Risk Assessment, Method Statement and COSHH software

HANDS HQ is a SaaS platform that makes health and safety accessible to the entire workforce. It uses the latest technology, intuitive design experience and plain English to help businesses create higher quality Risk Assessment and Method Statements, saving time and money while increasing compliance across the entire organisation.


  • Risk Assessments: add activities, risks, & sequence of operations
  • Method statements: automatically create project-specific statements following assessment
  • Risk Register: RAMS library, automatically share updates; simple ISO45001 compliance
  • COSHH: quickly find & add COSHH for all hazardous substances
  • Construction Phase Plans: easily create CPPs compliant with CDM2015 regulations
  • Digital/in-person Signatures: easily gain paperless workforce signatures on RAMS
  • Custom Content: use organisation-specific content to build RAMS
  • Approvals: easily build an approvals workflow, approved/with conditions/rejected
  • Custom Templates: build company-specific templates for Risk Assessments
  • Content Editing: customize core content to align with organisational procedures


  • Faster processes: create comprehensive RAMS in minutes
  • Easy collaboration: centralised library of RAMS, COSHH and CPP
  • Improved accessibility: access HANDS HQ anytime, anywhere on any device
  • Boost compliance: instant audit trail to achieve industry standards
  • Effortless approvals: workflows allowing designated individuals to accept/reject documents
  • Comprehensive history: know when, by who and why, projects changed
  • Raised quality: easily create consistent, professional-looking, on-brand documentation
  • Completely customisable: add logos, employees, and processes to fit requirements
  • Accelerate digitalisation: quickly move away from paper-based processes
  • Simple innovation: design-driven platform that requires limited technical skills


£49 per unit

Service documents

G-Cloud 10



Jamie Carruthers

020 3318 4901


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints As HANDS HQ is a cloud-based platform there is nothing to install. HANDS HQ is accessed through a web browser, and each user will have their own individual login via email address. HANDS HQ works across all the latest browsers, we do however suggest using Google Chrome if you have the option. We find this browser works best and is regularly updated. You will need an internet connection to access HANDS HQ.

HANDS HQ can be used on any smartphone or tablet, however, we suggest tablets will offer the best user experience due to the size of screens available.
System requirements Active internet connection and a modern web browser (ideally Chrome)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We aim to respond to questions in 1-2 business hours when submitted between UK working hours, Monday to Friday.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible We use Intercom for our web chat platform.
Web chat accessibility testing Don't know
Onsite support Yes, at extra cost
Support levels HANDS HQ offers different levels of service to clients based on the product supplied. Our standard service offering includes an online knowledge base answering FAQs; and during UK office hours, phone, email and in-app web support.

Customers on our Enterprise plan will additionally have a dedicated account manager who will guide them through set-up and continuous learning for the organisation. This can include on-site training days and webinars. Custom training plans will be created depending on the customer requirements and content set up. The training will include all aspects of the software including the different permissions and functions of the software.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The onboarding process for all new customers of HANDS HQ includes access to an online knowledge base, phone and email support and in-app support during UK office hours.
For larger enterprise customers we create customised training plans that ensure all individual needs are met. This can include but is not limited to, on-site training and web training.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Customers are able to access, and export, their data into PDF format while they have an active HANDS HQ subscription. For a period of two years following the termination of a contract, their data will be securely retained. If within that period of time their subscription is not reactivated, their data will be deleted.

During that two year period, former customers of HANDS HQ are able to contact the team should they wish to access their documents without reactivating their subscription. Documents will be supplied in PDF format.
End-of-contract process HANDS HQ customers are required to inform the company of the decision to terminate the agreement with 30 days notice.

Upon termination of the agreement, customers can choose to receive a folder containing all of the documents stored in the HANDS HQ platform in PDF format.

Business: £406 per month / £3900 annually ex VAT. Includes 130 RAMS projects per year; up to 10 users; data migration; custom content; approval workflow and audit history.
Enterprise: starts at £750 per month / £7200 annually ex VAT. Includes 150 RAMS projects per year; unlimited users; multiple divisions and departments; digital signatures; Risk Register; access to API; single sign-on; COSHH register.

Additional services, divisions and training. POA There is a volume discount available for additional projects.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are no differences in functionality between mobile and desktop.
Accessibility standards None or don’t know
Description of accessibility All content is text-based.
Accessibility testing None
Customisation available Yes
Description of customisation Customers can choose to have custom content added to our system. We can also customise the end document layout to match that of our customer's existing documents.

Customisation is done by our Customer Success team.


Independence of resources HANDS HQ uses an Auto Scaling service which monitors applications and adjusts capacity to maintain a steady service. The service, provided by Heroku, means that demand is never an issue. Additionally, we receive a number of alerts around capacity thresholds as a backup.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Other
Other data at rest protection approach We encrypt the data using minimum AES128 bit.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Customers or ex-customers can contact the HANDS HQ team through any of our support channels to request a data export.
Data export formats Other
Other data export formats PDF
Data import formats Other
Other data import formats PDF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability HANDS HQ has a target of 99.6% uptime. For any downtime beyond one consecutive day, customers will receive pro rata credit to their account.
Approach to resilience HANDS HQ use Heroku and AWS; details of their data centre measures can be found on their websites. The HANDS HQ platform has been built with a high level of self-healing and redundancy built into our service. If there is a failure, we are alerted immediately. Our databases are backed up daily; in the event of an outage, we can restore in any point of time over the last seven days.
Outage reporting We currently email customers to inform them of any outage. Within the next three months we will be implementing a public status page too.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels We use an access control matrix to ensure that only staff that require high impact systems are provided with access to them. As well as this, HANDS HQ has several additional policies in place, such as reviewing privileged access at ISO Committees We also have a staff offboarding process to ensure all systems access is adequately removed on their last day or before, depending on the situation. We do not allow our staff to unencrypt or download customer confidential data, but those that have the access rights to do so are limited.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 13/4/2018
What the ISO/IEC 27001 doesn’t cover Awaiting the documentation
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes HANDS HQ is ISO 27001:2015 which is headed up by our Co-Founder. The company adheres to multiple policies and procedures that are required or are best practice in line with ISO 27001, including Asset Management, Access management, Third Party Management, Secure Development practices etc. (see our SOA which controls apply). HANDS HQ runs an ISO Committee every quarter which reports on the effectiveness of our ISMS and conduct quarterly internal audits. We ensure policies are followed through internal audits and staff management - both day-to-day and via performance targets. HANDS HQ holds security training and inductions to ensure all staff remain aware of the security policies and are kept up to date with the latest threats and vulnerabilities.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach HANDS HQ is built with Ruby on Rails with Postgres hosted on Heroku/AWS.

We use a product management tool (Product Board) to gather feedback/issues from customers which are prioritised by the development team. All code is peer-reviewed and we use a test-driven development methodology with a target of 95% test coverage to ensure code quality. We have continuous monitoring of all code dependencies to identify security issues and all new features are run against our penetration testing tool. All of the development team are trained in secure development practices and we adhere to OWASP best practices
Vulnerability management type Supplier-defined controls
Vulnerability management approach Code will be assessed for vulnerabilities, dependencies and known issues by using a combination of continuous code checking through Code Climate and Github tools, and then half yearly vulnerability scanning using ZAP on our staging environment, which is an identical reproduction of our production environment. These tools rate the risk in three layers and HANDS HQ has applied timescales for each.

The team will log test results in a spreadsheet and state which are applicable to the Production environment which will take priority and adapt the impact accordingly where necessary and detail the reasoning for the change or downgrade.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We monitor service downtime and degradation using a variety of tools which measure from as little as continuously to up to an hour intervals. We monitor vulnerabilities and capacity as previously described. Alerts are flagged immediately and assessed for their severity by a member of staff. If the issue is categorised by the staff member as an incident they will evoke the incident management procedure.
Incident management type Supplier-defined controls
Incident management approach HANDS HQ uses Zendesk for incident management purposes. Employees report any CRITICAL/ HIGH incidents immediately to co-founders who will record the information going forward. MAJOR OR MINOR incidents can be added directly. An impact rating will be added to the case as follows: URGENT: Leak of confidential information (Fix within 72 hours) HIGH: Partial loss of service or potential corruption of data (Fix within two weeks) NORMAL: Loss, corruption or leak of non-core functionality (Fix within three months) Knowledge gained from analysing and resolving information security incidents is entered into future test scripts to prevent the issues arising again.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £49 per unit
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑