HANDS HQ is a SaaS platform that makes health and safety accessible to the entire workforce. It uses the latest technology, intuitive design experience and plain English to help businesses create higher quality Risk Assessment and Method Statements, saving time and money while increasing compliance across the entire organisation.
- Risk Assessments: add activities, risks, & sequence of operations
- Method statements: automatically create project-specific statements following assessment
- Risk Register: RAMS library, automatically share updates; simple ISO45001 compliance
- COSHH: quickly find & add COSHH for all hazardous substances
- Construction Phase Plans: easily create CPPs compliant with CDM2015 regulations
- Digital/in-person Signatures: easily gain paperless workforce signatures on RAMS
- Custom Content: use organisation-specific content to build RAMS
- Approvals: easily build an approvals workflow, approved/with conditions/rejected
- Custom Templates: build company-specific templates for Risk Assessments
- Content Editing: customize core content to align with organisational procedures
- Faster processes: create comprehensive RAMS in minutes
- Easy collaboration: centralised library of RAMS, COSHH and CPP
- Improved accessibility: access HANDS HQ anytime, anywhere on any device
- Boost compliance: instant audit trail to achieve industry standards
- Effortless approvals: workflows allowing designated individuals to accept/reject documents
- Comprehensive history: know when, by whom and why projects changed
- Raised quality: easily create consistent, professional-looking, on-brand documentation
- Completely customisable: add logos, employees, and processes to fit requirements
- Accelerate digitalisation: quickly move away from paper-based processes
- Simple innovation: design-driven platform that requires limited technical skills
£49 per unit
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
As HANDS HQ is a cloud-based platform, there is nothing to install. HANDS HQ is accessed through a web browser, and each user will have their own individual login via email address. HANDS HQ works across all the latest browsers; we do, however, suggest using Google Chrome if you have the option. We find this browser works best and is regularly updated. You will need an internet connection to access HANDS HQ.
HANDS HQ can be used on any smartphone or tablet; however, we suggest tablets will offer the best user experience due to the size of screens available.
|System requirements||Active internet connection and a modern web browser (ideally Chrome)|
|Email or online ticketing support||Email or online ticketing|
|Support response times||We aim to respond to questions in 1-2 business hours when submitted during UK working hours, Monday to Friday.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||We use Intercom for our web chat platform.|
|Web chat accessibility testing||Don't know|
|Onsite support||Yes, at extra cost|
HANDS HQ offers different levels of service to clients based on the product supplied. Our standard service offering includes an online knowledge base answering FAQs; and during UK office hours, phone, email and in-app web support.
Customers on our Enterprise plan will additionally have a dedicated account manager who will guide them through set-up and continuous learning for the organisation. This can include on-site training days and webinars. Custom training plans will be created depending on the customer requirements and content set up. The training will include all aspects of the software including the different permissions and functions of the software.
|Support available to third parties||Yes|
Onboarding and offboarding
The onboarding process for all new customers of HANDS HQ includes access to an online knowledge base, phone and email support and in-app support during UK office hours.
For larger enterprise customers we create customised training plans that ensure all individual needs are met. This can include, but is not limited to, on-site training and web training.
|End-of-contract data extraction||
Customers are able to access, and export, their data into PDF format while they have an active HANDS HQ subscription. For a period of two years following the termination of a contract, their data will be securely retained. If within that period of time their subscription is not reactivated, their data will be deleted.
During that two-year period, former customers of HANDS HQ are able to contact the team should they wish to access their documents without reactivating their subscription. Documents will be supplied in PDF format.
HANDS HQ customers are required to inform the company of the decision to terminate the agreement with 30 days' notice.
Upon termination of the agreement, customers can choose to receive a folder containing all of the documents stored in the HANDS HQ platform in PDF format.
Business: £406 per month / £3900 annually ex VAT. Includes 130 RAMS projects per year; up to 10 users; data migration; custom content; approval workflow and audit history.
Enterprise: starts at £750 per month / £7200 annually ex VAT. Includes 150 RAMS projects per year; unlimited users; multiple divisions and departments; digital signatures; Risk Register; access to API; single sign-on; COSHH register.
Additional services, divisions and training: POA. There is a volume discount available for additional projects.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||There are no differences in functionality between mobile and desktop.|
|Accessibility standards||None or don’t know|
|Description of accessibility||All content is text-based.|
|Description of customisation||
Customers can choose to have custom content added to our system. We can also customise the end document layout to match that of our customer's existing documents.
Customisation is done by our Customer Success team.
|Independence of resources||HANDS HQ uses an Auto Scaling service which monitors applications and adjusts capacity to maintain a steady service. The service, provided by Heroku, means that demand is never an issue. Additionally, we receive a number of alerts around capacity thresholds as a backup.|
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||EU-US Privacy Shield agreement locations|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||In-house|
|Protecting data at rest||Other|
|Other data at rest protection approach||We encrypt the data using a minimum of AES 128-bit.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||In-house destruction process|
Data importing and exporting
|Data export approach||Customers or ex-customers can contact the HANDS HQ team through any of our support channels to request a data export.|
|Data export formats||Other|
|Other data export formats|
|Data import formats||Other|
|Other data import formats|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||HANDS HQ has a target of 99.6% uptime. For any downtime beyond one consecutive day, customers will receive pro rata credit to their account.|
|Approach to resilience||HANDS HQ use Heroku and AWS; details of their data centre measures can be found on their websites. The HANDS HQ platform has been built with a high level of self-healing and redundancy. If there is a failure, we are alerted immediately. Our databases are backed up daily; in the event of an outage, we can restore to any point in time over the last seven days.|
|Outage reporting||We currently email customers to inform them of any outage. Within the next three months we will be implementing a public status page too.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||We use an access control matrix to ensure that only staff that require high impact systems are provided with access to them. As well as this, HANDS HQ has several additional policies in place, such as reviewing privileged access at ISO Committees. We also have a staff offboarding process to ensure all systems access is adequately removed on their last day or before, depending on the situation. We do not allow our staff to decrypt or download customer confidential data, but those that have the access rights to do so are limited.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||Between 6 months and 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||13/4/2018|
|What the ISO/IEC 27001 doesn’t cover||Awaiting the documentation|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||HANDS HQ is ISO 27001:2015, which is headed up by our Co-Founder. The company adheres to multiple policies and procedures that are required or are best practice in line with ISO 27001, including Asset Management, Access Management, Third Party Management, Secure Development practices etc. (see our SOA for which controls apply). HANDS HQ runs an ISO Committee every quarter, which reports on the effectiveness of our ISMS, and conducts quarterly internal audits. We ensure policies are followed through internal audits and staff management, both day-to-day and via performance targets. HANDS HQ holds security training and inductions to ensure all staff remain aware of the security policies and are kept up to date with the latest threats and vulnerabilities.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
HANDS HQ is built with Ruby on Rails with Postgres hosted on Heroku/AWS.
We use a product management tool (Product Board) to gather feedback/issues from customers, which are prioritised by the development team. All code is peer-reviewed and we use a test-driven development methodology with a target of 95% test coverage to ensure code quality. We have continuous monitoring of all code dependencies to identify security issues, and all new features are run against our penetration testing tool. All of the development team are trained in secure development practices and we adhere to OWASP best practices.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Code will be assessed for vulnerabilities, dependencies and known issues by using a combination of continuous code checking through Code Climate and GitHub tools, and then half-yearly vulnerability scanning using ZAP on our staging environment, which is an identical reproduction of our production environment. These tools rate the risk in three layers and HANDS HQ has applied timescales for each.
The team will log test results in a spreadsheet and state which are applicable to the Production environment, which will take priority. Where necessary, the team will adapt the impact accordingly and detail the reasoning for the change or downgrade.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||We monitor service downtime and degradation using a variety of tools, which measure at intervals ranging from continuous to up to an hour. We monitor vulnerabilities and capacity as previously described. Alerts are flagged immediately and assessed for their severity by a member of staff. If the issue is categorised by the staff member as an incident, they will invoke the incident management procedure.|
|Incident management type||Supplier-defined controls|
|Incident management approach||HANDS HQ uses Zendesk for incident management purposes. Employees report any CRITICAL/HIGH incidents immediately to co-founders, who will record the information going forward. MAJOR or MINOR incidents can be added directly. An impact rating will be added to the case as follows. URGENT: leak of confidential information (fix within 72 hours). HIGH: partial loss of service or potential corruption of data (fix within two weeks). NORMAL: loss, corruption or leak of non-core functionality (fix within three months). Knowledge gained from analysing and resolving information security incidents is entered into future test scripts to prevent the issues arising again.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£49 per unit|
|Discount for educational organisations||No|
|Free trial available||No|
|Pricing document||View uploaded document|
|Terms and conditions document||View uploaded document|