Flowz Ltd

Flowz

Flowz is a SaaS tool that reports compliance with GDPR data protection legislation.

Flowz distributed model: information risk reporting (article 32), Data Protection Impact Assessment (DPIA) (article 35), data flow mapping, Records of Processing Activity (article 30), Accountability (article 5), supports data breach reporting (article 33), management control (article 29).

Features

  • Data Flow Mapping processes to information assets (GDPR articles 32/35)
  • Information Asset Register (GDPR articles 30/32)
  • Distributed model with RBAC/LR access controls mapped to organisation hierarchy
  • Customer configurable user role profiles and per user
  • Drilldown information risk dashboard and reporting module (GDPR article 32)
  • Data Subject Access Requests (DSARs) model with health workflow option
  • User configurable data exports to Microsoft Excel
  • Delivered as a distributed Cloud Service (SaaS) with user branding
  • Preconfigured versions available for public sector inc health, LA, HE
  • Data Protection Impact Assessment (DPIA) (GDPR article 35)

Benefits

  • Supports requirements of Article 30 of GDPR (and many others)
  • Dashboards and reporting help manage Information Risk more effectively
  • Engages users and managers in 'owning' use of personal information
  • Risk assessment of each individual Flow and Asset
  • Fully configurable picking lists
  • Fully configurable risk profiles tuned to corporate risk appetite
  • Reports enable project work based on risk or potential savings
  • Links to Single Sign-On (SSO) to enable easier user access

Pricing

£3000 per licence per year

  • Education pricing available
  • Free trial available

G-Cloud 11

302262690353242

Flowz Ltd

Mark Jones

0330 124 1966

mark.jones@flowz.co.uk

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: None
System requirements: Internet access

User support

Email or online ticketing support: Email or online ticketing
Support response times: 9.00am - 5.30pm Monday to Friday only.

Responses will usually be within an hour, but our SLA differs dependent on agreed severity.

P1 (Flowz rendered unusable by a problem) - 4 hours.

P2 (Problem affecting the data being stored within Flowz) - 1 Working Day.

P3 (Regular problem that doesn't seriously affect routine working) - 5 Working days.

P4 (Infrequent problem which does not seriously affect routine working) - 10 Working days.

P5 (Clarification request about the data being displayed/reported by Flowz) - 5 Working days.

Wish list (Request for additional functionality) - Next User Group meeting
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: No
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: A standard Dialog box appears when anyone visits our Web site, a facility provided by HubSpot, the CRM system we are using. The end user will initiate the chat and type in their query, which will send a message to the Help Desk software and also any Administrators logged in.
Web chat accessibility testing: We have tested internally and all works fine.
Onsite support: Yes, at extra cost
Support levels: During the deployment of the Flowz system, we will provide as much support as the customer requires. This usually involves the following.

1. On-site Deployment Workshop
• Discuss and agree the configuration of your Flowz system, along with the associated drop-down list entries and User Hierarchy, roles etc.

2. System Configuration (off-site)
• Create your Flowz instance and configure it to the agreed specification from the Workshop day

3. Data Migration
• Import existing sources of data i.e. spreadsheet.

4. On-site Training
• Provide training for trainers and System Administrators/ IT team in the use and configuration of Flowz
• Training can be delivered on-site or via a series of WebEx sessions

After the completion of the deployment, support is provided through the Service Desk, our Web site forum and regular Flowz User Group meetings, where customers can meet the Flowz team, including Development staff, share experiences of other users and view functionality enhancements.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Services are available to assist with the on-boarding of our customers. These include Workshops to discuss configuration, Data Migration and Training.

Training can be for System Administrators, Trainers, or End-users. It can be delivered on-site or via WebEx, dependent on customer preference.

On-line help documentation is also available in the system.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: We have a data extraction feature, and can provide data in a variety of formats, for example CSV, Excel etc.
End-of-contract process: The extraction of customer data at the end of the contract is provided free of charge,

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Screen rearranges to suit mobile viewing.
Service interface: No
API: No
Customisation available: Yes
Description of customisation: Almost every element of the system can be tailored by the customer without the need for support, though services are available to train the System Administrators how to best make the changes.

Customisation features will be limited to System Administrators by role-based access.

Scaling

Independence of resources: Flowz Limited undertakes regular testing to ensure the system is performing optimally. Infrastructure is scaled accordingly to pre-empt any performance degradation. All elements of the cloud platform are modular and can be expanded quickly and easily as and when additional capacity or performance is required.

Analytics

Service usage metrics: Yes
Metrics types: A report of Flowz usage is available upon request, including all Service Tickets logged in the last period.
Reporting types: Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: No
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Throughout the system, users may export data, for example, search results in grids or reports in Excel.
Data export formats:
  • CSV
  • Other
Other data export formats: Microsoft Excel
Data import formats:
  • CSV
  • Other
Other data import formats: Microsoft Excel

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: The system is available 24/7/365 excluding planned maintenance. There will be occasional system maintenance but this will be performed out of business hours wherever possible and will be communicated in advance to the Flowz Service Desk which will contact the customer and agree the maintenance window. Data Centre availability exceeds 99.9% (Tier 3).
Approach to resilience: Flowz is a web service-oriented application (SOA) hosted in Internet Information Services (IIS) utilising SQL Server database services and has been developed using ASP.NET MVC - a Microsoft web application framework which implements the model–view–controller (MVC) design pattern.

Flowz comprises a set of services using Windows Communication Foundation services (WCF) to specify communications protocols, for example SOAP over HTTP, and security mechanisms etc. Individual services deployed on multiple virtual machines facilitate resilience, scalability and availability of the system.
Outage reporting: Email alerts and Flowz Service Desk customer portal.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Role-Based Access Control (RBAC) - Only an Administrator or a more Senior User role granted Administrator privileges may alter a User’s access rights. Only trained Users with assigned credentials may access the system and only then within their prescribed user roles, configurable by the customer’s System Administrator.
Access restriction testing frequency: At least once a year
Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Our security policy is regularly updated on our intranet with notifications emailed to all staff and associates. Information security responsibilities form a part of the induction process for all new Flowz Limited employees and are included in the employee’s handbook. Updates to the Acceptable Use policy for customer’s data for staff and associates are distributed by read-receipt email and are posted on our intranet.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Robust configuration and change management processes ensure changes to the production system environment are fully tested and approved before deployment. Our cloud provider maintains and implements change and configuration approval processes for equipment and devices which support Flowz Limited’s products. Infrastructure and application changes are managed in our change management and helpdesk systems as appropriate. Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk, however most are tested in a sandbox environment beforehand. Systems are actively monitored.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk, however most are tested in a sandbox environment beforehand. Systems are actively monitored.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk, however most are tested in a sandbox environment beforehand. Systems are actively monitored.
Incident management type: Supplier-defined controls
Incident management approach: Crisis and incident management is a key part of our BC and DR policies and is built heavily around the Service Desk system. Major issues and alerts relating to the availability of the Cloud system are automatically logged as new tickets and can be subsequently grouped together as a major incident/crisis. Alerts along with key performance parameters are monitored by the senior engineers, and incident reporting is made via email. All incidents are given a Priority rating and the Response Time will be judged against the agreed Service Level Agreement (SLA).

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £3000 per licence per year
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: We have a limited time trial version (up to 28 days) that includes full system functionality.

Service documents

  • Pricing document (PDF)
  • Terms and conditions (PDF)