Mahara is an open source web application for creating electronic portfolios: a collection of reflections and digital artefacts (documents, images, resumes, multimedia). Use Mahara to demonstrate competencies, skills and development, then share with selected audiences. Catalyst are lead developers of Mahara, offering aaS hosting, theming, training and bespoke development services.
- Simple to use file repository controlled by users.
- Upload existing files or add content from mobile devices.
- Develop web pages with portfolio content for assessment.
- Share portfolios flexibly with other users or the public.
- Multiple users (groups) can use a single site.
- Connect other applications via expandable standards-based we services.
- Navigate easily using desktop and mobile devices.
- Content follows user: import / export ePortfolios via Leap2A.
- Multi-lingual and customisable user interface.
- Open source code offers core functionality and bespoke development options.
- Collect, reflect on and share personal and professional achievements.
- Demonstrate requirements met in continuous professional development / compliance certification.
- Create and monitor compliance requirements for individuals and groups.
- Encourage collaborative learning communities trough controlled sharing of content.
- Support lifelong learning through portability of portfolios across organisations.
- Support social networking at a controllable, organisation level.
- Link with other business systems to support talent management.
- Use mobile devices to create / collect evidence content on-the-job.
- Support employees by providing feedback on ePortfolios privately or publicly.
- Start small and scale quickly with no user license costs.
£3480 per instance per year
Catalyst IT Europe Ltd
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
|Cloud deployment model||Public cloud|
|System requirements||Devices (laptop / desktop / mobile ) with internet connection.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Standard application support offered UK business hours (M-F, 9-5) with option for 24/7 at additional cost. System support has 24/7 SLA support option.
Response times: Critical incident response within 2 hours, standard within 8 hours
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Catalyst offer level 2-4 technical support of cloud hosted Mahara ePortfolio. Pricing is subject to negotiation relative to requirements including how mission critical systems are, scale of support need, support hours and geographic location. Catalyst are able to offer dedicated technical account management or onsite support subject to scale of requirements.|
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Mahara has extensive on-line user documentation and support community. Additional bespoke support or training by Catalyst is available if required and on request.|
|End-of-contract data extraction||Catalyst will provide copies of all data to clients upon request at the end of a service contract. Individual users can export their own data at any time.|
|End-of-contract process||At the end of a contract the Mahara site will be closed, removed from service and all data purged. Costs for this are included in the base contract. If a client requires copies of data this can be extract at an additional cost.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Full functionality on desktop through to mobile devices is supported by fully responsive design.|
|Accessibility standards||WCAG 2.0 AA or EN 301 549|
|Accessibility testing||Catalyst has an in-house accessibility consultant and works with individual customers on Mahara themes that further support users of assistive technologies and accessibility tools.|
|What users can and can't do using the API||
Mahara web services allow you to connect your Mahara site with other applications that have web services / APIs. In order to use web services, your site must use a SSL certificate.
You can enable web services globally in the administration user interface and then configure protocols individually to suit your needs. Once a protocol is enabled, it can be used for all functions, users and tokens. Protocols available as of version 16.10 are: SOAP; XML-RPC; REST; and OAuth.
Not all functions are replicated in web services in the current development however the framework makes it possible to develop additional APIs. This requires defining a function that exposes the required functionality, and the associated interface definition.
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||
The service may be customised as follows:
- adapt the look and feel of the application through custom theme.
- add specific features to meet bespoke requirements.
- apply 3rd party plug-ins to support specific requirements.
- levels of hosting (user numbers and storage) and support.
Customisations are generally delivered by Catalyst, but can also be configured to be managed by the customer.
|Independence of resources||The underlying cloud infrastructure is architected with elastic auto-scaling characteristics to minimise performance impacts resulting from other users of the service.|
|Service usage metrics||Yes|
|Metrics types||Catalyst are able to provide web analytics on the usage of the Mahara service on request. User logs are accessible by default to administrative users of the system.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||In-house destruction process|
Data importing and exporting
|Data export approach||Mahara provides users with the ability to export their data (using Leap2A or HTML) within the standard interface.|
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
|Other protection within supplier network||Data is encrypted at rest and in transit. Strong security principles and governance ensure proper role separation, minimal privileges granted to each role, and strong defensive security posture.|
Availability and resilience
|Guaranteed availability||The Mahara service will use commercially reasonable efforts to ensure a Monthly Uptime Percentage of at least 99.90%, in each case during any monthly billing cycle. Service credits for failure to meet guaranteed availability targets can be agreed as part of individual contract negotiations.|
|Approach to resilience||Full redundancy is built into the system architecture with no single point of failure. Additional detail are available on request.|
|Outage reporting||Email alerts via ticketing system. Private dashboard showing monthly availability metrics.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Controllable roles and permissions can be used to restrict access in management interfaces and support channels.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
Security governance approach
Closely aligned with ISO/IEC 27001:2013, but not formally certified.
|Information security policies and processes||Catalyst has formal, documented policies and procedures that provide guidance for operations and information security management within the organisation. The policies clearly define scope, roles, responsibilities and management commitment. Staff maintain the policies in a centralised and accessible location, subject to review by the Security Manager. Senior management provides visible support for security initiatives, and ensures appropriate prioritisation and resource allocation in order to maintain good security posture. Policies are reviewed at least annually.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Changes to Catalyst services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is limited.
Teams set bespoke change management standards per service, underpinned by standard practices.
All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.
Exceptions to change management processes are documented and subject management review.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Catalyst monitors potential threats from a variety of sources including CERT and upstream project channels such as the Debian Security Advisories (DSA). Supplier notifications and industry updates are assessed by technical team and Critical patches are deployed as soon as possible.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Catalyst use a combination of intrusion detection methods to identify potential security incidents. IDS alarms alert the infrastructure support team immediately. Upon detection, the affected systems are isolated and analysed, followed by service restoration using fresh cloud infrastructure.|
|Incident management type||Supplier-defined controls|
|Incident management approach||Yes, standard incident response processes are defined for Catalyst staff. Users may report incidents using telephone or the online ticketing system. Incident reports and root cause analysis are published to the customer as PDF documents upon completion.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£3480 per instance per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||Limited access (user) to a demo instance - refreshed daily. Extended access to a sandbox environment with admin privileges can be negotiated on request.|
|Link to free trial||https://demo.mahara.org|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|