HighQ

Regulatory reporting

Our regulatory reporting and compliance solution empowers organisations to improve regulatory reporting efficiency, optimise internal processes and reduce operational risks.

Features

  • Quick and Secure - Share instantly, with full auditing
  • Intuitive Interface - Easily view, download or comment
  • Customisable data sheets
  • Date or data based alerts
  • Manage group tasks, share group calendars
  • Detailed reports and auditing
  • Send large files - That are too large or sensitive
  • Manage content in wikis, post updates in the blog
  • Have discussions and much more in one unified team space
  • Made for Mobile - Optimised for any mobile device

Benefits

  • Security - Ensure control over information
  • Audit trail - What's been sent, when and by whom
  • Overcome mailbox sizes - Send a link to a download
  • Private Cloud - So you know where the data sits
  • Business Intelligence - See how users are viewing your data

Pricing

£20 to £400 per person per year

  • Free trial available

Service documents

G-Cloud 9

314609570095975

HighQ

Adam Koscinski / Alex Zervos

020 7220 5340

sales@highq.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements A modern browser

User support

Email or online ticketing support Email or online ticketing
Support response times 30 minutes Monday to Friday, 8pm to 6pm
24/7 Emergency
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support No
Support levels 8am - 6pm Service desk on business days
24/7 Emergency
Support available to third parties No

Onboarding and offboarding

Getting started Training can be delivered remotely or onsite
There is a comprehensive online knowledge base
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction All data can be extracted by users with the appropriate permission via the user interface,
End-of-contract process All client data is deleted as part of the contract. HighQ will decommission the instance in full as part of the base contract. It is the client's responsibility to extract any data they wish to keep prior to the decommissioning process. Secure overwrite is available for an additional charge.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service All features are available on mobile using a responsive design
Files can be accessed via the HighQ Drive app for mobile
Accessibility standards None or don’t know
Description of accessibility Collaborate is accessible using any of the standard web browsers in conjunction with existing assistive software that supports the user's chosen web browser. The product has alt-text fields for all non-text content and supports the creation of alt-text metadata for non-text data uploaded into the system.
Accessibility testing We will investigate any usability issue should it be raised as necessary.
API Yes
What users can and can't do using the API All the main features are accessible via the API, with a vibrant developer community to share and learn.
API documentation Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Custom branding can be applied at system and site level including the URL, visual appearance of the whole user interface and system generated emails.

Scaling

Independence of resources HighQ's solutions are single tenancy, ring fencing each client from the others. All systems are also load balanced, with duplication of resources in the data centres to ensure continued service.

Analytics

Service usage metrics Yes
Metrics types All logins, configuration changes and content accessed are audited by user, date and IP address.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach All files can be exported via the main user interface, and all other content can be exported to Excel and/or PDF.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • PDF
  • HTML
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Zip

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.5% Uptime which would be remunerated via service credits.
Approach to resilience Each client is hosted on two geographically separate datacentres within the same legal jurisdiction. All UK hosting centres are ISO 22301, and ISO 27031 compliant.
Outage reporting Email alerts are sent to client organisations upon detecting an outage.
Any maintenance works are undertaken during pre-agreed maintenance windows and upgrades take place on a date/time pre-agreed with the client.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication SAML2.0
2-step authentication
Access restrictions in management interfaces and support channels Application access management is controlled by the client who can grant or revoke administrative privileges within the application to or from users in line with their own organisational policies and procedures.
Infrastructure management is performed via secure management servers which are accessible only by VPN using two-factor authentication. Administrators cannot view client data where it is encrypted at rest.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DAS
ISO/IEC 27001 accreditation date 04/02/2016
What the ISO/IEC 27001 doesn’t cover The scope of the certification is Secure Data Room, Extranet, Collaboration, Know-How and Publishing solutions utilising the software-as-a-service model. The scope covers all operations and employees based at the London headquarters.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes HighQ have a CISO who reports to the CEO. A dedicated Security Officer reports to the CISO and undertakes GRC tasks and a dedicated Security Operations team implements the policies as set by the Security Officer.
All staff must adhere to a defined IT security policy and sign a confidentiality agreement. An ISMS is in place adhering to ISO27001 and
All staff receive basic cybersecurity training upon commencement of employment and on-going cybersecurity training.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All configuration management and change management is performed using the Agile methodology. Changes are developed and a product iteration is released. Each release is subject to penetration testing.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We regularly perform penetration testing, undertake monthly vulnerability scans, and daily change scans. Patches are normally deployed within 2 weeks, and we receive threat intelligence from third party security vendors, e.g. CiSP, MITRE, and other publicly available sources. We also employ a source code vulnerability tracking system and use automated security assessment tools.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach HighQ employ enterprise logging and SIEM for all systems and perform regular checks upon those logs and events. Incidents are reviewed and classified in terms of impact and criticality. There is a defined security incident management practice (NIST 800-61r2). Depending upon the nature of the incident, the issue is either remediated immediately or mitigations are designed into the next release.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents are managed using NIST 800-61r2 methodology and are recorded through an issue tracking system. Each incident is prioritised according to its impact and severity and will be remediated either as a bug fix in the next release or as an immediate hotfix should the incident be highly pervasive in nature.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £20 to £400 per person per year
Discount for educational organisations No
Free trial available Yes
Description of free trial A UAT site can be accessed once the scope of the requirement has been agreed.

Documents

Pricing document View uploaded document
Terms and conditions document View uploaded document