Capita Business Services Limited

One Housing

One Housing is an integrated SaaS housing management solution for local authorities and registered providers of housing, encompassing the modules required for optimum performance. The system provides person and property-centric data, integrated with strong business process management, delivering a 360-degree view of the Customer and one version of the truth.


  • Integrated people and property database.
  • Repairs lifecycle management.
  • Rent collection and processing with rent arrears management.
  • Best of breed disaster recovery with geo replication.
  • Capita One Housing provided as a complete software-as-a-service.
  • Property allocation.
  • Void property management.
  • Property asset management.
  • Availability, capacity, security and performance managed by Capita One.
  • All software updates, technology refreshes, patches and continuous improvements.


  • Integrated system: input information once, updates across all modules.
  • Meets all core housing management needs from Hosted Service.
  • Migration to cloud service (onboarding).
  • One price for complete service, giving budget certainty.
  • Immunity from technology changes.
  • 99.5% uptime with 24/7 availability.


£8437 per instance per month

Service documents


G-Cloud 11

Service ID

3 1 7 3 8 1 8 2 6 3 8 4 1 1 6


Capita Business Services Limited

Capita Business Services Ltd


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Capita One Housing forms part of the Capita One portfolio of software services, which delivers comprehensive solutions across the Public Sector and Housing Association marketplace.

One Housing can be used to extend the scope of existing third party software solutions, ie, a repairs contractor solution extended to provide tenancy management.
Cloud deployment model
Public cloud
Service constraints
The Hosted One Housing system operates within a banded model, based on the number of properties under management within the contracting organisation.

Not all maintenance requires downtime and we will schedule downtime to be outside of core business hours wherever possible – The scheduled maintenance cover tasks including, but not limited to:

• New releases (software upgrades) and server patching.
• Monthly schedules of planned downtime published in advance.

In cases of unscheduled downtime for emergency changes, we will endeavour to complete work outside normal office hours.
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times apply Monday – Friday, 08:00 – 18:00.

High severity (must be logged by telephone): day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one working hour (30 minutes for critical issues) and, whenever possible, provide a solution/ advise how quickly a solution will be available.

Medium severity: day-to-day work can be continued but there is still a requirement for a speedy resolution. We aim to respond within four working hours.

Low severity: day-to-day work can be continued but the problem is minor. We aim to respond within two working days.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
There is a fixed annual support fee provided to all customers, based on the number of properties under management. The current support SLAs:
•24/7 Platform Availability Monitoring and fix of ‘site down’ P1 incidents.
•Critical Priority: key area of live system is down and unusable. We aim to respond within one working hour (30 minutes for critical issues), with a target resolution time of one working day.
•Essential Priority: system fault, where no workaround is available, causing workload, planning, etc, to be significantly affected by lack of early resolution. We aim to respond within two working hours, with a target resolution time of three working days.
•Important Priority: system fault – workaround possible. We aim to respond within two working days, with a target resolution time of 20 working days.
•Useful Priority: minor fault or cosmetic problem. We aim to respond within one week, with a target resolution time of next appropriate release of software (depending on customer demand, following an assessment of the number of calls received).
•Each support call logged is assigned to a Help Desk Operative and regular updates are provided via our support website.

The standard level of support is included with the monthly service charge.
Support available to third parties

Onboarding and offboarding

Getting started
The service provides on-site and remote training as well as post Go Live support if necessary. It is usual for the organisations working with Capita on the implementation to provide trainers who will be given Capita’s train-the-trainer courses. In turn they are expected to carry out suitable training activities within the organisation, effectively preparing employees for using the new system.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
MS Word.
End-of-contract data extraction
One Housing has the capability to extract all data into a CSV format.
End-of-contract process
At the end of the contract, the Customer will be able to extract their data into a CSV format. If the Customer wishes to extend the contract, they will be able to continue to access the service, if however, the Customer does not renew, access to the service will be terminated on the final day of the contract.

Upon withdrawal from our cloud service, all data will be securely deleted from our infrastructure. This includes all secondary data sources, such as backups. All customer data is managed in clearly segregated data stores. The deletion is enforced by the Microsoft Azure Cloud Platform. Microsoft implements security controls which ensure no unauthorised access to deleted data and, ultimately, secure wiping or physical destruction of the storage hardware when it is de-commissioned from service.

The contract includes the One Housing application and the modules, a set number of user access licences, several training and implementation days to onboard and deploy, application hosting charge and an annual support and maintenance fee, detailed within the pricing document.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
One Housing provides more than 30 separate APIs to allow rapid integration to and from third party software applications. Each API is designed to perform a specific business need, such as exchange of repair data between subcontractor software or application(s) and nominations data for choice-based lettings partnerships.

Each API is fully documented, detailing the formatting of outbound/ inbound data, which allows our customers to take a measure of control over their integration requirements.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
One Housing SaaS comes as a preconfigured housing management system for rapid implementation and deployment. Included within the service is training that will enable customers to carry out configuration changes to the system to more accurately reflect their own processes. The initial preconfigured implementation is designed to reduce deployment time, while giving customers the choice to further finesse their configuration options.

Virtually all parameters are configurable by our customers to provide a more tailored solution to their users. All parameters are configured by those users empowered to do so (by our customers), be that system administrator(s) or power user(s) at individual service delivery area/ department.

Configuration of all parameters is undertaken via the same single user interface, ie, no specialist tools are required. Each functional area (module) provides secure access to the underlying parameters and customisation options relevant. Only those users authorised by our customers are able to create, update or retire parameters.

This approach gives our customers the ability to adopt a standard deployment, while giving the freedom to control their own customisation, delivering rapid deployment and reduction in cost of on-going configuration and customisation.


Independence of resources
Each customer will have their own single tenant dedicated application instance, including isolated databases. We enforce segregation and prevent cross contamination; using multiple layers of network segregation, including a dedicated subnet per customer, secure namespaces and encrypted overlay VXLAN-based virtual networks per customer. This means that other instances cannot have a negative impact on each other.

The solution has automatic elastic scalability built in – it scales resources responding to unforeseen spikes of usage to protect the customer user experience. Additionally, Capita will work with customers to predict and plan for known events that will require extra resources or capacity.


Service usage metrics
Metrics types
A Monthly Client Report will be provided detailing the status of the system against availability targets. This report will also include any corrective actions required by the Customer, together with any additional in scope information mutually agreed during the ongoing service review process.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
All customer data within the Secure Capita One Cloud is isolated and encrypted at rest through 256-bit AES encryption. Symmetric encryption using a multiple key hierarchy is used to encrypt and decrypt this data.

Access to customer data is restricted based on business need and by role-based access control and multifactor authentication, minimising standing access to data. Data encryption keys are created and controlled by Capita.

Microsoft cannot access customer data. Microsoft Azure is the hosting service which provides the underlying highly resilient and secure data centres, physical hardware, networks and services that underpin the Secure Capita One Cloud.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The One Housing application provides users with the capability to export data in various formats.
Data export formats
Other data export formats
  • PDF
  • MS Word
Data import formats
Other data import formats
  • PDF
  • MS Word

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
All data in transit between the Customer and the Secure Capita One Cloud is secured and encrypted. Data in transit to or from our SaaS is secured by the following methods:
•Website traffic accessed via a browser is HTTPS only, encrypted and secured with SHA-2 x.509 certificates.
•Rich client application access via HTTPS and secure RDP encrypted to 128-bit.
•Restricted features for specific back office employees/ roles can be secured and only accessible via an Internet Protocol Security (IPSEC) VPN tunnel meeting FIPS 140/2 standards.
•Secure integrations facilitated by an Internet Protocol Security (IPSEC) VPN tunnel meeting FIPS 140/2 standards.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
The hosting platforms are designed to be compliant with the UK Government Cloud Security Principles and are tested annually for defects against this standard. We use TLS1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA-256 bit encryption. All backup data and secure keys backed up between the two Microsoft UK regions are secured and encrypted in transit.

Availability and resilience

Guaranteed availability
Capita One Housing SaaS is built to run 24/7 but is optimised for high availability and performance during core hours.
For public-facing portals, the service shall provide at least 99.5% availability 24 hours a day, 7 days per week, 365 days per year, excluding scheduled maintenance.
For the internal-facing application, the service shall provide at least 99.5% availability during supported office hours, which is defined as 08:00 – 18:00, Monday – Friday, excluding English public holidays and excluding scheduled maintenance.

The scheduled maintenance will cover tasks including, but not limited to:
•New releases (software upgrades) and server patching. Not all maintenance will require downtime.
•In addition to any scheduled maintenance, there will be occasions where Capita is required to initiate unscheduled downtime for emergency changes. In exceptional cases when emergency changes are required, we will endeavour but cannot guarantee to complete this work outside of the core normal office hours.
•Monthly schedules of planned downtime are published in advance.

The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
Approach to resilience
One Housing is made up of a set of virtualised, containerised components that rely on specific Infrastructure as a Service and Platform as a Service features of Microsoft Azure that have been configured and optimised to make up the Secure Capita One Cloud.

The Secure Capita One Cloud only uses resources that are a commodity, highly available and easy to bring up, scale and configure on-demand.

Each dedicated customer instance will live within the Secure Capita One Cloud within one of the two UK Microsoft Azure regions (UK South and UK West). Within each region we are using highly available and highly resilient services with no single points of failure.
• Automated backups of all databases, data and configuration to support RPO and RTO targets.
• Backups are written to disk immediately within region.
• Backups are automatically copied to the second region to protect from region-wide issues.
• Unique security keys for each customer are written into both regions to protect from region-wide issues.
• Data Recovery processes tested regularly.
• Complete Disaster Recovery testing performed regularly.
• Application components are built from golden images and can be spun up easily.

More information available on request.
Outage reporting
Service outages are communicated in varying manners, dependent on the magnitude of the service outage. For a multi-customer service outage, email communications will be sent out to all customers advising the status of outage with regular updates on progress as well as a status message being provided on the Home Page of the online ticketing system. A service outage that affects a single customer will be communicated both by email and by telephone. Historical outage reporting is provided as part of the quarterly service review pack as well as being available at an individual customer level via the online ticketing system offering an on-demand view of this.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
There are several options for authentication for the solution, including utilising customers’ own identity providers (subject to supported configurations) and as such MFA and other customer required security requirements may be supported.
Access restrictions in management interfaces and support channels
Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.

Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Help Desk are encouraged to register on the support portal. If customers contact us by telephone or email, their details are matched to an existing registration.

The management control plane for the cloud service is locked down and not public; we use Azure AD and have role-based access by employees.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
The Management control plane for the cloud service is locked down and not public, we use azure AD and have role-based access by staff members. We’ve reduced risk by giving no data access via cloud service management all access is audited and only granted on need basis.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Cloud service hosting certified by BSI.
ISO/IEC 27001 accreditation date
Microsoft recertification date: 20/06/2017. Expiry: 19/06/2020.
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
Microsoft recertification date: 20/06/2017.
CSA STAR certification level
Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover
PCI certification
Other security certifications
Any other security certifications
Cyber Security Essentials.

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
Our cloud service provider complies with many standards, including CSA CCM v3.0, ISO/ IEC 27018, ISO/ IEC27001, UK Cyber Essentials PLUS.

Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls. Capita has UK Cyber Essentials certification.

Further details are available upon request.
Information security policies and processes
As part of Capita Business Services, we work to policies and standards that are aligned with ISO 27001. These are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when employees complete their annual training they agree to comply with both Group and Business Unit Level policies.

Information security employees as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.

Information security is dealt with at all levels of the business, including at the Business Unit, Divisional Unit and Capita Group.

The maintained ISMS Management Policies include:
• Acceptable Use Policy
• Access Control Policy
• Compliance Policy
• Data and Asset Management Policy
• Information Security Management Policy
• Mobile Working Policy
• Personnel Policy
• Physical Security Policy
• Risk Management Policy
• Systems Acquisition Development and Maintenance Security Policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Capita maintains the assets that make up the solution using ITIL v3 incident, problem and change management processes, aligned to the ISO 27001 standard. No configuration items are added or changed without the appropriate review and backout planning to ensure that the risks and impact are appropriately managed prior to delivery of the change into live.

One Housing is a unified code base that can only be changed by the supplier; this is controlled via a yearly product development plan, which is published to all customers. All changes are built into a numbered release, which is made available to customers.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Capita has Information Security Policies and Standards that cover ISO 27001 clauses and controls to triage vulnerabilities. Capita monitors security alerts from various sources, such as Secunia or Gov Cert UK and assesses the patches that are released by operating systems suppliers. All patches are graded Critical, Recommended or Low. The grade of patch will determine the timescale in which it will be installed. Critical patches will be installed at the next available opportunity. Recommended and Low graded patches will be installed as part of a patch cluster. Automated vulnerability and threat detection services will also be employed.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Incident Response methodology:
•Monitoring, control, communication

Nominated stakeholders will perform communication and data gathering with users.

•Ensure the privacy of those affected.
•Report and document potential breaches of confidentiality to Governance and Compliance.

•Ensure integrity of data is maintained throughout the lifecycle.
•Maintain a full inventory of the data tracking additions and amendments.
•Encrypt and store data securely.

•Ticket with event description made for correspondence and reporting purposes.

•An Incident Manager will own an event through its lifecycle.
•ISO 27001 standards for accountability are reviewed for the lifecycle at each stage.
Incident management type
Supplier-defined controls
Incident management approach
We have a defined, approved and tested Incident Management process; the process has a list of example incidents that are designed to cover a wide range of scenarios. All employees are made aware of the incident reporting process and randomly tested for effectiveness.

Incident reports will be passed to relevant customers if their environment or data has been impacted.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£8437 per instance per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑