One Housing is an integrated SaaS housing management solution for local authorities and registered providers of housing, encompassing the modules required for optimum performance. The system provides person and property-centric data, integrated with strong business process management, delivering a 360-degree view of the Customer and one version of the truth.
- Integrated people and property database.
- Repairs lifecycle management.
- Rent collection and processing with rent arrears management.
- Best of breed disaster recovery with geo replication.
- Capita One Housing provided as a complete software-as-a-service.
- Property allocation.
- Void property management.
- Property asset management.
- Availability, capacity, security and performance managed by Capita One.
- All software updates, technology refreshes, patches and continuous improvements.
- Integrated system: input information once, updates across all modules.
- Meets all core housing management needs from Hosted Service.
- Migration to cloud service (onboarding).
- One price for complete service, giving budget certainty.
- Immunity from technology changes.
- 99.5% uptime with 24/7 availability.
£8437 per instance per month
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Capita Business Services Limited
Capita Business Services Ltd
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
Capita One Housing forms part of the Capita One portfolio of software services, which delivers comprehensive solutions across the Public Sector and Housing Association marketplace.
One Housing can be used to extend the scope of existing third party software solutions, ie, a repairs contractor solution extended to provide tenancy management.
|Cloud deployment model||Public cloud|
The Hosted One Housing system operates within a banded model, based on the number of properties under management within the contracting organisation.
Not all maintenance requires downtime and we will schedule downtime to be outside of core business hours wherever possible. The scheduled maintenance covers tasks including, but not limited to:
• New releases (software upgrades) and server patching.
• Monthly schedules of planned downtime published in advance.
In cases of unscheduled downtime for emergency changes, we will endeavour to complete work outside normal office hours.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Response times apply Monday – Friday, 08:00 – 18:00.
High severity (must be logged by telephone): day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one working hour (30 minutes for critical issues) and, whenever possible, provide a solution or advise how quickly a solution will be available.
Medium severity: day-to-day work can be continued but there is still a requirement for a speedy resolution. We aim to respond within four working hours.
Low severity: day-to-day work can be continued but the problem is minor. We aim to respond within two working days.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
There is a fixed annual support fee provided to all customers, based on the number of properties under management. The current support SLAs:
• 24/7 Platform Availability Monitoring and fix of ‘site down’ P1 incidents.
• Critical Priority: key area of live system is down and unusable. We aim to respond within one working hour (30 minutes for critical issues), with a target resolution time of one working day.
• Essential Priority: system fault, where no workaround is available, causing workload, planning, etc, to be significantly affected by lack of early resolution. We aim to respond within two working hours, with a target resolution time of three working days.
• Important Priority: system fault – workaround possible. We aim to respond within two working days, with a target resolution time of 20 working days.
• Useful Priority: minor fault or cosmetic problem. We aim to respond within one week, with a target resolution time of next appropriate release of software (depending on customer demand, following an assessment of the number of calls received).
• Each support call logged is assigned to a Help Desk Operative and regular updates are provided via our support website.
The standard level of support is included with the monthly service charge.
|Support available to third parties||No|
Onboarding and offboarding
|Getting started||The service provides on-site and remote training as well as post Go Live support if necessary. It is usual for the organisations working with Capita on the implementation to provide trainers who will be given Capita’s train-the-trainer courses. In turn they are expected to carry out suitable training activities within the organisation, effectively preparing employees for using the new system.|
|Other documentation formats||MS Word.|
|End-of-contract data extraction||One Housing has the capability to extract all data into a CSV format.|
At the end of the contract, the Customer will be able to extract their data into a CSV format. If the Customer wishes to extend the contract, they will be able to continue to access the service. If, however, the Customer does not renew, access to the service will be terminated on the final day of the contract.
Upon withdrawal from our cloud service, all data will be securely deleted from our infrastructure. This includes all secondary data sources, such as backups. All customer data is managed in clearly segregated data stores. The deletion is enforced by the Microsoft Azure Cloud Platform. Microsoft implements security controls which ensure no unauthorised access to deleted data and, ultimately, secure wiping or physical destruction of the storage hardware when it is de-commissioned from service.
The contract includes the One Housing application and the modules, a set number of user access licences, several training and implementation days to onboard and deploy, application hosting charge and an annual support and maintenance fee, detailed within the pricing document.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|What users can and can't do using the API||
One Housing provides more than 30 separate APIs to allow rapid integration to and from third party software applications. Each API is designed to perform a specific business need, such as exchange of repair data between subcontractor software or application(s) and nominations data for choice-based lettings partnerships.
Each API is fully documented, detailing the formatting of outbound/ inbound data, which allows our customers to take a measure of control over their integration requirements.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
One Housing SaaS comes as a preconfigured housing management system for rapid implementation and deployment. Included within the service is training that will enable customers to carry out configuration changes to the system to more accurately reflect their own processes. The initial preconfigured implementation is designed to reduce deployment time, while giving customers the choice to further finesse their configuration options.
Virtually all parameters are configurable by our customers to provide a more tailored solution to their users. All parameters are configured by those users empowered to do so (by our customers), be that system administrator(s) or power user(s) at individual service delivery area/ department.
Configuration of all parameters is undertaken via the same single user interface, ie, no specialist tools are required. Each functional area (module) provides secure access to the underlying parameters and customisation options relevant. Only those users authorised by our customers are able to create, update or retire parameters.
This approach gives our customers the ability to adopt a standard deployment, while giving the freedom to control their own customisation, delivering rapid deployment and reduction in cost of on-going configuration and customisation.
|Independence of resources||
Each customer will have their own single tenant dedicated application instance, including isolated databases. We enforce segregation and prevent cross contamination using multiple layers of network segregation, including a dedicated subnet per customer, secure namespaces and encrypted overlay VXLAN-based virtual networks per customer. This means that other instances cannot have a negative impact on each other.
The solution has automatic elastic scalability built in – it scales resources responding to unforeseen spikes of usage to protect the customer user experience. Additionally, Capita will work with customers to predict and plan for known events that will require extra resources or capacity.
|Service usage metrics||Yes|
|Metrics types||A Monthly Client Report will be provided detailing the status of the system against availability targets. This report will also include any corrective actions required by the Customer, together with any additional in scope information mutually agreed during the ongoing service review process.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||Less than once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
All customer data within the Secure Capita One Cloud is isolated and encrypted at rest through 256-bit AES encryption. Symmetric encryption using a multiple key hierarchy is used to encrypt and decrypt this data.
Access to customer data is restricted based on business need and by role-based access control and multifactor authentication, minimising standing access to data. Data encryption keys are created and controlled by Capita.
Microsoft cannot access customer data. Microsoft Azure is the hosting service which provides the underlying highly resilient and secure data centres, physical hardware, networks and services that underpin the Secure Capita One Cloud.
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The One Housing application provides users with the capability to export data in various formats.|
|Data export formats||Other|
|Other data export formats||
|Data import formats||Other|
|Other data import formats||
|Data protection between buyer and supplier networks||
|Other protection between networks||
All data in transit between the Customer and the Secure Capita One Cloud is secured and encrypted. Data in transit to or from our SaaS is secured by the following methods:
• Website traffic accessed via a browser is HTTPS only, encrypted and secured with SHA-2 X.509 certificates.
• Rich client application access via HTTPS and secure RDP encrypted to 128-bit.
• Restricted features for specific back office employees/roles can be secured and only accessible via an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
• Secure integrations facilitated by an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
|Data protection within supplier network||
|Other protection within supplier network||The hosting platforms are designed to be compliant with the UK Government Cloud Security Principles and are tested annually for defects against this standard. We use TLS 1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA-256 bit encryption. All backup data and secure keys backed up between the two Microsoft UK regions are secured and encrypted in transit.|
Availability and resilience
Capita One Housing SaaS is built to run 24/7 but is optimised for high availability and performance during core hours.
For public-facing portals, the service shall provide at least 99.5% availability 24 hours a day, 7 days per week, 365 days per year, excluding scheduled maintenance.
For the internal-facing application, the service shall provide at least 99.5% availability during supported office hours, which is defined as 08:00 – 18:00, Monday – Friday, excluding English public holidays and excluding scheduled maintenance.
The scheduled maintenance will cover tasks including, but not limited to:
• New releases (software upgrades) and server patching. Not all maintenance will require downtime.
• In addition to any scheduled maintenance, there will be occasions where Capita is required to initiate unscheduled downtime for emergency changes. In exceptional cases when emergency changes are required, we will endeavour but cannot guarantee to complete this work outside of the core normal office hours.
• Monthly schedules of planned downtime are published in advance.
The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
|Approach to resilience||
One Housing is made up of a set of virtualised, containerised components that rely on specific Infrastructure as a Service and Platform as a Service features of Microsoft Azure that have been configured and optimised to make up the Secure Capita One Cloud.
The Secure Capita One Cloud only uses resources that are a commodity, highly available and easy to bring up, scale and configure on-demand.
Each dedicated customer instance will live within the Secure Capita One Cloud within one of the two UK Microsoft Azure regions (UK South and UK West). Within each region we are using highly available and highly resilient services with no single points of failure.
• Automated backups of all databases, data and configuration to support RPO and RTO targets.
• Backups are written to disk immediately within region.
• Backups are automatically copied to the second region to protect from region-wide issues.
• Unique security keys for each customer are written into both regions to protect from region-wide issues.
• Data Recovery processes tested regularly.
• Complete Disaster Recovery testing performed regularly.
• Application components are built from golden images and can be spun up easily.
More information available on request.
|Outage reporting||Service outages are communicated in varying manners, dependent on the magnitude of the service outage. For a multi-customer service outage, email communications will be sent out to all customers advising the status of outage with regular updates on progress as well as a status message being provided on the Home Page of the online ticketing system. A service outage that affects a single customer will be communicated both by email and by telephone. Historical outage reporting is provided as part of the quarterly service review pack as well as being available at an individual customer level via the online ticketing system offering an on-demand view of this.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||There are several options for authentication for the solution, including utilising customers’ own identity providers (subject to supported configurations) and as such MFA and other customer required security requirements may be supported.|
|Access restrictions in management interfaces and support channels||
Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.
Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Help Desk are encouraged to register on the support portal. If customers contact us by telephone or email, their details are matched to an existing registration.
The management control plane for the cloud service is locked down and not public; we use Azure AD and have role-based access by employees.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||The management control plane for the cloud service is locked down and not public; we use Azure AD and have role-based access by staff members. We’ve reduced risk by giving no data access via cloud service management; all access is audited and only granted on a need basis.|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Cloud service hosting certified by BSI.|
|ISO/IEC 27001 accreditation date||Microsoft recertification date: 20/06/2017. Expiry: 19/06/2020.|
|What the ISO/IEC 27001 doesn’t cover||N/A.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||Microsoft recertification date: 20/06/2017.|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||N/A.|
|Other security certifications||Yes|
|Any other security certifications||Cyber Security Essentials.|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Our cloud service provider complies with many standards, including CSA CCM v3.0, ISO/IEC 27018, ISO/IEC 27001, UK Cyber Essentials PLUS.
Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls. Capita has UK Cyber Essentials certification.
Further details are available upon request.
|Information security policies and processes||
As part of Capita Business Services, we work to policies and standards that are aligned with ISO 27001. These are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when employees complete their annual training they agree to comply with both Group and Business Unit Level policies.
Information security employees as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.
Information security is dealt with at all levels of the business, including at the Business Unit, Divisional Unit and Capita Group.
The maintained ISMS Management Policies include:
• Acceptable Use Policy
• Access Control Policy
• Compliance Policy
• Data and Asset Management Policy
• Information Security Management Policy
• Mobile Working Policy
• Personnel Policy
• Physical Security Policy
• Risk Management Policy
• Systems Acquisition Development and Maintenance Security Policy.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Capita maintains the assets that make up the solution using ITIL v3 incident, problem and change management processes, aligned to the ISO 27001 standard. No configuration items are added or changed without the appropriate review and backout planning to ensure that the risks and impact are appropriately managed prior to delivery of the change into live.
One Housing is a unified code base that can only be changed by the supplier; this is controlled via a yearly product development plan, which is published to all customers. All changes are built into a numbered release, which is made available to customers.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Capita has Information Security Policies and Standards that cover ISO 27001 clauses and controls to triage vulnerabilities. Capita monitors security alerts from various sources, such as Secunia or GovCertUK, and assesses the patches that are released by operating systems suppliers. All patches are graded Critical, Recommended or Low. The grade of patch will determine the timescale in which it will be installed. Critical patches will be installed at the next available opportunity. Recommended and Low graded patches will be installed as part of a patch cluster. Automated vulnerability and threat detection services will also be employed.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Incident Response methodology:
• Monitoring, control, communication
Nominated stakeholders will perform communication and data gathering with users.
• Ensure the privacy of those affected.
• Report and document potential breaches of confidentiality to Governance and Compliance.
• Ensure integrity of data is maintained throughout the lifecycle.
• Maintain a full inventory of the data tracking additions and amendments.
• Encrypt and store data securely.
• Ticket with event description made for correspondence and reporting purposes.
• An Incident Manager will own an event through its lifecycle.
• ISO 27001 standards for accountability are reviewed for the lifecycle at each stage.
|Incident management type||Supplier-defined controls|
|Incident management approach||
We have a defined, approved and tested Incident Management process; the process has a list of example incidents that are designed to cover a wide range of scenarios. All employees are made aware of the incident reporting process and randomly tested for effectiveness.
Incident reports will be passed to relevant customers if their environment or data has been impacted.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£8437 per instance per month|
|Discount for educational organisations||No|
|Free trial available||No|