THE PAY INDEX LIMITED

UK and Global Pay Analytics

The Pay Index provides pay and compensation data across industry sector, job function, level of seniority, gender, education and geographies at city and country level.

Features

  • Real-time analysis
  • Data visualisation
  • Remote access via website
  • Real-time reporting

Benefits

  • Analyse pay discrepancies by gender
  • Analyse pay discrepancies by sector
  • Identify pay gaps

Pricing

£6,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at aoife.whitford@thepayindex.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

3 3 3 2 4 5 0 6 1 7 3 6 5 3 5

Contact

THE PAY INDEX LIMITED Aoife Whitford
Telephone: 07426960626
Email: aoife.whitford@thepayindex.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Professional services consulting, data analysis and reporting of data through customised data visualisations.
Cloud deployment model
Public cloud
Service constraints
None
System requirements
Internet access

User support

Email or online ticketing support
Email or online ticketing
Support response times
2 hours
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
Technical support
Customer support
Product support
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Onsite training, remote training.
Service documentation
No
End-of-contract data extraction
Users can request that their data is removed and The Pay Index will ensure all data is removed and deleted or returned to the user.
End-of-contract process
At the end of the contact the user will no longer have access to any paid products of The Pay Index. The user will still have access to any free components of the product. There is no incremental cost to terminate the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
No
API
No
Customisation available
Yes
Description of customisation
Any aspect of the service can be customised including:
Domain URL
Data visualisations
Data captured
Interface design
Customer logos and branding
This will all be customised by The Pay Index and accessed by the customer

Scaling

Independence of resources
The Pay Index is hosted on the Azure platform with unlimited ability to scale to end users needs. Any data visualisation plug-ins are added on demand.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
The Pay Index is a data visualisation tool so the data does not need to be exported. Upon request we can provide a customised solution to allow users to receive a copy of their data, either through a download or via a CSV file.
Data export formats
CSV
Data import formats
  • CSV
  • Other
Other data import formats
Via web form

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
The networks are not connected.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our service is 24 hours a day, 7 days a week. Our up-time is 99.99% (or as stated in the Microsoft Azure terms and conditions of service).

We have a support line available through email where customers can request information on data, account changes and account termination services.

The support line typically responds to requests within 24h and is most active from 9am-5pm on weekdays.
Approach to resilience
It is available on request.
Outage reporting
Email alerts.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Licences are distributed to different client types which restrict usage of the service to specific reports / datasets.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials
Information security policies and processes
We follow:
Information Security Policy,
Information Classification Policy,
Confidentiality Policy,
Personal Data Protection Policy,
Incident Management Procedure,
Procedure for Corrective Action,
Risk Assessment and Risk Treatment Methodology,
Access Control Policy,
Acceptable Use Policy (within Mobile Device and Teleworking Policy, Password Policy, Clear Desk and Clear Screen Policy),
Bring Your Own Device (BYOD) Policy,
Disposal and Destruction Policy,
Supplier Security Policy,
Procedures for Working in Secure Areas,
Policy on the Use of Cryptographic Controls,
Operating Procedures for Information and Communication Technology (within Change Management Policy, Backup Policy, Information Transfer Policy),
Secure Employment and Dismissal Procedure,
Secure Development Policy,
Secure Development Procedure,
Disaster Recovery Plan,
Internal Audit Procedure,
Maintenance and Review Procedure.

To ensure policies are followed we perform:
every three months - monitoring and measurement of ISMS objectives, information security processes and controls;
annual - internal audit;
on customer's request - external audit.

Monitoring, measurement and audit results are the subject of analysis, evaluation and annual management review.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
A.8.1.1, A.8.1.2, A.9.2.3, A.9.4.4, A.12.1.1, A.12.1.2, A.14.2.2, A,14,2,3, A,14.2.4 ISO 27001 controls are implemented.

Each change must be made in the following way:
proposed by IT team member or asset owner;
authorized by IT Manager, who assesses its justification for business and potential negative security impacts;
implemented by IT team member, who is responsible for checking that the change has been implemented in accordance with the asset owner requirements and for testing and verifying the system's stability (system must not be put into production before thorough testing has been conducted);
change records are kept in Information System's Registry.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
A.12.2.1, A.12.5.1, A.12.6.1, A.12.6.2 ISO 27001 controls are implemented.

We use anti-malware software with application management feature which provides information and assesses potential threats. Also we perform vulnerability scans monthly using customised open source software.

All software patches are installed as soon as practical. Automatic patching enabled where possible for all software in use. Common users are not be given the choice of patching and required to patch as soon as possible. Depending on level of risk some patches are forced to install immediately during unplanned maintenance window.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4 ISO 27001 controls are implemented.

Based on risk assessment results Information Security Manager decides which logs will be kept for which systems, and how long they will be stored.

IT Manager is responsible for monitoring the logs of automatically reported faults on a daily basis, as well as to register faults reported by users, to analyze why errors occurred and to take appropriate corrective actions.

Information Security Manager is responsible for regularly reviewing logs in order to monitor the activities of administrators and system operators.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7 ISO 27001 controls are implemented.

To ensure quick detection of security events and weaknesses, quick response to security incidents we have Incident Management Procedure.

Each employee reports to on duty IT Team member any system weakness, incident or event which could lead to a possible incident as soon as possible, by phone or in person.

IT Manager reviews all minor incidents and enters recurring ones, or those which may turn into major incidents on the next occasion, in the Incident Log. Information Security Manager analyzes Incident Log and suggests corrective action if necessary.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£6,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at aoife.whitford@thepayindex.com. Tell them what format you need. It will help if you say what assistive technology you use.