Worktribe Ltd

Worktribe Curriculum

Worktribe Curriculum is a user-friendly, integrated system to efficiently develop, manage, store and publish your curriculum - programmes and modules - in one place; pre-validation, review, approval, strategic validation, live management, external examination and marketing.


  • Central store of all curriculum-related data
  • Single sign-on integration via Shibboleth or Active Directory
  • Full control of user access and data visibility
  • Modules developed and approved separately from programmes
  • Programme Outcomes map to QAA Benchmark Statements
  • Configurable workflow control of approvals processes for programmes and modules
  • Marketing requirements and content captured, with formal approvals process
  • Users can create re-usable, shareable data searches and reports
  • Create external examiner reports for specified programme and module(s)
  • Automated rule checking, e.g. for credits in multiple pathways


  • Coherent 'single source of truth' makes for consistent management reporting
  • Central records aid CMA compliance
  • Workflow functionality ensures that approval processes are properly followed
  • Integration with external systems eases inter-system information flows
  • Consistent user-friendly interface reduces user training needs
  • Automated rule checking assists avoidance of programme structure errors
  • Independence of modules enables module sharing between programmes
  • Curriculum Maps and Assessment Maps provide effective overviews
  • Inclusion of marketing assists coherent programme development and marketing
  • 'Copy and adjust' features enable incremental development over multiple years


£45550.00 per licence per year

Service documents

G-Cloud 11


Worktribe Ltd

Jon Hackney

0870 020 1760

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The system does require some configuration to accommodate each client's internal approvals processes. The configuration is performed during the implementation project, which under G-Cloud is termed the 'onboarding process.'
System requirements Users require a modern browser with javascript enabled

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Second-line Worktribe support is available to technical client staff from 9am to 5pm UK time, Monday to Friday, excluding English bank holidays.

Faults are categorised and resolved based on their priority:
• High (Service is not available, multiple users affected): 1 hour response, 4 hour fix/workaround.
• Medium (Intermittent fault causing great difficulty in using the service, one or more users affected): 2 hour response, 8 hour fix/workaround.
• Low (Intermittent fault but service is still usable, one or more users affected): 8 hour response, fix time by agreement on a case-by-case basis.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support No
Support levels Support services are included within the annual SaaS fee.

We provide remote support between 9am and 5pm Monday to Friday, excluding English public holidays.

Typical support arrangements for ongoing support and maintenance are that the client provides first-line support in-house, with Worktribe providing second- and third-line support via our UK-based helpdesk.

Support requests are submitted to Worktribe using our online tool or, in exceptional circumstances, via email. Regardless of the channel through which the request is raised, a ticket is created on our portal to track the request through to resolution.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Worktribe immediately provide 3 environments as standard: Test; Train; and Live.

The implementation process then consists mainly of: onsite training for the client's project team; workshops to define the client's approvals processes; configuration of the system to accommodate the agreed approval processes; client staff setting up the base data (client-specific lookup lists, for example); client staff setting up integration links with their other systems (typically a Student Information system and website CMS); importing legacy data (optional); testing; client staff training the wider user base; and go-live. The following documentation is provided: User guides; Administrator guides; API documentation; data import documentation; documentation guidance on use of templates for documents containing Worktribe data.

Worktribe provides a project manager and an account manager. Support is provided from the start, and regular progress meetings are held. The key determinant of implementation speed are the readiness of the client and the client's assigned resources. As the system is already in wide use, the implementation process has become streamlined and quite straightforward.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Clients may extract their data using the following methods:

1) Using the Worktribe API, which is comprehensive and exposes all user data.

2) Using the SQL data extract, which is provided as part of the Worktribe service. This extract is normally provided on a regular basis for input to the client's Business Intelligence or other corporate reporting system, but it may also be used as a data source at the end of the contract.
End-of-contract process The costs of the end-of-contract process are included within the normal annual SaaS charge. The process is:

Some months beforehand, client and Worktribe to agree dates for trial data extracts and uploads to new system, and for final data extract.

On each extract date:
* All users (including system administration users) to be logged out at a previously-agreed time.
* Worktribe to shut down all user access to the Worktribe system.
* Client to perform whatever extracts they need via the API.
* Client to test the outcomes (including imports to the replacement system).

After the client has performed the final data extract:
* Worktribe to delete all copies of the client’s curriculum-related data from its systems, no matter how old, or where held or in what format. (This may require destruction of physical media.) Worktribe to inform client in writing when deletion is completed.
* Worktribe to retain data regarding business contacts between the client and Worktribe, and commercial data regarding the relationship, subject to the limitations of the Data Protection Act or equivalent(s) then in force.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing To assist in our accessibility evaluations, we use the Web Accessibility Versatile Evaluator (WAVE) tool. Text blocks are well formatted and readable by screen readers. Worktribe users can also customise the presentation for accessibility within the usual constraints of the web browser and their operating system (for example to increase the font size or change the contrast ratio).
What users can and can't do using the API Worktribe's comprehensive programmatic REST API has HATEOAS features. This is our preferred method for integrating with your other systems.

The API is a useful automated way of obtaining and presenting course information to other systems, commonly the Student Information system and university web site. It can also be used during the implementation stage to load legacy data into the Worktribe system.

The REST API exposes all data entities to full CRUD (Create, Read, Update, Delete) operations, and is fully under your control.

The integration mechanism consists of responding to authenticated HTTP commands sent by external applications. This means that creation, reading, updating and deletion of records within the Worktribe system by external applications are performed using the appropriate POST, GET, PUT and DELETE commands. Data is exchanged in JSON format.

The system also includes an event driven 'subscription' system. This means that you are able to have both 'push' and 'pull' integrations.

API-based interactions between the Worktribe system and the other systems may be managed by your own ‘integration layer’ or ‘middleware layer’. This is a flexible, ‘loose coupling’ approach to integration.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The Worktribe Curriculum system is provided as a package, with the following customisable/configurable aspects:

1) Clients can maintain their own specific lookup lists (e.g. organisation structure, delivery locations, PSRBs, tags of all types, report templates, and so on).

2) The system's workflow accommodates the approval processes for each client through the configuration of users’ and groups’ responsibilities at each workflow stage. This configuration is done during the implementation project, called the 'onboarding process' under the G-Cloud framework.

3) The system can also accommodate client branding. The login screen, home screen, downloadable PDF reports and those produced using the template functionality can include the client's logo, although the Worktribe colour scheme is fixed. Any logo needs to be supplied by the client as an image file.


Independence of resources We run a mixture of physical hardware and virtualised systems that give us the best balance of performance and redundancy, using load-balancers and private cloud systems for dynamic scaling. All virtualised systems are single-tenanted (i.e. clients do not share virtual disks or machines).


Service usage metrics Yes
Metrics types The support portal includes provision for client reports and data exports to be created at any time, so that performance against SLA is completely transparent.

Examples include:
• Uptime%
• Number of support tickets per month
• Average issue resolution time
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users may export data from the Worktribe system in JSON format via the API.

User-specified report datasets may also be exported in CSV and Microsoft Excel formats.

The Worktribe system also enables export of data directly into documents, using the mail-merge features of Microsoft Word. Clients may create many Word templates which retrieve the required data from the Worktribe system automatically and present it as part of the resulting document.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON (via the API)
  • Microsoft Excel
  • Microsoft Word
Data import formats
  • CSV
  • Other
Other data import formats
  • Microsoft Excel
  • JSON (via the API)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Our standard availability is 99.8% uptime. The Worktribe Service Level Agreement includes provision of service credits if availability drops below 99.8%.
Approach to resilience We use virtualized servers and redundant disks that give us a high level of availability and resilience at our hosting provider. This maximises uptime and minimises the risk of system loss.

We take hourly encrypted backups to local backup systems at our primary secure host. These encrypted backups are themselves immediately backed up to a second secure hosting site, as a precaution against failure of both the system and backup at the primary host site.

In the event of disaster, we will trigger the restore from backup, prioritizing the database load. Any restoration of data from backups is performed by our in-house staff.

Worktribe uses automated provisioning software that enables us to quickly rebuild systems at a disaster recovery site. If we initiate the offsite recovery (e.g. if all network connections to the primary host were severed, with predicted downtime of hours or days) we can be up and running at the disaster recovery site within hours.

We regularly test our backup systems, both offsite and onsite. In practice we temporarily clone and restore live systems for testing and support, so the system is in constant use. The frequency of testing, for various reasons, approaches weekly.
Outage reporting The situation is presented on each client's support dashboard provided by Worktribe, so it is immediately visible to the client.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication The Worktribe system supports single-sign-on using customer Identity Providers including Shibboleth (via the UK Access Management Federation), Microsoft ADFS, Azure AD (SAML 2.0) and CoSign. With several of these systems, multi-factor authentication is also available. The Worktribe system also includes a built-in local authentication module (password based) and Active Directory integration (using LDAP over SSL).
Access restrictions in management interfaces and support channels There is no management interface available to client personnel or to hosting suppliers. Access to servers for management purposes is tightly restricted to just a few individuals within Worktribe.

For our own support personnel, access to client data is controlled by public key authentication rather than by password. The very few staff authorised to access client data have individual keys, and the authorised set is controlled by our provisioning systems. Alternatively, the support personnel can ask the client to grant access, which of course leaves the usual in-app audit trail.
Access restriction testing frequency At least once a year
Management access authentication Public key authentication (including by TLS client certificate)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI Assurance UK Limited
ISO/IEC 27001 accreditation date 27 March 2018
What the ISO/IEC 27001 doesn’t cover Secure hosting services are not covered by our ISO27001 certification, but are covered by that of the secure hosting suppliers we use. We only use hosting suppliers who are ISO27001 certified.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The Chief Information Officer (CIO) is an Executive Director of Worktribe, who ensures that:
• The Information Security systems are fully documented and implemented in accordance with ISO 27001:2013
• All employees are made aware of customer requirements and have the skills to ensure they are met.
• All employees are aware of the Information Security policy statements, and their role in the implementation of these. This is supported by provision of a Staff Security Procedures document on the company intranet, and frequent reminders on the intranet to keep security at the front of employees' minds.
• Management reviews of the performance and improvement potential of the Management System are regularly provided.

In practice, the CIO is also personally involved in the control of access to client data, which can only be obtained through explicit and time-limited permission, and is only granted to a few staff. Access to client data is also tracked through use of individual keys, so that each access can be traced to a specific individual.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All software is based on the secure Worktribe platform to minimise security risks. Each software release and each build within each release is uniquely identified. Each new release is tested before publication. Requests for new and amended functionality are normally discussed using our on-line user group forum. Those gaining sufficient support are discussed at formal user group meetings. Further specification refinement may then take place in special interest group meetings, so that new features embody best practice. The new functionality is then embedded into our road map, and provided as part of our planned release schedule.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our systems are hosted in a private cloud with secured access, so the server environment is tightly controlled. We receive the security patch streams for Ubuntu LTS (the operating system on our servers), which are installed automatically on our development systems, and we then patch production systems manually and promptly. Our DBMS is our own proprietary system which is stable and is guarded in several ways which prevent any unauthorised access. This prevents security attacks against the database. Also, user access permissions are enforced by the Worktribe platform at the lowest level of database access, so cannot be subverted.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use automated monitoring tools to keep a continual eye on the systems, and intervene immediately if we see any issues arising.

Our clients are often impressed with the speed with which we react to situations; no doubt you will ask our other clients about such matters.
Incident management type Supplier-defined controls
Incident management approach Users report incidents as support requests. If we ever had a data breach it would be accorded the highest importance and urgency, and escalated for immediate investigation by our most senior engineers, including the Chief Information Officer.

An integral part of our incident management process is frequent investigation progress updates by phone and email. For this purpose Worktribe maintains an 'In Case of Emergency' list which contains both phone and email details of emergency contacts within clients, to be used in the case of such an event.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £45550.00 per licence per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑