ORCHA Health Ltd

ORCHA Review/Accreditation, Dissemination and Activation Platform

ORCHA’s Platforms and Services provide a full solution to the challenges of embedding Digital-Health solutions into day-to-day Healthcare delivery systems. Powered by the worlds most advanced Digital-Health Review/Accreditation solution, the suite includes tailored Digital-Health Libraries with advance search/filter options and solutions that support Professionals to embrace this exciting new frontier


  • Existing library of over 4,500 Apps (May 2020)
  • Thousands of new apps added each year across 300+ categories
  • New versions of reviewed Apps are automatically re-reviewed
  • Unique review approach based on key standards & best practice
  • Tailorable libraries enabling a focus on your key needs/populations
  • Open APIs allow direct integration into existing platforms & assets
  • Unique App Matching capabilities driving 'right App first time' results
  • Simple and intuitive professional recommendation/prescribing solution
  • App licence management and distribution capabilities
  • Full implementation support and campaign management provided


  • Drives the uptake of digital health Apps in your populations
  • Empowers professionals to embrace and drive digital activation
  • Maximises 'right App, first time' results and longterm stickiness
  • Allows the tracking of patient, population and professional mHealth activation
  • Provides an accreditation and regulatory compliance framework
  • Delivers a constant market monitoring and horizon scanning solution
  • Helps to raise digital literacy for patients and clinicians
  • Assists in patient outreach and population health management
  • Part of a wider digital campaign - to change mindsets
  • Patients and the public gain a trusted digital adviser


£10,000 to £250,000 a instance a year

  • Education pricing available

Service documents


G-Cloud 12

Service ID

3 5 7 8 8 2 4 4 9 4 2 3 4 1 8


ORCHA Health Ltd

Tim Andrews



Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
Internet Explorer v

User support

Email or online ticketing support
Email or online ticketing
Support response times
Online support management solution for end users and an online/telephone support solution for ORCHA Pro-Account users, Client Assessors and Client Administrators. Operates between 8:00 and 18:00 (UK) on Business Days.

We will respond to:

Priority 1 tickets - six hours of receipt by Us;

Priority 2 tickets - twelve hours of receipt by Us; and

Priority 3 tickets - twenty four hours of receipt by Us.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We conduct ongoing user testing with all user types
Onsite support
Onsite support
Support levels
We will endeavour to ensure that the ORCHA DHMP, Your App Library, sites and ORCHA APIs will be provided with a 99.7% availability rate (aside from scheduled maintenance slots which will be restricted to off peak times between the hours of 18:00 and 8:00 UK time).

We provide an online support management solution for end users and an online/telephone support solution for ORCHA Pro-Account users, Client Assessors and Client Administrators. The support function operates between the hours of 8:00 and 18:00 UK time on Business Days. The support function will look after all user and system related queries and bugs.

The relevant platform elements will be available during the term of the Contract. It will be decommissioned within four (4) weeks of the end of the Contract unless a further Contract has been put in place.

We will save all platform data for a period of three (3) months from the end of the Contract. This can be provided to You in csv. format upon request.
Support available to third parties

Onboarding and offboarding

Getting started
We provide a comprehensive Implementation Support Service as set out in the Service Summary documentation.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
We provide users with csv extracts of their Data for up to 3 months post contract end.
End-of-contract process
The extract of customer data in csv format.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
We use responsive technologies to manage the mobile view.
Service interface
Description of service interface
The ORCHA Platform is accessed via the web. Power Users access their services via a My ORCHA account which hosts all relevant services.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
We have undertaken extensive end user testing through the multiple iterations and updates to the overall ORCHA platform.
What users can and can't do using the API
Users can access all the data components of the hosted service through the ORCHA API's.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The ORCHA service is highly configurable with many elements that customers can tailor to their own requirements as detailed in the Service summary documents.


Independence of resources
We use standard load balancing solutions within our AWS hosting environment.


Service usage metrics
Metrics types
We provide a comprehensive set of Performance Dashboards and reporting as detailed in the Services Summary document.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Via a csv extract upon request.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We will endeavour to ensure that the ORCHA DHMP, Your App Library, sites and ORCHA APIs will be provided with a 99.7% availability rate (aside from scheduled maintenance slots which will be restricted to off peak times between the hours of 18:00 and 8:00 UK time).
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
All access to user specific - i.e. none free to access - services are restricted to user accounts that require user names and passwords.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
In Progress with TUV-SUD
ISO/IEC 27001 accreditation date
Planned September 2020
What the ISO/IEC 27001 doesn’t cover
All service elements and key processes are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We follow the processes in line with ISO 27001.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We adopt a security by design methodology. All updates to the core systems are rigorously tested through each stage of the testing cycle. This includes:

- Unit Testing
- Integration testing
- Regression testing and
- User Acceptance Testing

These elements are integral to the overall development process that follows an Agile methodology that is managed with a strict change control model underpinning it.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We undertake regular vulnerability and penetration testing. We regularly review our overall system security in preparation for these tests and we maintain a log of open source and third party software that we rely upon and monitor these elements for patches and updates on a regular basis.
Protective monitoring type
Protective monitoring approach
We have an e-ticketing system and a prioritisation process within this that enables us to rapidly identify issues as they arise. We will respond to P1 incidents within 6 hours of notification and resolve these within 48 hours. Our Account and Delivery management function will proactively manage liaisons with impacted users and clients throughout a P1 incident.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident management approach is via our e-ticketing system or telephony support model. Incidents can be raised directly by end user using these channels or via our dedicated Account and Delivery management function.

We maintain regular updates regarding live incidents and our Account and Delivery management team maintain regular contact with impacted users and monitor these issues on a monthly basis as part of the general client reporting and review processes.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£10,000 to £250,000 a instance a year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑