RH Environmental Limited

Whitedocs - Landlord Accreditation and HMO Licensing

Whitedocs (www.whitedocs.com) is a fully mobile responsive cloud platform. It will provide the landlord and businesses with an online portal to register their business, complete licence or accreditation applications and share compliance information with the Council throughout the term of their licence.


  • Fully customisable for simple or complex workflows
  • Create deliverables
  • Process payments
  • Share and collaborate
  • Analyse and monitor
  • Task creation
  • Scheduling and intelligent notifications
  • Instant messaging
  • Document management
  • API integration


  • Create channels for permit/licence applications and document exchange
  • Government to public communication and collaboration
  • Channel shift optimisation
  • Revenue generation
  • Provide business insights (AI)
  • Manage team workload
  • Cloud based solution
  • Mobile working
  • Optimise process automation
  • Cost efficient savings


£10000 to £15000 per licence per year

Service documents


G-Cloud 11

Service ID

3 9 4 6 6 7 1 7 8 6 9 2 8 8 4


RH Environmental Limited

RHE Tender Team

0117 403 3584


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
No constraints on service.
System requirements
  • Whitedocs Licence
  • IE11+

User support

Email or online ticketing support
Email or online ticketing
Support response times
A response will be provided within 48 hours and there is limited service on the weekend.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support is available by emailing support@rheglobal.com or on 01174 033584. We will aim to respond to support queries within one working day.
Support available to third parties

Onboarding and offboarding

Getting started
Onsite training is available at £575/day - we also provide free over the phone training for onboarding including full user documentation.
Service documentation
End-of-contract data extraction
Our offboarding process allows Admins an agreed time to download any data or documents off the system.
End-of-contract process
At the end of the contract all users will have access removed from their account. Any local documents that need to be downloaded off the system by the subscribed organisation will be taken off as part of the offboarding process.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile service is designed to assist with landlord submitting information to the council.
Service interface
What users can and can't do using the API
APIs can be used to link with other services such as payment portals and backend providers.
API documentation
API sandbox or test environment
Customisation available


Independence of resources
The senior development team actively monitor the server statistics on a daily basis and report any potential infrastructure requirements to the management team at scheduled, bi-monthly software strategy meetings. API request throttling is in place to prevent a single user maliciously or accidentally initiating a DoS attack. In addition to this, our AWS server arrangements allow for single-click scaling of hardware which can be provisioned immediately using our automated configuration management (ansible). As the application grows we will investigate the use of a load balancer to reroute traffic.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
.csv files can be downloaded with user data.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We outsource our servers and rely on third party SLA’s for availability. We currently use Amazon Web Services, Digital Ocean, Kingston Communications (KCom) and Helastel.

Contractually we do not guarantee availability unless specifically required due factors beyond our control.

We have had a handful of < 1 hour service interruptions in the past 2 years.

Our server hosts guarantee approximately 99.9% uptime, with service credits if they fail.


Approach to resilience
Information available on request.
Outage reporting
Email alerts are sent to all customers concerned. Outage messages may be circulated around social media, and dashboards will fall into maintenance mode with a reason for downtime.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
We have dedicated two senior team members in sales and development who are the gatekeepers of the management and support channels. Access to administration panels for user maintenance is restricted to these key personnel.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We use industry standards to operate our data security management. This includes a named Data Security Manager and data security training provided to all Development and Sales staff that deal in customer data. The Noise App had its own data security policy which is available on request.
Information security policies and processes
We review our information security policy annually. The whole company is registered with the IASME Cyber Essentials programme. Information Security is a standing item on the Company Management Team agenda. The information security policy is the responsibility of a Board Level Director, who receives reports from the Information Security Officer who is also supported by a Business Analyst in the Software Solutions team.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Software code and assets are tracked and versioned in Git. Releases are versioned and deployed through the Jenkins Continuous integration platform allowing for one-click rollback if required. Server software packages are managed with ansible which automates provisioning. Any code changes are reviewed by the Senior Development team and released to the staging server for testing before being released to production. Server software package changes between development machines, staging and production are all managed via ansible which ensures the environment is replicable. Feature changes require approval from sales, the business analyst and senior development team before coding begins.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We assess potential threats by monitoring for unusual activity that may indicate a system defect being exploited. Key entry points and interfaces are prioritised, as well as areas of the application that involve handling of secure information. If a third-party library is used, the development team will research the issues to assess whether there are known flaws which could affect our systems. We receive alerts from the National Cyber Security Centre regarding the latest threats which are forwarded to the development team if relevant. Patches are prioritised and tested on our staging server before released to production.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The senior development team monitor server data and statistics which shows a current and historical overview of the platform. Unusual activity (spikes or behaviour not typical to that time of day) are investigated by analysing the logs. Potential compromises can also be identified during testing on the staging server. Any issue would be raised with the development team and prioritised in the backlog before changes are made to production. In addition to manual testing, there is also some automated test-coverage across the application. Failed tests would indicate a potential flaw in the application and would be prioritised immediately.
Incident management type
Supplier-defined controls
Incident management approach
Dedicated support team who respond to incidents. Incident call raised by the "incident commander" who assembles relevant people to action the incident. Incident logged in an issue tracking system. Post-mortem with follow up actions to help detect and mitigate similar issues in the future. Use of a common post-mortem template so we can analyse where the majority of issues stem from. Users report incidents either through the app, or via the support page on the website. The support team then react to this and notify the incident commander.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£10000 to £15000 per licence per year
Discount for educational organisations
Free trial available
Description of free trial
The free trial of Whitedocs allows the full application of the system to be used for a maximum of 30 days.
Link to free trial

Service documents

Return to top ↑