L2P Enterprise Ltd

L2P Appraisal, Revalidation, Multi-source Feedback and Job Planning Management Software copy

Appraisal and Revalidation Software for the healthcare sector. One-stop solution with integrated Appraisal, 360-Multi-Source Feedback, Job Planning, CQC regulatory-documentation, and Medical Educator modules. Offers comprehensive real-time dashboards, full automation, and one-touch NHSE reports. Founded by NHS doctor with 10-years appraiser experience. Designed in collaboration with NHS trusts and private hospitals.


  • Integrated Appraisal, 360 Multi-Source Feedback, and Job Planning modules
  • Bespoke QA-checklist for improving quality of medical appraisal submissions
  • One-click NHS England reports and Extensive management reports
  • Action-oriented Dashboard
  • Quality Assurance modules and real-time performance overview toolkit
  • Integrated Medical Educator module with dashboard and HEE reports
  • CQC-module: assists doctors to keep regulatory information in one place
  • CQC-dashboard: enables organisations to track status of all regulatory document
  • Management of doctors' portfolio of Supporting Information inc. smartphone app
  • Appraisal, Revalidation, 360-MSF, Job Planning and Medical Educator dashboards


  • A system so intuitive, no training of doctors required
  • Fully-automated emails for all key reminders; minimal administration required
  • Developed by experienced NHS-appraiser in consultation with NHS/private hospitals
  • Instant NHS England reports and excellent management reports
  • Highly responsive system - 99.99% uptime
  • Smartphone friendly
  • Support desk with exceptionally fast response times
  • Powerful integrated multi-source feedback
  • Full integration across all modules: single sign-on, simple administration
  • 4 interconnected QA/performance management tools to assist all user-types


£28 to £100 per user

Service documents

G-Cloud 11


L2P Enterprise Ltd

Colin Wilkinson



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No constraints. Planned maintenance is conducted out of hours with prior notification.
System requirements
  • A modern web browser
  • Internet connection

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Less than one hour.
Weekends are usually within 4 hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels First line support for administrators and doctors is provided by our own Helpdesk.
At implementation we provide full training to all administrative users.
We also provide training to groups of appraisers.
This is included in the implementation fee.
After that we provide live 1-to-1 webinars with administrators on an 'as required' basis throughout the contract, as part of the license fee.
Doctors are primarily trained via a library of videos on different aspects of the system.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started As part of our implementation, we provide onsite training to administrators and appraisers. We continue training via online webinars. In addition we provide multiple short video presentations for all user types.
Ongoing training is provided via our support desk for specific question types.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Organisations download the data required as per GDPR guidelines.
The data is still retained for the doctor user until such time as they no longer require it.
Most of the data required is summary PDFs of appraisal, MSF and Job Plans.
End-of-contract process At the end of the contract, clients are able to download all files to their own servers.
Individual users are offered the same opportunity or to maintain an account with L2P directly.
Data is maintained on our servers within the constraints of GDPR and is discussed with each client.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No difference between mobile and desktop
Service interface No
Customisation available Yes
Description of customisation Clients can choose from multiple different modules. The modules available are:
Appraisal and Revalidation,
Multi-Source Feedback,
Job Planning,
Medical Educators,
Medical Indemnity Module,
Post Appraisal Questionnaires (including bespoke questionnaires),
Quality Assurance,
Disclosure and Barring Service check module (automated checking and reminders),
ICO module (automated checking and reminders),
Resources modules,
Bespoke Checklists,
Mandatory training module.
In the configuration of the system for the client, there are also multiple different settings that can be applied - e.g. different emails and different timings of emails, different configurations of the dashboards.
As the software has evolved over 5 years, based on client feedback, the vast majority of specification change requests have been applied universally to the system. However, clients are offered the opportunity to tailor the system specifically for their organisation.


Independence of resources Access is load balanced over a pool of application servers. Application and database servers are monitored and scaled up or out as required based on usage.


Service usage metrics Yes
Metrics types Support desk perfomance, including response times and first-fix rate.
System uptime.
Change request logs.
User access data including: a full audit trail (login times and dates, access logs, last users).
We produce large numbers of reports related to performance of appraisals, MSF and job planning including submission dates, last modified, etc.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach All data is maintained in the cloud linked to their account when they 'share' it with other permitted users.
Users can download the required specific information such as file types and summary PDFs.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • PDF
  • MS Excel
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • MS Word, Apple Pages and other document formats
  • MS Excel, Apple Numbers and other spreadsheet formats
  • MS PowerPoint, Apple Keynote and other presentation formats
  • PDF files
  • Picture files e.g. JPEG, PNG, TIFF
  • Weblinks
  • Zip files
  • Data parsing from 3rd-party appraisal forms, including the MAG PDF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability L2P Enterprise offers a system uptime guarantee of 99.9% on a rolling 90 day period.
We will notify you within 24 hours if we fall below this level.
You will be entitled to credit or a refund as follows:
1.) 1 x daily average cost (your total invoice/365) for any and each day we fall below 99.9%.
2.) 3 x daily average fee for each and any day we fall below 99% availability.
3.) Calculations exclude Planned Maintenance notified in advance.

For information, we are currently running at above 99.99% availability
Approach to resilience Available on request. Not for public consumption.
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Institutional administrators use two-factor authentication using both password and physical token (a 'Yubikey' USB-key) which generates a one-time password. Each administrator has their own OTP key uniquely linked to their account. Authorisation is checked for each data item which is accessed and all edits are logged and retained.

At the application level, doctors and appraisers have password-protected access to their own data or, in the case of appraisers, appraisals they are authorised to view. Authorisation is checked at the point of access for each data item requested or amended and all edits are logged, with previous versions retained indefinitely.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus (ISOQAR)
ISO/IEC 27001 accreditation date 31/07/2017
What the ISO/IEC 27001 doesn’t cover TBC
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Via Paypal and Stripe
PCI DSS accreditation date Not known
What the PCI DSS doesn’t cover Not known
Other security certifications Yes
Any other security certifications
  • ISO27017 – Cloud Security
  • PSN Service and Connection Compliant
  • SSAE 16 - Type ll
  • Cyber Essentials
  • ISO 27018 - 2014
  • ISO 27032:2012
  • ISO 27040:2015
  • ISO 27017:2015

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have full Information Governance and Security training for our staff, recently updated under GDPR 2016. All staff are expected to comply with our policies. Information and Security governance is also driven by the specific guidelines from NHSE on Appraisal and Revalidation Information Governance, complying with legislative and regulatory requirements.
Training includes awareness of:
Physical security,
Access and Passwords,
Using the Internet,
Mobile computing,
Removable media,
Information disposal and
Security incidents.
Reporting is directly to the Managing Director. All actual or suspected information security breaches are reported and are thoroughly investigated - The Information Security Policy is reviewed annually by the Directors. We carry out Risk Assessments and monthly internal audits to ensure our compliance is adhered to. All incidents are reported/logged and dealt with..

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Changes are prioritised and tracked through an issue management system. Each release goes through user acceptance testing before being rolled out as part of planned maintenance, with release notes provided to all clients. All releases are version controlled and can be rolled back if required. Releases include updates or patches to third-party software where appropriate.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Potential vulnerabilities are prioritised and tracked through an issue management system. All potential vulnerabilities are assessed for impact and probability by the Head of Development and the Management Team, and then addressed with an appropriate priority. Penetration testing is performed annually by an external security company and identified vulnerabilities are addressed immediately or within the next scheduled release, as appropriate.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Applications and servers are monitored 24/7, with initial alerts to the technical team and escalation to the Management Team if required. Any potential attacks are assessed and prioritised by the technical team in consultation with the hosting company and remedial action is taken immediately for threats which are service-impacting or put data at risk.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach All incidents are logged and tracked through an issue management system. All incidents are reviewed by the Head of Development and the Management Team to identify causes and prioritise actions to prevent future incidents. Any incidents with potential client impact are advised to clients with details of the cause, impact (actual or potential), and remedial and preventative actions undertaken.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £28 to £100 per user
Discount for educational organisations No
Free trial available Yes
Description of free trial Full system including full implementation and training (depending on circumstances). Time period can be negotiated.
Link to free trial By request

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑