SynApps Solutions Limited

Vendor Neutral Archive In-the-Cloud

The Vendor Neutral Cloud (VNA) SaaS offering provides a highly-secure and cost effective solution for the capture and management of both DICOM & Non-DICOM images and documents. The offering provides an N3 enabled platform for delivering Cross Document Sharing (XDS Repository/Registry) facilitating the sharing of documents between any healthcare enterprise.

Features

  • Pre-configured Vendor Neutral Archive (VNA) application
  • Robust security model, retention policy management and records management
  • High Resilience Tier 3 Data Centre with Protective Monitoring
  • Available as an Assured or Elevated Cloud-Platform service
  • Cross Document Sharing (XDS) with both repository and registry
  • Capture and management of DICOM and Non-DICOM images and documents
  • Integration to PACS, PAS, XDS, WADO, TIE via HL7
  • Capture and Management of Diagnostics, Medical Photography & Records, Documents.

Benefits

  • Substantial savings for management of both DICOM and Non-DICOM assets
  • Highly scaleable, on-demand solution
  • Assured Security. Highly resilient Tier3, UK sovereign data centres
  • Optional Class 2A “zero footprint” viewer.
  • "Zero Footprint" view for Remote Working and Cross Departmental access
  • Standard intuitive interface for ECM search, create, review, update functions

Pricing

£10.78 per person per year

Service documents

G-Cloud 10

415504613888167

SynApps Solutions Limited

James Paton

+44 (0)8702 405143

james.paton@synapps-solutions.com

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Support availability 9.00am - 5.30pm. Mondays - Fridays excluding UK Bank Holidays as standard.
System requirements Windows 7, 8 or 10 on the users desktop environment.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times One hour for Severity 1 (Critical) cases.
Two hours for Severity 2 Cases
Eight hours for Severity 3 Cases

Response time targets vary with case severity level - Service Description for details.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels SynApps Solutions standard support includes Service Managers, Infrastructure Engineers, and Application Support Engineers operated out of our Hatfield support office. We aim to assess and respond to ALL Priority 1 incidents within 1 hour when raised during the normal business hours of 09:00-17:30, excluding Bank Holidays and Weekends.

Please see our service definition document for a complete breakdown of our service levels.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started All new customers are assigned a Project Manager that will provide planning, proactive support and advice for the initial onboarding of the service. This will lay out timelines and procedures for the enablement of the platform for the customer. During this period the Project Manager will be responsible for engaging the assigned Service Manager to the customer and preparation of key service documentation. Additional services may be explored as required to engage additional training or configuration tweaks to the service.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The customer has complete complete control on how their data is exported although additional costs may apply.

A typical exit process would be as follows from the hosted environment on request, extract the data from the repository and provide the configuration source files. The extracted data will be typically provided in XML format for data and original native format for the content files. In addition any implementation source code/configuration for the solution will be exported from the code repository and supplied along with the data.
End-of-contract process We will return all your data and materials which cannot be deleted or exported by you, typically we will provide an as is snapshot of the repository. A more complete export which required the manipulation of the data from original structure in the repository will attract additional exit fees.

We will not penalise you for terminating your contract with us unless specifically stated in the Service Definition and within the first year. We will also return all of your confidential information, unless there is a legal requirement that we keep it.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 A
Accessibility testing Alfresco like many vendors undergoes significant Quality Assurance prior to any release this includes testing conformance to the standards the product adheres too. Alfresco is working towards WCAG 2.0 AA compliance but at present are not fully compliant. The current release was put forward for VPAT.
API Yes
What users can and can't do using the API Alfresco is a Java-based technology and is deployed on standard Java EE technology (e.g. Apache Tomcat). Integration with other systems is via multiple mechanisms but includes Web Services and RESTful APIs for access to and from other technologies such as .NET. This includes support for HL7.
API documentation Yes
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment No
Customisation available Yes
Description of customisation Additional configuration can be added in to the service in the following forms. For example custom meta-data specific to a customer's business requirements. In addition business specific Workflows can be configured and added to the service to augment existing business processes. This configuration would be carried out by the Supplier on the customer's behalf.

Scaling

Scaling
Independence of resources Resources provided for the service are provisioned on uncontended hardware.

Analytics

Analytics
Service usage metrics Yes
Metrics types We provide standard KPI's for the services which include but are not limited too the following: -
* User Usage, including monthly logins, peak sessions, login failures.
* Platform performance in the form of Network throughput, CPU & Memory Usage
* Storage use.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Reseller providing extra features and support
Organisation whose services are being resold Alfresco, J4Care

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Other
Other data at rest protection approach Physical access controls are managed by our hosting partner and we can deploy data encryption to the service if this required by the customer.
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The user interface provides users with the ability to perform one-off exports as required, or if a bulk export this can be arranged with our professional service's teams.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • All content is exported in its native format.
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network All services within the network are protected by dedicated firewalls. Keeping services seperate to ensure that data cannot be comprised.

Availability and resilience

Availability and resilience
Guaranteed availability 99.95%
Approach to resilience Our service is deployed across a number of zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware).
Outage reporting All outages will be reported via email notifications service.  Outages are identified as Planned maintenance, Emergency maintenance, and platform issues.  In addition, the designated Service Manager will proactively contact customers as appropriate.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication Alfresco verifies that a user is who they claim to be. A user’s credentials can take many forms and can be validated in a number ways. For example, a password validated against an LDAP directory, or a Kerberos ticket validated against a Microsoft Active Directory Server, it may integrate with the Java Authentication and Authorization Service (JAAS).

A user ID can also be presented as an HTML attribute over HTTPS to integrate with web-based single-sign-on solutions, this maybe extended to write your own authentication integration.

Multiple authentication options maybe used simultaneously.
Access restrictions in management interfaces and support channels Access to Management interfaces and support channels is role based and defined by a users group membership and authorisation to access those interfaces.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date Latest Revision Date: 09/22/2017
What the ISO/IEC 27001 doesn’t cover The whole organisation has been included in the certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications CyberEssentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes As part of ISO 27001 certification we maintain a formal Information Security Management System, under which we maintain our Information Security Policy. The information security policy approval is conducted as part of the quarterly management review meetings which is driven by at least two directors and the Security and Compliance Manager.

Our Information Security Policies are subjected to a regular internal audit for which we have a pre-defined schedule of areas of the ISMS (ISO 27001) which are to be audited. The schedule ensures that all areas of the ISMS Scope are audited at least annually and, in some areas, twice a year. This is to ensure that appropriate adoption of the policy is monitored within the organisation. The auditor may be an individual within the organisation appointed to audit a specific area of the business.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach SynApps Solutions has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with best practise with ITIL and in-line with the change control procedure defined in our ISMS as part of our ISO27001 accreditation. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation.

Typically as part of the onboarding service where the customer has specific change control procedures then we will integrate with these.
Vulnerability management type Supplier-defined controls
Vulnerability management approach SynApps Solutions vulnerability management policy and process, which has been implemented, maintained and assessed in accordance with the guidance from the ISO27001 standards. SynApps Solutions receives regular updates where from the vendor suppliers, taking action where and when it is appropiate to the service. For other systems and software we monitor news letters published by our partners and reports published by industry standard news outlets to promptly identify and evaluate any emerging vulnerabilities which require our attention.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Following best practice from the National Cyber Security Centre, SynApps Solutions protects the proposed platform with enhanced protective monitoring services (SIEM). Protective Monitoring is pro-actively operated by our partner Falanx Assuria whose approach to protective monitoring continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems). It includes checks on time sources, audit monitoring, boundary traffic where not covered by UK Cloud, suspicious activities, network connections amongst many others. All alerts are immediately notified to the SynApps Solutions infrastructure team for prompt investigation.
Incident management type Supplier-defined controls
Incident management approach SynApps Solutions has a documented incident management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL and ISO27001 standards. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by SynApps Solutions personnel, and incidents identified and reported to SynApps Solutions by its customers and partners. All incidents are promptly reported into a central ticketing system, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • New NHS Network (N3)
  • Other

Pricing

Pricing
Price £10.78 per person per year
Discount for educational organisations No
Free trial available No

Documents

Documents
Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑