QRoutes

QRoutes

QRoutes is a highly cost effective, cloud based GIS tool for planning SEND, mainstream school or adult social care transport. Planners can generate quality results in minutes, meaning provision can be re-optimised as and when requirements change. See https://qroutes.co.uk for more on how QRoutes customers' benefit from using the service.

Features

• Latest Ordnance Survey (OS) map data
• Automated address cleansing using OS Address Base
• Fast, automated and effective route planning
• Automated roll-over of provision e.g. for the new school year
• Automatically identify the best route for a new passenger
• Specify who can travel with whom
• Assign and schedule Passenger Assistants
• Automated Pick-up point calculation
• Export route itineraries with maps
• Web service API for system integration

Benefits

• Produces high quality results - better than human planners
• But planners can use their expertise to improve results further
• Planners can re-plan provision quickly throughout the year
• Brings all planners up to a similar high level
• Cost savings - one customer saved £1.5m re-planning 7 schools
• Keeps cutting costs through rapid re-planning
• Highly effective when planning SEN transport
• Highly effective when planning mainstrain school transport
• Highly effective when planning social care & health transport
• Highly effective at integrating disparate transport provisions

£19,500 to £26,325 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)

Framework

G-Cloud 12

Service ID

478497881983360

Contact

QRoutes

David Stewart

0117 4285780

david.stewart@qroutes.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Some older browsers, e.g. Internet Explorer version 10 and below, which can't support the latest data in transit protection (TLS 1.2 or above) are not supported.
• System requirements:
  • A web browser supporting security standard TLS 1.2 or above
  • A program to view and edit CSV files (e.g. Excel)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Email support is at support@qroutes.co.uk. ; ; Tickets can be raised at qroutes.zendesk.com.; ; QRoutes will reply to all emails and tickets within 1 normal working day.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: QRoutes prides itself in working closely with customers. The subscription price includes example processing of the customer's data, up to 5 days per annum of onsite training and workshops, and unlimited online support
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: QRoutes runs an on-boarding process to identify the customer's needs and to tailor the services to best meet those needs accordingly. Training is provided remotely or onsite using, wherever possible, the customer's own data. QRoutes staff will also visit the customer during the subscription to ensure the customer is achieving the most value from the service they can. There is in-application help and support is always available through the support site https://qroutes.zendesk.com.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: The application does not retain a customer's data. The customer uploads their data, processes it and downloads the output.
• End-of-contract process: The customer simply decides whether to re-subcribe or not. There is no tie-in of any sort.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• API: Yes
• What users can and can't do using the API: Users first create a log-in account on the cloud software. They then use those same authentication details to begin a session via the API. The core routing and scheduling functionality is provided - the loading of trip data, the setting of scheduling parameters and the downloading of the planned itineraries.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customer account administrators can control what functionality is available for standard users and how it is configured, including: ; Routing & scheduling performance objectives; ; Road speed calibration settings; ; Passenger type definition and management;; Vehicle type definition and management;; Pick-up point definition and management

Scaling

• Independence of resources: QRoutes has a scalable hosting architecture, whereby multiple servers are available for the potentially extensive back-end computations. Customer processing requests are allocated to free resource, meaning no one customer's usage affects another.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users download their processed data directly from the application as CSV files.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: QRoutes uses commercially reasonable endeavours to make its services available to users at qroutes.co.uk 24 hours a day, seven days a week, except for planned maintenance carried out between 10.00 pm to 2.00 am UK time.
• Approach to resilience: QRoutes' services are hosted by iomart (https://www.iomart.com). Each application is backed up at two of iomart’s UK datacentres. QRoutes has one or more application servers at each datacentre, each of which can be used for another server’s disaster recovery.; ; QRoutes has a SLA with iomart. It will establish the severity and impact of any outage within 15 minutes and troubleshoot the cause within 30 minutes. It also provides mission critical hardware replacement.
• Outage reporting: QRoutes notifies all its users by email of any scheduled service down time 2 weeks, and again at 1 day, prior to the down time. ; ; QRoutes emails users as soon as there is any unexpected outage and keeps users updated with the reasons for the outage and the likely time for resumption of service thereafter.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access to all user accounts is controlled by username and password. Users must all use an email address from their organisation's domain. ; ; There are two levels of customer user: User and Administrator. Only an Administrator can change the configuration of the service for the customer organisation and view audit history logs of usage. ; ; All users must reset their passwords every 42 days. These must be at least eight characters long; not contain the user name, real name, or company name and contain characters from at least three of: Uppercase letters, lowercase letters, numerals, symbols.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR
• ISO/IEC 27001 accreditation date: 31/07/2017
• What the ISO/IEC 27001 doesn’t cover: The iomart Statement of Applicability (SOA) defines how iomart implement Information Security. This details what is in scope and out of scope in relation to ISO27001. This document is iomart company confidential but can be provided under NDA for auditing purposes.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials, verified by Indelible data
  • Data Protection, verified by ICO

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: QRoutes ' services are hosted by iomart (https://www.iomart.com); ; The iomart Information Security Management System (ISMS) determines and outlines how iomart organises and manages the company’s information security in relation to internal information systems, operation and support including the provision of complex managed and cloud computing services for customers. The verifying body is ISOQAR.; ; iomart is also accredited as Cyber Essentials. Its business ICT defenses have been assessed as satisfactorily protected against commodity cyber threats, i.e. attacks using identified capabilities and techniques freely available on the internet. The verifying body is Indelible data.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Software updates are evaluated on a test server hosted by the same data centre company as the live servers. Change requests are processed in the support site (https://www.qroutes.zendesk.com) and the corresponding workflow, along with new feature development, is managed in JIRA. ; ; New versions are triple-blind tested manually for functionality, usability and security before their release to the live servers. An automated test suite is also run prior to deployment on the test server and after deployment on the live servers. It contains functional, regression, performance and stress tests.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The iomart vulnerability management process is aligned with ISO27001:2013 control A12.6.1 which addresses 3 key areas:; Timely identification of vulnerabilities; Assessment of or exposure to a vulnerability; Defined measures to address the risk.; ; QRoutes also runs regular penetration testing of its application; several QRoutes customers also perform penetration testing of the service.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Iomart Protective Monitoring process is aligned with ISO27001:2013 control A.12.4 which details: Event Logging; Protection of log information; Admin & operator logs; Clock synchronisation; Incident Management. ; ; QRoutes operational staff also monitor account log-in attempts and usage for abnormal activity on a daily basis.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Iomart incident management process is aligned with ISO27001:2013 control A.16.1 which details: The full incident management procedure; Responsibilities & procedures; Assessment of and decision on security events; Response process; Evidence collection; Learning from incidents. ; ; QRoutes reviews any incidents at its monthly management and board meetings.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £19,500 to £26,325 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: QRoutes will be provided to interested organisations free of charge for one week (longer periods may be possible upon request). ; ; The free trial service is not limited in any way other than the amount of time the user has to access it.
• Link to free trial: Please contact info@qroutes.co.uk for a free trial account.

Service documents

• Pricing document (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)