Toplevel

EQUINITI Toplevel - eCase

Secure, configurable, helps government meet Digital by Default Service Standards. Fast, scalable online customer services reduce phone enquiry costs and time managing cases. Strong multi-agency and customer self-service with multichannel correspondence. Workflow rules guide staff processing approvals and maintaining case register. Supports applications, claims, returns, enquiries, grants, appeals, and assessments.

Features

  • eCase Management helps government meet Digital by Default Service Standards
  • Design and deploy secure, citizen-facing digital services
  • Proven enhanced security in line with HMG Standards
  • Secure n-tier architecture and fully resilient hardware in data centres
  • Includes case workflow rules, full audit trail and electronic approvals
  • Configure eCase in-house, use our services or combine the two
  • Comprehensive wizard-driven configuration with toolkits and Open Standards support
  • Open Design Studio and ‘design once use many times’ capability
  • Offline data collection facility for use where there is no internet access
  • Protect+ infrastructure option meets standards required for PGA accreditation

Benefits

  • Proven high take-up service, saves time and costs, improves services
  • Provides a secure collaboration portal for caseworkers and customers
  • Multi-agency support makes case notes available to all permitted staff
  • Multi-agency support enables joined up working between organisations
  • Workflow rules ensure that staff follow correct procedures
  • Management reports inform decisions that optimise staff utilisation and efficiency
  • Low code COTS solution; quick to set up and deploy
  • Government strength security built in with CLAS level security testing
  • Inclusive customer interface, supports all browsers, tablets and smartphones
  • Rapid configuration enables regular client input before testing and delivery

Pricing

£35.00 per user per month

Service documents

G-Cloud 9

495194071079536

Toplevel

Neill Duff

01453 852700

frameworks@toplev.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None.
System requirements
  • Internet access
  • Web browser

User support

Email or online ticketing support Yes, at extra cost
Support response times We are available via phone and email from 9:00am - 5:30pm (UK time) Mon-Fri (excluding English public holidays), with extension options available. Response is immediate with agreed KPIs/SLAs for resolution, from our ITIL-aligned service desk.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing We use Skype for Business that is certified to EN 301 549.
Onsite support Yes, at extra cost
Support levels We offer support packages of various sizes with buyer agreed SLAs. Support is charged on a time basis, at an agreed rate. Toplevel provide access to a technical account manager. We also provide buyers with a published escalation route.
Support available to third parties Yes

Onboarding and offboarding

Getting started Toplevel works proactively with our clients to form a personalised bespoke training and implementation programme which suits individual requirements. On-site training is provided for the Open Design Studio, along with online training videos and user documentation. Further training and onboarding can be requested at any time. Training can be delivered remotely if required, which is particularly useful if clients have teams that are either fully or partly located outside of the UK.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats DOCX
End-of-contract data extraction Data is stored in individual cases by design for security purposes and so all data cannot be retrieved from the main interface via a single button click. Users will need to contact Toplevel to discuss the data that needs to be extracted from the system at contract end. We do however provide a service in which customer data can be extracted in a number of standard formats, including XML and CSV, and users can opt to retrieve this data themselves. Bespoke data export services can also be discussed and provided at additional cost.
End-of-contract process Off-boarding is charged at Toplevel's standard day rate. We will extract all relevant data in a suitable format and deliver it by secure methodology to our end customer and/or the data owners. This normally takes the form of being hand-delivered on an encrypted disk, with individually encrypted files with applicable passwords provided separately. We are happy to engage and work with third party suppliers to ensure a seamless transition when off-boarding a customer, particularly so that end-users aren't affected. We comply with all necessary G-Cloud 9 terms around off-boarding regarding data formats and SLAs.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Toplevel specialise in providing secure, accessible government services, and so we are committed to making sure that screens within our services are automatically accessible to WCAG level AA. Similarly if the standard were to increase in future, you can be assured that Toplevel will meet this. As well as having considerable expertise in-house, we have also collaborated with external consultancies including RNIB, AbilityNet and Shaw Trust to ensure we meet all legislative requirements of the Equality Act 2010. Most recently, we contracted the Shaw Trust in order to carry out an accessibility review of Toplevel products as part of our R&D workstream. We have passed numerous GDS assessments, complying with the Digital Service Standard.
API Yes
What users can and can't do using the API The Toplevel APIs may be configured to allow interaction with screens, forms, processes and workflows from other services; to list, read, create and update cases; to download attachments from cases; and to progress cases through their defined workflow. We will work with clients during onboarding to ensure that APIs are configured correctly.
API documentation Yes
API documentation formats
  • ODF
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation Toplevel’s Open Design Studio, included as standard, is our visual drag-and-drop design toolset that empowers developers and non-developers to flexibly develop, design and update digital interactive services. Open Design Studio combines a ‘Design once, use many times’ capability that allows users to design screens, case workflows, business processes, themes and branding, document layouts, forms and templates once and re-use these for other pages, projects and device types without needing to write code. Agile prototyping allows for fast delivery of working prototypes and provides built-in inclusivity and accessibility compliance. Delivery times can be cut by up to 50% vs bespoke software deployments, and it includes optimised integration, as Open Design Studio provides greater flexibility for customers using Service Orientated Architectures (SOA).
An administrative console enables the setting up of users and groups of users, defining roles they may undertake and therefore whether they may customise the service or simply act on cases in the service, and it is up to the client to determine who can make any necessary changes to the system.

Scaling

Independence of resources We segregate environments so they do not impact on each other. We scale environments appropriately when designing and keep them under constant review by monitoring hardware metrics. In addition, a dedicated hardware team monitors the overall hosting solution using specialist technology to ensure the overall system and individual solutions run with a significant amount of spare capacity at all times, which means that end users are not adversely affected during peak demands.

Analytics

Service usage metrics Yes
Metrics types We provide the following on a monthly basis as part of the service performance report:
  • System uptime
  • Number of page requests
  • Server response times
  • Toplevel's performance on all raised and closed issues with the service desk against agreed SLA/KPIs
  • User numbers
Additional metrics are available on request.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach Our Dual Zone encryption is available, using standard AES-256 encryption.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Toplevel's products use fully documented open APIs and web services allowing for integration to external services. We also use standards-based integration, supporting data exchange using open data standards such as XML, PDF, CSV and SQL databases; this is point-and-click integration delivered out-of-the-box requiring minimal configuration. We also partner with Scribe, which operates as a product-to-product integration requiring no programming, for an additional approach to data export at extra cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • Direct to SQL database
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network We have segregation at an infrastructure level. This includes Access Control Lists, physical access controls and other network segregation technologies. There is also the additional option of separation between public and staff systems (known as Dual Zone) - which provides enhanced security should it be required. Dual Zone is an extension option to our Outreach case management platform that can partition and secure individual records using managed key encryption while still allowing public sector staff, their customers and outside agencies to collaborate seamlessly on cases.

Availability and resilience

Guaranteed availability We target an SLA for overall system availability of 99.5% minimum over 24/7. We regularly exceed this and most customers have an uptime of 100% each month. If we fail to meet 99.5% in a given month, the period of downtime is added on free of charge at the end of the contract.
Approach to resilience This information is available on request.
Outage reporting We have a proactive support team on our ITIL-aligned service desk who monitor the service for system outages 24/7. Should an outage be detected, our engineers will respond and start resolving the issue as a priority and, in parallel, will contact the nominated customer contact as appropriate. Communication will be via email and/or telephone, and we will discuss with the customer their preferred approach. Extension options are available.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication We can also authenticate with Government Gateway, GOV.Verify, GOV.Notify for two-factor authentication, as well as other methodologies including Biometrics.
Access restrictions in management interfaces and support channels Access is restricted to nominated and cleared personnel from dedicated devices within Toplevel. Management interfaces can be separated from public usage interfaces and access restricted by infrastructural means as well as software, such as by a VPN. Role-Based Access Control (RBAC) is implemented at an application level to ensure appropriate restrictions around visibility and read/write access to all data within the system.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SN Registrars Holding Ltd
ISO/IEC 27001 accreditation date 5th August 2016 (expires 2019)
What the ISO/IEC 27001 doesn’t cover We have a statement of applicability which is available on request.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations Pan Government Accreditation

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 27001 UKAS accredited and we have strict protocols to follow when a security incident is detected. We also have internal controls and processes, overseen by a dedicated security team. We host systems that comply with the HMG Security Policy Framework and HMG Information Assurance standards. We host some systems that have a full set of RMADS, and we're aiming to be ISO 27017 and ISO 27018 accredited in H1 2017. Additionally, we protect personal data with quarterly penetration testing and necessary IT Health Checks, have granular access control to data, and it’s our policy for all staff with access to customer data to be SC cleared. In 2015 we obtained Pan Government Accreditation, resulting in us creating our Protect+ cloud specifically for government customers. We have a unique dual server architecture (Dual Zone) option which allows government, citizens and outside agencies to communicate and participate seamlessly through a single joined-up service while keeping all personal information protected and secure.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We have an ITIL-aligned change management process, under which all changes to our hosted services are assessed for potential security impact. The configuration of the service's software components is managed through documented, ISO9001 accredited processes and the use of Microsoft Team Foundation Server.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a number of sources for obtaining information about potential threats, including specialist security vendors, platform providers and our in-house security team. We have a policy of ensuring operating systems are patched within 1 week of receiving them from the OS vendor. Antivirus definitions are updated daily and application vulnerabilities are patched immediately upon identification.
Protective monitoring type Undisclosed
Protective monitoring approach We have proprietary, proactive monitoring programs which run on our systems. These are configured to alert our ITIL-aligned service desk when threats or suspicious behaviour is detected. Our service desk will respond immediately; based on impact analysis the incident will be raised as either Critical or Severe and will be prioritised accordingly. The priority can then be amended following further investigation. Remedial and/or mitigating actions will be taken as appropriate.
Incident management type Supplier-defined controls
Incident management approach We have pre-defined processes for each ITIL incident type (Incident, Problem, Change, Advice). These are followed by the team to conclusion and tracked through an incident management system, with appropriate escalation to expert teams. Users report incidents by phone, email or a web interface and receive confirmation with a unique ticket number. Monthly reports are provided to the service owner or service delivery manager. We also offer dedicated service delivery management calls.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £35.00 per user per month
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document