Conduent Incorporated

Platform as a Service (PaaS) - Communications Services

Conduent Automation Platform (CAP) will provide customers with a powerful platform to enable their digital transformation. CAP is a single, cloud-based integrated automation platform that offers customers an innovative product pipeline, faster resolution of fewer issues, an improved user experience with improved dashboards, and deep business intelligence capabilities.

Features

  • Digital Document Processing
  • Case Management
  • Data Analytics
  • Live Dashboards
  • Real-time upgrades with Kubernetes
  • End-to-end Monitoring
  • Scriptable module deployment
  • Segregated Layered Architecture
  • Microservice architecture
  • Self-serve onboarding of customers

Benefits

  • Speedy business process changes
  • Elimination of human error
  • More control with real-time metrics
  • Decreased costs of repetitive manual tasks
  • Higher quality in process results
  • Better customer engagement
  • Increased speed in process time
  • Higher process control with real time metrics
  • Increased customer insight with big data analytics

Pricing

£70 to £2,000 a user a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at celia.degge@conduent.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

515799866468425

Contact

Conduent Incorporated Celia Degge
Telephone: +44 (0) 7921 647905
Email: celia.degge@conduent.com

Service scope

Service constraints
None
System requirements
Customer specific blueprint is designed at the time of engagement

User support

Email or online ticketing support
Yes, at extra cost
Support response times
As support resources are staffed and available 24x7, response times are near-immediate. Response times for Client Management resources are typically within 30 minutes during business hours or within 60 minutes during off-hours. Conduent is confident in its ability to provide high-quality, constant support.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Conduent will provide valuable support in areas such as:
• Strategy & Positioning: Joint go-to-market planning and strategic specialization to help differentiate your firm
• Technical Guidance: Technical oversight, support, and application health checks
• Marketing & Promotion: Internal and external promotion, co-branded collateral and assets, and market exposure via CAP marketing channel.

Currently, on premise infrastructure requires onsite support including security patches, upgrades, hardware, and maintenance agreements.
• Global Service Delivery – Professional Services
o Yes, offering team develops Implementation schedule, will need local teams to execute/roll-out documents
o Transition Management – Solution Architects and Product Owners
• Global Service Delivery – help desk support
o Yes, we will need to leverage support level 1, level 2 and level 3 support resources
• Global Service Delivery Change Management Methodology
o Yes, will leverage methodology and look to include steps in Work Breakdown Structure.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The training plan will be developed based on the ADDIE model (Analysis, Design, Development, Implement and Evaluate).
• As part of the Analysis phase, we’ll examine the internal and external personas and define the needs of each learner. Measurable, instructional objectives are also defined in the analysis phase.
• During the Design phase, the team will sequence content and determine instructional and evaluation strategies based on the objectives. Instructional strategies include the use of student and instructor guide templates, classroom delivery training, utilization of case studies, in-line training videos, microlearning sessions, recorded training courses and fact sheet reference guides. Instructional strategies will also encompass the use of a learning platform, as well as gamification of the material to ensure learner comprehension.
• During the Implementation phase, the team will manage, track and support instructor-led classroom and virtual training.
• The Evaluation phase will assess the data collected during the implementation phase and make updates/changes as needed. This evaluation will include not only feedback on the learner’s understanding of the training, but also evaluation and feedback to the course instructor for continued training development.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
At the end of all contracts, Conduent will apply our standard exit plan, fully project managed by our project manager and IT lead, to ensure the project is exited professionally and ready for complete handover to the incoming supplier. Final erasure of all electronic Conduent or Conduent client information will occur as part of a documented process indicating that the information will be both physically and electronically impervious to interception or interpretation by unauthorised persons.

When applicable, prior to erasing electronic confidential information, authorisation will be obtained from the client. Documentation of all authorizations to erase confidential information will be retained. Erasure, sanitizing or other actions to remove or render inaccessible data on equipment is subject to any “litigation hold” or other instruction from the Conduent Legal Department.
For systems not able to support the required standard of data erasure, alternative measures commensurate with the level of sensitivity of the data contained on the drive will be documented and observed. These may include but not be limited to, the complete destruction of the drive, degaussing of the disk, or the complete overwriting of the drive.
End-of-contract process
• Physically damaged drives that cannot be accessed will be destroyed, degaussed, or transported observing the Secure Media Movement requirements in this document. Local IT Departments, Systems/LAN Administrators must maintain documentation of all equipment sanitized, including relevant dates, asset numbers, equipment type, method or location of disposition, and the responsible Conduent employees.
• When transferring computer equipment among employees and/or sections, local IT Departments must review the contents of the electronic equipment to ensure removal of applications, software, and/or data not required by the receiving employee and/or section.
• Local procedures for erasing and sanitizing may include leaving the operating system (if doing so does not violate licensing), deleting all licensed software, deleting/clearing the registry, purging the recycle bin, and following DoD specifications, as applicable.

Using the service

Web browser interface
No
API
Yes
What users can and can't do using the API
The platform is based on a plug-in architecture for extensibility. The workflow engine for each customer orchestrates the execution of plug-ins. Plug-ins may in turn call other services to store and access data as well as perform additional processing. Control of plug-in execution is a function of the workflow and not of other services. Special event driven plug-ins, however, may initiate a workflow.
API automation tools
OpenStack
API documentation
Yes
API documentation formats
PDF
Command line interface
No

Scaling

Scaling available
Yes
Scaling type
Manual
Independence of resources
For each Conduent service deployment, a detailed client-specific blueprint is created defining system capacity, data security, and user accessibility requirements based on operational needs during the term of the contracted period. This framework enables Conduent to apply real-time system monitoring metrics to anticipate and apply pre-determined contingency measures and resources to maintain system integrity should user demand change.
Usage notifications
Yes
Usage reporting
  • Email
  • SMS
  • Other

Analytics

Infrastructure or application metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Files
  • Databases
  • Virtual Machines
Backup controls
An agreed schedule is undertaken at the approved times, and different items can be backed up with different schedules
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Logical security controls will act as a boundary between the client network segments, Conduent networks and affiliates and the Internet. Typical logical controls deployed in Conduent contracts include the following components:
• Firewall traffic filtering
• Traffic analysis
• Intrusion detection systems
• VPN technologies
• Routing boundaries
• VLAN
• Logical access control
Data protection within supplier network
Other
Other protection within supplier network
• Directive Controls - These include management’s actions, policies and procedures. This will direct system availability, auditing, integrity and security of systems and data.
• Preventive Controls - Our practices, tools, techniques and operational standards provide quality and reliability and prevent unwanted events.
• Detective Controls - These controls monitor systems and data to ensure directive and preventive controls have been followed.
• Corrective Controls - Checklists, procedures and processes to take corrective actions compose these controls.
• Recovery Controls - Recovery controls include backups, logging, auditing, disaster recovery, contingency plans and business continuity plans.

Availability and resilience

Guaranteed availability
The overall availability of the system SHALL be at least 99%. Additional details can be found at: http://uptime.is/99.

The system SHOULD, however, be available overall at least 99.5% of the time. Additional details can be found at: http://uptime.is/99.5.

The system SHOULD be available from an individual component level at least 99.72% of the time. Additional details can be found at: http://uptime.is/99.72.
Approach to resilience
Available on request
Outage reporting
The Real-time Reports are designed to show overall statistical data and support drill-down to the lowest level to identify the cause of any error. There is also a view that shows operators their own errors. This view will show the image or image snippet, the error, the correction, the keying instructions for the field and auditor comments. All reports will be available in real time via secure internet sites and mails, and saved in a Share location (remote machine).

Identity and authentication

User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
“The network” includes security devices to restrict external access to the Conduent managed client networks and Conduent Corporate Network, restrict access between the Conduent Corporate Network and the Conduent Managed Client environments for user entities, and to segregate user entities within the Conduent Managed Client environment. The Conduent network architecture is designed to mitigate risks from public “untrusted” networks as well as limit access from inside "trusted" networks through secure configurations on routers, firewalls, and secure Virtual Private Network (“VPN”) devices.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
AuditScripts
ISO/IEC 27001 accreditation date
01/10/2019
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Reciprocity Labs
PCI DSS accreditation date
01/01/2020
What the PCI DSS doesn’t cover
N/A
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
All Conduent business and technology managers must ensure their units, at a minimum, meet all applicable requirements in the Conduent Information Security Policy (InfoSec001).
The Conduent Information Security Office (CISO) is led by Linda Angeles, Chief Information Security Officer. Their mission is to establish and execute an information security program that partners with the business in delivering secure and compliant solutions, services, platforms and infrastructure.

The Conduent Information Security Office has different dedicated teams to ensure the security and privacy of Conduent clients' data. The different CISO teams are responsible for Risk Assessment, Internal Security Audits, Cybersecurity, Privacy and others. Conduent also has a technology division supporting security initiatives based on internal and external requirements.
Security Incidents will be managed in order to mitigate and minimize exposure to Confidential Information stored or processed on Conduent Systems. Each business unit and location will respond to and report Security Incidents in accordance with Conduent Incident Reporting and Crisis management policies and, where applicable, location-specific procedures and client requirements.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Formal change management policies and procedures have been documented and outline the guidelines for making changes to system software, including system patches and updates. Requests can only be initiated by the customer, the Business Analyst, or the Business Unit Manager and are formally documented using a standard form. The standard change request form includes a description of the change, change risk, expected impact of the change, pre-implementation testing, post-implementation testing, back out plans, planned start date/time, implementation approval, and installation instructions. Requests for additions, deletions, and changes to the network environment are made in accordance with our change management process.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our services risk management process incorporates more than two decades of industry-leading worldwide expertise in customer service relationships plus external benchmarking. This discipline allows us to proactively identify and manage events or conditions that threaten achievement of your business objectives. At the highest level, this process follows a five-step iterative approach.

The form includes a description of the change, change risk, expected impact of the change, pre-implementation testing, post-implementation testing, back out plans, planned start date/time, implementation approval, and installation instructions. Requests for additions, deletions, and changes to the network environment are made in accordance with our change management process.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Production assets are protected against intrusion and virus attacks, and proactive monitoring is in place as well as automated notification of potential threats. Procedures are in place to ensure that any assets showing anomalies are quarantined from the rest of the platform until the threat is understood and eradicated.
Enterprise scanning for vulnerabilities is performed using the corporate standard for enterprise vulnerability scanning. A documented vulnerability remediation process is also in place where detected security vulnerabilities are remediated within a minimum timeframe based upon criticality of exposure, impending risk to Conduent system resources and data, regulatory and client contractual requirements.
Incident management type
Supplier-defined controls
Incident management approach
Each business unit and location will respond to and report Security Incidents in accordance with Conduent Incident Reporting and Crisis management policies and, where applicable, location-specific procedures and client requirements.

A new incident is logged online or via phone, a ticket is opened with a unique reference, and an impact level is identified. Dependent on the impact level, it may be resolved at first line, where the ticket is closed and the incident is resolved. However, there may be escalation required for second line support, where a secondary ticket level is opened and managed.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
https://www.microsoft.com/en-us/legal/compliance/energy

Pricing

Price
£70 to £2,000 a user a month
Discount for educational organisations
No
Free trial available
No
