Evolve

Pro-evaluate

Pro-evaluate is a SaaS solution offering two distinct modules: 1) the Audit & Compliance Module, which can be used across any function or area of business that requires regulating and must be compliant with a standard; 2) the Incident Reporting Module, which takes users through investigations arising from a regulation breach, near miss or accident.

Features

  • Unlimited, flexible and comprehensive question sets
  • Inspections and Audits for any business function or standard
  • Enables checking for GDPR, PCI, H&S compliance
  • Scheduling and Workflows
  • Task Management
  • Reporting and Analytics
  • Smart Forms
  • Root Cause Analysis
  • Anonymous Incident Reporting
  • Fully Configurable modules

Benefits

  • Audit anything to check it meets required level or standard
  • Allocate Audits to anyone, anywhere, promoting accountability
  • Track non-compliance
  • Identify areas of risk
  • Report and analyse data
  • Capture all incidents
  • Investigate and capture all evidence
  • Prevent serious breaches and incidents

Pricing

£8.75 to £99 per user per month

  • Free trial available

Service documents

G-Cloud 10

568740378347055

Evolve

Leanne Bonner-Cooke

0116 298 7460

sophie.watkins@evolve-consultants.co.uk

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints As a SaaS service we will have planned maintenance and scheduled releases.
System requirements None

User support

Email or online ticketing support Email or online ticketing
Support response times Critical - 2 hr response, 4 hr target resolution
Serious - 2 hr response, 8 hr target resolution
Moderate - 4 hr response, 2 day target resolution
Minor - 8 hr response, 5 day target resolution
Mon-Fri 8am-6pm GMT
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard support is included within the annual hosting fee, 9-5 Monday to Friday.

Extended support is provided dependent on requirements and is costed on a bespoke basis.

We provide access to a technical account manager.
Support available to third parties No

Onboarding and offboarding

Getting started We provide a managed set up service, and this can include on site training.
We have an online how-to guide to help users navigate their way through tasks and this is available to all customers via the service desk
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction We can provide an export of the database in raw format.
End-of-contract process At the end of the contract we return, destroy or permanently erase all data. We disable any and all licence access for the product.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service is a web responsive application that will work on desktop and mobile devices
Accessibility standards None or don’t know
Description of accessibility Accessible online with connectivity to the internet, using computers, desktop and mobile devices.
Accessibility testing None
API No
Customisation available No

Scaling

Independence of resources Application is shared and fully load balanced across customers. Monitored by DevOps and capacity planned upgrades.
The SQL data store is independent for each customer ensuring they are fully insulated from demand elsewhere

Analytics

Service usage metrics Yes
Metrics types The tool has full auditability and fully configurable usage metrics as reports or dashboards. Service uptime, access, support metrics are all available.
Reporting types Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach The customer can run built in reports in the system. Customised reports can also be created at an extra cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF reports
  • Word
  • Excel
Data import formats Other
Other data import formats Evolve handle data upload for the customer

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Availability is based on the availability of Azure - 99.95%
Approach to resilience Available on request
Outage reporting Email alerts and a public dashboard

Identity and authentication

User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels All databases are firewall restricted to the application server requiring access and to a management VPN, which is authenticated via a central user directory with multi-factor enabled.

Access to these channels is restricted to staff as required.
Access restriction testing frequency At least once a year
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We follow best practice and aim to comply with ISO 27001, and utilise the security governance within Azure. We carry out regular security process reviews and risk analysis, and follow industry best practices, such as OWASP.
Information security policies and processes Development:
- only using vendor supported frameworks/tools
- code reviews & change management (all tracked)
- secure coding practices followed (regular training)
- regular penetration testing and review of live platforms

IT:
- all corporate machines running up to date anti-virus/malware prevention
- all email systems held in a secure cloud
- all core services accessed via controlled AD single sign-on

Reporting:
- monthly risk/security council to table any concerns with the outcome being decided by the council

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes to our services require an approved work ticket in JIRA; from software development to infrastructure changes. This approval mandates a 3rd party member to assess any security concerns.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Regular penetration testing, by a 3rd party company, of our externally facing services. Results reviewed in monthly security council meetings.

IT patch all systems on a monthly schedule.

IT check with https://www.cvedetails.com/ on a weekly schedule for applicable CVE information and these are referred up to the security council. Also checked are official lists for our key development frameworks, such as http://php.net/ChangeLog-7.php
Protective monitoring type Supplier-defined controls
Protective monitoring approach IT team check access logs for all infrastructure servers/devices every morning. Any suspicious activity is reported via a JIRA ticket and, if required, the senior management team is contacted directly for an emergency meeting.

All staff members have access to and are fully briefed on our incident process, which is to be followed by anyone who thinks there may be a security risk.
Incident management type Supplier-defined controls
Incident management approach All staff are briefed on and have access to our incident report process. We hold twice-annual incident drills whereby an incident is simulated.

Incidents are reported via JIRA on our internal service desk, or in the event of an IT outage on paper reports which are pre-printed and stored in the common office areas.

Once the impact of an incident is mitigated/resolved, a root cause report is drawn up by the relevant team and the security council & senior management are briefed. Any changes are put into an immediate change request.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £8.75 to £99 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial We offer one free trial for 30 days with a limited question set

Documents

Pricing document View uploaded document
Terms and conditions document View uploaded document