Hanlon Software Solutions

Hanlon (SR) Case Management

Modular CRM to track client interventions addressing barriers to progression and helping jobseekers into employment, education and training. Employer engagement and vacancy management. Management of business support, grants, and loans. Community benefit, social value and Section 106 monitoring. Manage student work experience programmes. Programme funding management. Programme performance reporting and analysis.


  • Web enabled, multi-provider employability tracking system
  • Customer registration and e-signature. ESF and GDPR compliant
  • Customer assessment, profiling and progression analysis
  • Customer referral, intervention tracking and outcomes analysis
  • Virtual labour market. Employer engagement, vacancy management and skills matching
  • Business enquiries tracking and impact analysis
  • Real-time, flexible reporting using embedded pivot grids. Statutory reporting
  • Public facing portal, Employability and business development Content Management System
  • Community benefit and Section 106 tracking and reporting
  • On-line student work experience management


  • Connects customers, businesses, service providers to everyone's mutual benefit
  • Co-ordinate customer services across multiple providers saving time and money
  • Single customer registration reduces frustration and potential errors
  • Holistic customer record enables providers to work more collaboratively
  • Achieves positive customer outcomes more quickly through safe data sharing
  • Bulk email, messaging, mail-merge and SMS for easy contact management
  • Single, shared business record reduces unnecessary, repeated contact
  • Centralised, real-time reporting. Quick, easy and comprehensive
  • Flexible, simple reporting meets statutory requirements saving time and effort
  • Highly configurable data framework fits any programme, value for money


£75 per user per year

Service documents


G-Cloud 11

Service ID

570530154772350


Hanlon Software Solutions

Kevin Hanlon

0115 9590077


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • Broadband, 5G, 4G or 3G internet connectivity
  • System administrators require Remote Desktop Connection

User support

Email or online ticketing support Email or online ticketing
Support response times Response within 1 hour during office hours. Response at weekends is next working day unless special arrangements are agreed.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels All customers can access the following support functions:

activation of user licences;
access to a helpdesk via email and phone for advice and problem resolution;
remote, on-line support and user training;
help with data management, including bulk data updates and development of ad-hoc reports as and when required;
regular site visits to check on system usage, share best practice, discuss issues and deliver refresher training if necessary;
development and release of new software builds containing enhancements and modifications to meet the requirements of new and existing programmes. We aim to release at least four new software builds per year.
We do not set a limit on the number of helpdesk calls or emails per customer.

All of the above is included in the annual hosting, support and maintenance charge which is based on 17.5% of the system and software module charges.

Service Level Agreements are available covering our response framework and fault resolution
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide any or all of the following, depending on which are most appropriate to meet the requirements of the customer:

online, context sensitive help on the web forms within the application;
digital user manuals, including a quick guide;
onsite train the trainer;
onsite user training based on user roles - there is a training session for each module in the application - each session lasts a maximum of 4 hours and users can select, or be advised, which sessions are most appropriate for them based on their user role;
remote, online training.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction At the outset we agree an exit plan with our customers that includes options for data extraction. These include:

supply of a copy of all data in CSV format. The data is structured with master records, for instance client core data, with separate spreadsheets for sub records such as activities and outcomes, linked on the unique master ID, such as Client ID;
continuation of storage of the database on our servers for analysis and reporting purposes only, subject to compliance with GDPR.

Users can select whichever option suits their purposes best. Their decision is generally based upon the length of time beyond the contract end date that they have to report to funders. For ESF programmes, this could be up to 7 years. We have incorporated data redaction facilities into the application to enable extended reporting periods in order to remain compliant with GDPR.
End-of-contract process Customers generally purchase the Hanlon service to meet the requirements of a specific funded programme that has an end date. The end date of the contract for the Hanlon service is generally set to coincide with the end date of the programme. At this point the customer may decide that they have no further need of the service and request their data to be returned. However, many customers decide that the service meets the requirements of other programmes that they are running and therefore seek a contract extension with Hanlon so that they can continue to use the service. Many organisations have used the Hanlon service for over 10 years which has proved to be very cost effective for them.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Web pages within the Hanlon application are developed using Bootstrap 4 and are designed to be responsive. The layout of each page adjusts to fit the size of the user's screen, so the same page renders correctly on both PC / laptop monitors and mobile devices, such as tablets and mobile phones.
Service interface Yes
Description of service interface The service interface is configurable depending on the user's role. There is a side panel and breadcrumb navigation control providing access to user role specific modules and records within the application. Tabs are used to navigate to sub elements within
Accessibility standards None or don’t know
Description of accessibility All pages have large, clear headings and descriptions. Users can clearly see what element of a record they are on. The size of text on the system is in line with modern screen resolutions. Level A accessibility has been achieved for all elements with some achieving AA and AAA.
Users can change the system theme CSS which can bring various accessibility improvements, such as changing colours and increasing text size. Also, we will respond to individual user accessibility requests by creating tailored CSS rules for them that help to improve their experience of the system.
Accessibility testing We use Powermapper to test our web pages against the W3C accessibility standard.
What users can and can't do using the API Users can read data from the system (API v1). Users have read access only and cannot make any changes via the API. Authentication is handled by Hanlon using generated tokens which can be redacted as required.

The API can be used to export client, enterprise and vacancy data to external systems. In development is a facility to manage the importation of data from external systems.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customisation of the application is achieved by configuring settings and content within the system. Options include:

amend the data framework to capture the data users require on activities, interventions, outcomes, demographics, barriers to progression, support needs, aspirations and skills - to name just a few;

design the content and layout of client registration forms and assessments;

design employer and opportunity registration forms;
customise business profile options such as sector, size, accreditations and locations;

create personalised user dashboards;

design the content and layout of user reports.

Administrative tools are available within the web and Windows sections of the application. The tools enable users to customise the application as described above.

Users are assigned to system roles. Roles can be created with prescribed functionality. System administration is one of the elements of functionality that can be assigned to specified users.


Independence of resources We have built redundancy into our network to ensure applications are not adversely affected by high usage.
Network monitoring software alerts our support team to high CPU / memory usage.
Also, processor-intensive functionality, such as real-time embedded pivot grid reports, is first queued and then allocated a maximum percentage of server memory rather than being allowed to overload the server.
Long-running operations, such as GDPR redactions/deletions, are handled by web services.
We closely monitor memory and disc usage and our network can be easily expanded if required.


Service usage metrics Yes
Metrics types History of user log ins.
Date and user who created records in the database.
Email send logs.
Document send logs.
Record search and loading times.
Report and query processing times.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach There are two methods to export data:
1. Every aspect of data within the system is reportable and all reports are exportable. Users can apply criteria to data for reporting purposes so that only the data they wish to see comes back and they can also create their own report layouts. Each report is exportable in a number of formats, such as .PDF, .DOCX and .XLSX.
2. At no additional cost, our support team will create ad hoc data extracts to users' specifications. This option is included in our support service.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • PDF
  • DOCX
  • XLSX
  • HTML
Data import formats
  • CSV
  • Other
Other data import formats SQL

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability We aim to provide 99.95% service availability. The only exception is planned maintenance scheduled in advance and usually conducted out of normal working hours.

In the unlikely event of us failing to meet the above SLA (in any one month rolling period) the customer will be eligible for a credit. We'll refund 1 day's service fee for every hour that connectivity has been unavailable over the specified SLA, up to a maximum value of one month’s service.
Approach to resilience Our data centre has a 20MB fibre optic backbone supplied and managed by GTT Communication, and there is a 2MB ADSL backup line.

The data centre contains multiple web servers and SQL servers and clients can be moved on to any of these if required.

There are primary and secondary kit options at every potential point of failure.

There is an onsite backup to removable disc facility. Backups are scheduled to run automatically every evening. They operate on a fortnightly schedule, with the current week's backup discs held in a fire-proof safe onsite and the previous week's discs stored securely offsite by Iron Mountain.
Outage reporting Service outages are reported by email.

We are in the process of making an outage dashboard available externally.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels The MS ASP.NET Identity authentication framework is used to manage access to the web application. Active Directory is used for the Windows (RDP) application.
Two factor authentication is available on request.
Password changes require an access sent directly from the system via email.
User based privileges manage user access to certain parts of the application based upon their role.
Security settings are used to manage access to:
specific cohorts of clients, enterprises and vacancies;
specific information on client profiles, interventions and action plans;
documents and document types
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 14/01/2011
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our information security policies are detailed in our ISMS (Information Security Management System) and constitute the main element of our ISO 27001 certification, first achieved in 2011 and most recently re-assessed in November 2018.

Policies cover all elements of information security, including: risk framework, all aspects of assets, patch control, usage policies, staff (recruitment, induction, on-going training and leavers), data handling, documents, physical security, business continuity / disaster recovery.

Our system administrator creates a schedule of security compliance checks at the start of each year and produces a report for the operations director each month.

Our information security policies are reviewed each quarter and updated as necessary.

Staff are trained on their information security responsibilities as part of their induction and undergo refresher training regularly thereafter.

Posters are displayed throughout the offices reminding staff of their responsibilities.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Firstly, Team Foundation Server (TFS) is used to manage the cycle of build development, testing and roll out. TFS allows us to assess and document data security risks associated with each new build.

Both new software developments and infrastructure enhancements are subject to risk analysis prior to implementation. The three elements of Confidentiality, Integrity and Availability are assessed. The risk plan assesses likelihood and potential impact for each scenario with options for mitigation, before arriving at a decision on whether to proceed.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Firstly, within our BCM we maintain a risk register with impact assessments.

We also use various tools to monitor our system. ManageEngine network monitoring software is deployed on our servers. This reports any issues to our system administrator.

In addition, application and network penetration testing is carried out regularly by our own team and once per year by an external, fully accredited company.

Virus protection is managed by Windows Defender on the servers and Bitdefender on stand-alone devices.

Security patches are deployed as soon as they are available, or at least once per week.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Monitoring software is deployed on servers and stand-alone machines. An email is automatically sent to the system administrator if potential compromises are identified.

In addition, we perform our own internal tests on a monthly basis. Application testing leading up to the release of a new software build is far more intensive.

External penetration testing is also used to identify potential compromises.

The response to an incident is dependent on its nature, but all would be treated as a priority.

We have a documented Business Continuity Plan, available to staff, that provides guidance on how to deal with incidents.
Incident management type Supplier-defined controls
Incident management approach Some incidents are emailed directly by the application to a Helpdesk folder. Users can also report incidents to our Support folder.

Each incident is logged on our ISMS and assigned a status, priority and a support team member.

Users are notified that the incident has been logged and provided with a resolution date/time.

The operations director checks the incident log daily and ensures deadlines are being met. One of the business KPIs is the response time for incident resolution.

Incident reports are provided on request. We are developing a feature on our web site to allow users to download reports.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £75 per user per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Users can experience the current system build containing demonstration data for up to four users and for up to four weeks. They have unlimited access to the support / helpdesk during this time.
Link to free trial Www.hanlon2019.hanlonsonline.co.uk
