DEPSTA Limited

CONTORA | The Off-Payroll Compliance Framework

CONTORA provides a common framework for organisations to manage contracted out and off-payroll contingent resources outside of IR35.

Fully GDPR compliant, easy to use and highly cost effective, CONTORA captures project, statement of work, milestone, deliverable and approval information in a single, fully compliant off-payroll system.

Features

  • Real-time reporting of Milestones and Deliverables
  • Remote access via web or mobile app
  • Simple deployment - standardised compliance workflows
  • Unified System Integration
  • Feature rich and GDPR compliant
  • Provides full visibility across the entire resource supply chain
  • Fully Secure - two factor authentication
  • Alert mechanisms based on Machine Learning/Artificial Intelligence
  • Dashboard monitoring and alerting
  • Light touch application integration

Benefits

  • Off-payroll framework for outside IR35 and Fully Contracted Out Services
  • Pro-active compliance of project procurement & delivery
  • Simplified workflow with full supply chain transparency
  • e-signature integration for agile review and sign off
  • Provides data assurance for IR35 compliance and regulatory needs
  • Zero transaction loss - Blockchain and Quantum ledger audit trails
  • Visibility of MSA, SoW integrity and supplier performance
  • Cost effective and extremely powerful service engagement & delivery tool
  • Automated monitoring and reporting of project delivery & costs
  • Reduced costs and improved operational efficiency for contingent resource engagement

Pricing

£25 to £250 a device a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at paul.rossiter@depsta.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

637753882824653

Contact

DEPSTA Limited, Paul Rossiter
Telephone: 447889643582
Email: paul.rossiter@depsta.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Any platform or application capable of generating logs or data files.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
None. The solution is designed to be agnostic and easy to implement
System requirements
Can be installed on any machine

User support

Email or online ticketing support
Yes, at extra cost
Support response times
SLA driven

Bronze SLA - 24 hours (8/5)
Silver SLA - 12 hours (8/5)
Gold SLA - 4 hours (8/7)
Platinum SLA - 1 hour (24/7)
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Bronze
Silver - 8/7 12 hour response time
Gold - 8/7 4 hours response time with a technical account manager and support engineer available
Platinum - 24/7 1 hour response time with a technical account manager and support engineer available

Pricing based on volume
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Whilst the functional elements of the solution are logical, we conduct an introductory train-the-trainer session and provide documentation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
At the end of the contract we will extract all retained information and transfer it to the client by means of electronic storage.
End-of-contract process
At the end of the contract all data will be extracted and transferred to the client by way of electronic storage.

Data will still be accessible for a period of 1 month via the portal or mobile app.

Access to the portal and mobile apps will be retained for a period of 1 month, after which the licence will expire.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile app provides a real-time visualisation of data status and allows users to raise support tickets with all the necessary technical data pre-populated.

Users are able to drill down and analyse data issues before raising a ticket, using either the web service or the mobile app.
Service interface
No
API
Yes
What users can and can't do using the API
The API is currently under development and will be released in Q4 2020
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The service can be customised to collect any data the user requires in relation to an integration model.

The solution is configuration based, so once the service is set up, new services, applications, servers and data can be fully customised.

Scaling

Independence of resources
Our architecture manages and load-balances data volumes through a hot/cold architecture to maintain maximum performance.

Analytics

Service usage metrics
Yes
Metrics types
Number of users
Average time
Anomalies detected
Tickets raised
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export the data by way of CSV files
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Uptime = 99.9%

Depending on the service level agreement a 10% - 100% refund on the monthly fee for the period affected
Approach to resilience
Available on request
Outage reporting
Our service is designed to monitor outages and data disruption and, through resilience and by design, it is able to monitor itself and report status through the dashboard, push notifications and APIs.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Access control is managed through a combination of Active Directory and user privileges. Only data required for support and interface management is displayed to the user.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We are currently working toward ISO/IEC 27001 certification and our approach follows this standard.
Information security policies and processes
We are currently undertaking ISO/IEC 27001 certification and are following that standard.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
As part of the architecture roadmap we identify potential changes through Azure DevOps and conduct an impact assessment looking at all areas of the change including performance and security.

Only once the assessment has established that the change meets the required criteria for approval does it move into development, where, as part of the cycle, we test for vulnerabilities and performance. Each change is documented and notified to clients prior to release, with a test environment available for UAT.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
As mentioned previously, we assess every change for potential impact and try to address these as part of the design phase.

During the release phase we initiate a period of 24/7 hypercare, which monitors the solution in detail for a 2-week period.

We notify all clients of the forthcoming changes with details on how and where to report issues via the hypercare process.

We conduct regular research and are members of several threat communities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The tool itself is designed to monitor for loss or unauthorised acquisition of data and triggers an alert to the central team; because our monitoring is conducted in real time, we are able to react immediately.
Incident management type
Supplier-defined controls
Incident management approach
We have a monitoring and ticket process to report and manage incidents.

Each incident will result in root cause analysis and a fix, in an effort to prevent recurrence.

Where requested, we can provide clients with incident reports detailing the RCA.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£25 to £250 a device a month
Discount for educational organisations
No
Free trial available
No