DEPSTA Limited

CONTORA | The Off-Payroll Compliance Framework

CONTORA provides a common framework for organisations to manage contracted out and off-payroll contingent resources outside of IR35.

Fully GDPR compliant, easy to use and highly cost effective CONTORA captures project, statements of work, milestones deliverables and approvals information in a single, fully compliant off-payroll system.

Features

• Real-time reporting of Milestones and Deliverables
• Remote access via web or mobile app
• Simple deployment - standardised compliance workflows
• Unified System Integration
• Feature rich and GDPR compliant
• Provides full visibility across the entire resource supply chain
• Fully Secure - two factor authentication
• Alert mechanisms based on Machine Learning/Artificial Intelligence
• Dashboard monitoring and alerting
• Light touch application integration

Benefits

• Off-payroll framework for outside IR35 and Fully Contracted Out Services
• Pro-active compliance of project procurement & delivery
• Simplified workflow with full supply chain transparency
• e-signature integration for agile review and sign off
• Provides data assurance for IR35 compliance and regulatory needs
• Zero transaction loss - Blockchain and Quantum ledger audit trails
• Visibility of MSA, SoW integrity and supplier performance
• Cost effective and extremely powerful service engagement & delivery tool
• Automated monitoring and reporting of project delivery & costs
• Reduced costs and improved operational efficiency for contingent resource engagement

£25 to £250 a device a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at paul.rossiter@depsta.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

637753882824653

Contact

Paul Rossiter
447889643582
paul.rossiter@depsta.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Any platform or application capable of generating logs or data files.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None. The solution is designed to be agnostic and easy to implement
• System requirements: Can be installed on any machine

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: SLA driven; ; Bronze SLA - 24 hours (8/5); Silver SLA - 12 hours (8/5); Gold SLA - 4 hours (8/7); Platinum SLA - 1 hour (24/7
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Bronze; Silver - 8/7 12 hour response time; Gold - 8/7 4 hours response time with a technical account manager and support engineer available ; Platinum - 24/7 1 hour response time with a technical account manager and support engineer available; ; Pricing based on volume
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Whilst the functional elements of the solution are logical we conduct an introductory train the trainer session and provide documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: At the end of the contract we will extract all retained information and transfer this by means of electronic storage
• End-of-contract process: At the end of the contract all data will be extracted and transferred to the client by way of electronic storage. ; ; Data will still be accessible for a period of 1 month via the portal or mobile app.; ; Access to portal and mobile apps will be retained for a period of 1 month after which the licence will expire

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile app provides a realtime visualisation of data data status and allows users to raise support tickets with all the necessary technical data prepopulated.; ; Users are able to drill down and analyze data issues before raising a ticket using either a web service or mobile app.
• Service interface: No
• API: Yes
• What users can and can't do using the API: The API is currently under development and will be released in Q4 2020
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The service can be customised to collect any data the user requires in relation to an integration model.; ; The solution is configuration based so once the service is set up, new services, applications, servers and data, can be fully customised.

Scaling

• Independence of resources: Our architecture is developed to ensure that the data volumes are managed and load balanced to ensure maximum performance through a hot/cold architecture.

Analytics

• Service usage metrics: Yes
• Metrics types: No of users; Average time; Anomalies detected; Tickets raised
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export the data by way of CSV files
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Uptime = 99.9%; ; Depending on the service level agreement a 10% - 100% refund on the monthly fee for the period affected
• Approach to resilience: Available on request
• Outage reporting: Our service is designed to monitor outages and data disruption and, through resilience and by design, it is able to monitor itself and report status through the dashboard, push notifications and API's

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
• Access restrictions in management interfaces and support channels: Access control is managed through a combination of Active Directory and user privileges. Only data required for support and interface management is displayed to the user.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We are currently working toward ISO27001 certification and our approach follows this standard
• Information security policies and processes: We are currently undertaking ISO27001 accreditation so are following this

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: As part of the architecture roadmap we identify potential changes through Azure DevOps and conduct an impact assessment looking at all areas of the change including performance and security.; ; Once the assessment has established the change meets the required criteria for approval only then doesn't it move into development where. as part of the cycle we test for vulnerability and performance. Each change is documented and notified to clients prior to release with a test environment available for UAT
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: As mentioned previously, we assess every change for potential impact and try to address these as part of the design phase.; ; During the release phase we initiate a period of 24-7 hypercare which monitors the solution in detail for a 2-week period.; ; We notify all clients of the forthcoming changes with details on how and where to report issues via the hypercare process.; ; We conduct regular research and are members of several threat communities
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The tool itself is designed to monitor for loss or unauthorized acquisition of data and triggers an alert to the central team - because our monitoring is conducted in real-time we are able to react instantaneously.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a monitoring and ticket process to report and manage incidents.; ; Each incident will result in root cause analysis and fix in an effort to prevent re-occurrence.; ; Where requested we can provide clients with incident reports detailing the RCA

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £25 to £250 a device a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at paul.rossiter@depsta.com. Tell them what format you need. It will help if you say what assistive technology you use.