Capita Business Services Limited

Capita One Education

Cloud Service for One Education helps your teams work more efficiently, so you can invest your time and resources in improving the lives of children and families. It provides a clear picture of a child or family’s circumstances, giving you the information you need to intervene early and improve outcomes.


  • Capita One Education provided as a complete software-as-a-service
  • Availability, Capacity, Security and Performance managed by Capita One
  • All Software updates, technology refreshes, patches and continuous improvements
  • Monitoring of school attendance, attainment and achievement
  • One Education is a single comprehensive record of children and families
  • Online portals for parents
  • Wide range of functionality as standard and as options
  • Flexible pricing models available
  • Supports effective administration of services
  • Azure underpins the Service building upon Microsoft accreditations


  • Migration to Cloud service (onboarding)
  • One price for complete service giving budget certainty
  • Immunity from technology changes
  • Can focus on improving lives of children and families
  • Supports safeguarding of children across your Authority
  • Allows delivery of targeted support.
  • 24*7 Service availability
  • Can monitor the performance and outcomes for vulnerable children
  • Supports efficient team working with time-saving solutions
  • Supports early intervention and improved outcomes in your Authority


£13737 per instance per month

G-Cloud 10


Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Capita One Education forms part of the Capita One portfolio of software services delivering comprehensive solutions across the Public Sector and Housing Association marketplace.
Cloud deployment model: Private cloud
Service constraints: One Education will provide at least 99.0% availability during supported office hours, defined as 08:00 – 18:00 Monday to Friday, excluding English public holidays and scheduled downtime. Scheduled downtime covers tasks including, but not limited to, new releases (software upgrades) and server patching. In cases of unscheduled downtime for emergency changes, we will endeavour, but cannot guarantee, to complete work outside normal office hours (09:00 – 17:30 Monday to Friday).
System requirements:
  • Compatible access technology as identified in this response.
  • Users need to be members of the Authority’s Active Directory.

User support

Email or online ticketing support: Email or online ticketing
Support response times: The majority of communication from us will be in the form of updates added to My Account. For P2 or higher priority incidents, we will aim to call you in the first instance. We aim to make our initial response to cases based on their priority:
Response times are based on working hours: 08.00 – 17.30 Mon – Thurs, 08.00 – 17.00 Fri.

High Severity (must be logged by telephone): Response within one working hour (30 minutes for critical issues).
Medium Severity: Response within four working hours.
Low Severity: Response within two working days.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Support requests can be logged with the Capita One Service Desk by telephone or online using our My Account facility. Access to the My Account system is available 24/7/365. Access to the knowledge base can successfully assist you with resolving an issue without the need to log a call.

Response times are priority based and our aim is to meet and exceed the response times outlined in the Capita One Support Charter 2018 and to deliver excellent customer service.

P1 incident response is by telephone within 1 hour (30 mins for critical issues) and lower priority responses are typically under 8 hours. Additionally, the Hosted solution includes all application version upgrades including hot fix, service pack and major version changes. Ownership of problems is from initial problem determination through to resolution of the issue and restoration of service.

The standard level of support is included with the monthly service charge.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Capita recognises that transition of a service to and from a new solution presents potential business risks. To reduce risk, a Technical Project Manager will help you assess your business needs and provide an overall solution design before onboarding takes place.

This process will provide a transition plan for setting up the services, reducing risk, ensuring clarity of tasking and maximising uptime. Capita will work to support the applications and database installation.

For end users of the service there are options for on-site training, online training (often via webinars) and extensive online user documentation.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: The off-boarding process is intended to provide a complete set of data back to the Customer and the eventual closing down of the hosted infrastructure. The One data will be transferred in standard Oracle Database format and standard SQL Server database format following secure file transfer protocol within 14 days of the termination of this hosting agreement.

The process to prepare the data is essentially the same as that of the onboarding process where all of the data and associated files will be provided to the Customer. Infrastructure components will not be provided as part of the process.
End-of-contract process: At the end of the Contract, following the off-boarding of data, the infrastructure managed by Capita will be decommissioned and all data held within the One product will be securely deleted. If applicable, any non-shared hardware will be securely disposed of. The extract and removal of data and decommissioning form the basis of the Exit Plan included in the services. Additional services can be provided at additional cost.

Using the service

Web browser interface: Yes
Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems:
  • Android
  • iOS
  • macOS
  • Windows
Designed for use on mobile devices: No
Accessibility standards: None or don’t know
Description of accessibility: Users can make use of desktop-based accessibility features, e.g. magnifier.
Accessibility testing: None - We do not currently test using assistive technologies or with assistive technology users.
What users can and can't do using the API: The Hosted service itself does not have a web interface. As such, there are no automation tools that work with our service.

The One products available to the end users do have an API Service which is read-only. This API covers the following modules/areas:
Students, Bases, Involvements, CSS, SEN, Attendance, Exclusions, Attainment.
API documentation: Yes
API documentation formats:
  • PDF
  • Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The service itself may be customised in various ways by the inclusion of optional services and software.

The Capita One Education software itself can be customised by authorised users to adapt the operation of the software to the specific needs of an individual local authority.


Independence of resources: The technical solution provides for application software that is not multi-tenanted; each customer has their own dedicated application instances and isolated databases, meaning that other instances will not have a negative impact on your implementation. Shared services and resources are also part of the system, but automated systems and the ability to scale out resources within minutes protect performance and availability.


Service usage metrics: Yes
Metrics types: These can include
  • Infrastructure metrics, e.g. CPU, disk, memory, number of instances.
  • Backup reporting.
  • Security/Threat reporting.
  • Patching reporting.
  • Custom reporting agreed with individual customers.
Reporting types:
  • Regular reports
  • Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach: All data is stored encrypted at rest. Access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimising standing access to production data, and other controls.
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users may export data in standard Oracle Database format and standard SQL Server database formats and via use of the relevant database or reporting toolsets.
Data export formats: Other
Other data export formats: Determined by the relevant database technology and associated reporting toolsets.
Data import formats: Other
Other data import formats: Data imports are via supplier facilities supporting multiple formats

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network: The hosting platforms are designed to be compliant with the UK Government cloud security principles and are tested annually for defects against this standard. We use TLS 1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA256 bit encryption.

Availability and resilience

Guaranteed availability: Capita One Education shall provide at least 99.0% availability during supported office hours, defined as 08:00 – 18:00 Monday to Friday, excluding English public holidays and scheduled downtime.

Scheduled downtime covers tasks including, but not limited to, new releases (software upgrades) and server patching. In cases of unscheduled downtime for emergency changes, we will endeavour, but cannot guarantee, to complete work outside normal office hours (09:00 – 17:30 Monday to Friday).

The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
Approach to resilience: Capita One Education is provided from a world-class private cloud platform with proven reliability and resilience at the core of the platform.

The Capita One Education service makes active use of high availability, resilience and disaster recovery features, across multiple UK regions, and availability zones.

Additional information is available upon request.
Outage reporting: Service outages are communicated in differing ways dependent on the magnitude of the service outage. For a multi-customer service outage, email communications will be sent out to all customers advising the status of outage with regular updates on progress as well as a status message being provided on the Home Page of the online ticketing system. A service outage that affects a single customer will be communicated both by email and by telephone. Historical outage reporting is provided as part of the quarterly service review pack as well as being available at an individual Customer level via the online ticketing system which offers an on-demand view of this.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.

Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Support Desk are encouraged to register on the Support Portal. If Customers contact us by telephone or email, their details are matched to an existing registration. If none exists, they are either asked to register or, if appropriate, the details of their call are linked to a colleague who is registered.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Cloud service hosting certified by BSI.
ISO/IEC 27001 accreditation date: Microsoft recertification date: 20/06/2017; Expiry: 19/06/2020.
What the ISO/IEC 27001 doesn’t cover: N/A
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: Microsoft dates: 20/06/2017 expires 19/06/2020.
CSA STAR certification level: Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover: N/A
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Our cloud service provider complies with many standards including CSA CCM v3.0, ISO/IEC 27018, ISO/IEC 27001, UK Cyber Essentials PLUS.

Capita has a significant number of Information Security Policies and Standards that cover ISO 27001 clauses and controls.

Further details on the comprehensive compliance offerings are available upon request.
Information security policies and processes: As part of Capita Business Services, we work to policies and standards that are aligned with ISO27001; these are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when staff complete their annual training they agree to comply with both Group and Business Unit Level policies.

Information Security staff as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.

Information Security is dealt with at all levels of the business including at the Business Unit, Divisional Unit and Capita Group.

The maintained ISMS Management Policies include:
  • Acceptable Use Policy
  • Access Control Policy
  • Compliance Policy
  • Data and Asset Management Policy
  • Information Security Management Policy
  • Mobile Working Policy
  • Personnel Policy
  • Physical Security Policy
  • Risk Management Policy
  • Systems Acquisition Development and Maintenance Security Policy.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Capita maintains the assets which make up the solution using ITIL v3 incident, problem and change management processes which align to the ISO27001 standard. No configuration items are added or changed without the appropriate review and backout planning to ensure that the risks and impact are appropriately managed prior to delivery of the change into live.
Vulnerability management type: Undisclosed
Vulnerability management approach: Capita has a significant number of Information Security Policies and Standards that cover ISO 27001 clauses and controls to triage vulnerabilities. Capita will monitor security alerts from various sources such as Secunia, NIST or GovCertUK and will assess the patches that are released by operating system suppliers and software vendors. All patches are graded Critical, Recommended or Low. The grade of the patch will determine the timescale in which a patch will be installed. Critical patches will be installed at the next available opportunity. Automated vulnerability and threat detection services will also be employed.
Protective monitoring type: Undisclosed
Protective monitoring approach: Incident Response methodology:
  • Monitoring, control, communication
Nominated stakeholders will perform communication and data gathering with users.

  • Ensure the privacy of those affected
  • Report and document potential breaches of confidentiality to Governance and Compliance.

  • Ensure integrity of data is maintained throughout the lifecycle
  • Maintain a full inventory of the data tracking additions and amendments
  • Encrypt and store data securely.

  • Ticket with event description made for correspondence and reporting purposes.

  • An Incident Manager will own an event through its lifecycle
  • ISO27001 standards for accountability are reviewed for the lifecycle at each stage.
Incident management type: Supplier-defined controls
Incident management approach: We have a defined, approved and tested Incident Management process; the process has a list of example incidents that are designed to cover a wide range of scenarios. All staff are made aware of the incident reporting process and randomly tested for effectiveness.
Incident reports will be passed to relevant customers if there has been an impact to their environment or data.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No


Price: £13737 per instance per month
Discount for educational organisations: No
Free trial available: No

