Worktribe Ltd

Worktribe Research

Worktribe Research enables Higher Education Institutions and research institutes to: record and disseminate research opportunities; cost research projects; manage funding submissions; manage contracts; track project spend; record and manage project impact, outputs and rich researcher profiles, presented via our Open Access repository; and prepare their REF2021 submission.


  • Modular construction, covering full research life cycle including REF submission
  • Modules integrate to create fully consistent, coherent, single database system
  • Single sign-on integration via Shibboleth or Active Directory
  • Full control of user access and data visibility
  • Full fEC project costings using TRAC structure
  • Configurable workflow control of approvals processes
  • Project spend tracking with milestones etc.
  • Storage, submission and harvesting of research outputs
  • Recording of research impact, evidence and rich researcher profiles
  • Support for preparing your REF2021 submission


  • Coherent 'single source of truth' makes for consistent management reporting
  • Workflow ensures that approval processes are properly followed
  • Integration with external systems means all systems are synchronised
  • Modular approach means extra functionality can be added later
  • Full integration avoids inter-system mapping issues and re-keying
  • Relationships with external organisations can be seen 'in the round'
  • Consistent user-friendly interface reduces training needs and enhances uptake
  • Simplified project budget creation, approval and submission processes
  • Easier management of outputs, impact and researcher profiles
  • Data easily collected and scored for REF2021 submissions


£5950 per licence per year

Service documents

G-Cloud 10


Worktribe Ltd

Jon Hackney

0870 020 1760

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The system does require some configuration to accommodate each client's internal approvals processes. The configuration is performed during the implementation project, which under G-Cloud is termed the 'onboarding process.'
System requirements Users require a modern browser with javascript enabled

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Faults are categorised and resolved based on their priority:
• High (Service is not available, multiple users affected): 1 hour response, 4 hour fix/workaround.
• Medium (Intermittent fault causing great difficulty in using the service, one or more users affected): 2 hour response, 8 hour fix/workaround.
• Low (Intermittent fault but service is still usable, one or more users affected): 8 hour response, fix time by agreement on a case-by-case basis.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support No
Support levels Support services are included within the annual SaaS fee.

We provide remote support between 9am and 5pm Monday to Friday, excluding English public holidays.

Typical support arrangements for ongoing support and maintenance are that the client provides first-line support in-house, with Worktribe providing second- and third-line support via our UK-based helpdesk.

Support requests are submitted to Worktribe using our online tool or, in exceptional circumstances, via email. Regardless of the channel through which the request is raised, a ticket is created on our portal to track the request through to resolution.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Worktribe immediately provide 3 environments as standard: Test; Train; and Live.

The implementation process then consists mainly of: onsite training for the client's project team; workshops to define the client's approvals processes; configuration of the system to accommodate the agreed approval processes; client staff setting up the base data (client-specific lookup lists, for example); client staff setting up integration links with their other systems (typically HR, finance and website CMS); importing legacy data (optional); testing; client staff training the wider user base; and go-live. The following documentation is provided: User guides; Administrator guides; API documentation; data import documentation; documentation guidance on use of templates for documents containing Worktribe data.

Worktribe provides a project manager and an account manager. Support is provided from the start, and regular progress meetings are held. The key determinant of implementation speed are the readiness of the client and the client's assigned resources. As the system is already in wide use, the implementation process has become streamlined and fairly straightforward.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • The API documentation is embedded within the system.
  • Guidance on data imports is also embedded within the system.
  • Guidance on using templates is also embedded within the system.
End-of-contract data extraction Clients may extract their data using the following methods:

1) Using the Worktribe API, which is comprehensive and exposes all user data.

2) Using the SQL data extract, which is provided as part of the Worktribe service. This extract is normally provided on a regular basis for input to the client's Business Intelligence or other corporate reporting system, but may also be used as a data source at the end of the contract.
End-of-contract process The costs of the end-of-contract process are included within the normal annual SaaS charge. The process is:

Some months beforehand, client and Worktribe to agree dates for trial data extracts and uploads to new system, and for final data extract.

On each extract date:
* All users (including system administration users) to be logged out at a previously-agreed time.
* Worktribe to shut down all user access to the Worktribe system.
* Client to perform whatever extracts they need via the API.
* Client to test the outcomes (including imports to the replacement system).

After the client has performed the final data extract:
* Worktribe to delete all copies of the client’s research-related data from its systems, no matter how old, or where held or in what format. (This may require destruction of physical media.) Worktribe to inform client in writing when deletion is completed.
* Worktribe to retain data regarding business contacts between the client and Worktribe, and commercial data regarding the relationship, subject to the limitations of the Data Protection Act or equivalent(s) then in force.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing We use the Web Accessibility Versatile Evaluator (WAVE) tool to assist in our accessibility evaluations.
What users can and can't do using the API Worktribe's comprehensive programmatic REST API has HATEOAS features. This is our preferred method for integrating with your other systems.

Typical API uses include: loading legacy data; receiving HR data (including salary data) from your HR system; integrating with your finance system to synchronise budget codes and receive 'actual spend' data; integrating with your web site CMS to expose researcher profiles and research outputs.

The REST API exposes all data entities to full CRUD (Create, Read, Update, Delete) operations, and is fully under the control of the client.

The integration mechanism consists of responding to authenticated HTTP commands sent by external applications. This means that creation, reading, updating and deletion of records within the Worktribe system by external applications are performed using the appropriate POST, GET, PUT and DELETE commands. Data is exchanged in JSON format.

The system also includes an event driven 'subscription' system. This means that the client is able to have both 'push' and 'pull' integrations.

API-based interactions between the Worktribe system and the other systems may be managed by your own ‘integration layer’ or ‘middleware layer’. This is a flexible, ‘loose coupling’ approach to integration.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The Worktribe Research system is provided as a package, with the following customisable/configurable aspects:

1) Clients can maintain their own specific lookup lists (e.g. organisation structure, salary scales, lists of journals and publishers, tags of all types, report templates, and so on).

2) The system's workflow is configured to accommodate the approvals processes for each client. This configuration is done during the implementation project, called the 'onboarding process' under the G-Cloud framework.

3) The system can also accommodate client branding. The login screen, home screen, research portal, downloadable PDF reports and those produced using the template functionality can include the client's logo, although the Worktribe colour scheme is fixed. Any logo needs to be supplied by the client as an image file.


Independence of resources We run a mixture of physical hardware and virtualised systems that give us the best balance of performance and redundancy, using load-balancers and private cloud systems for dynamic scaling. All virtualised systems are single-tenanted (i.e. clients do not share virtual disks or machines).


Service usage metrics Yes
Metrics types The support portal includes provision for client reports and data exports to be created at any time, so that performance against SLA is completely transparent.

Each client has their own preferred service KPIs, so we would be pleased to discuss which KPIs would consider to be most appropriate for your installation. Examples include:
• Uptime%
• Number of support tickets per month
• Average issue resolution time
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users may export data from the Worktribe system in JSON format via the API.

User-specified report datasets may also be exported in CSV and Microsoft Excel formats.

The Worktribe system also enables export of data directly into documents, using the mail-merge features of Microsoft Word. Clients may create many Word templates which retrieve the required data from the Worktribe system automatically and present it as part of the resulting document.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON (via the API)
  • Microsoft Excel
Data import formats
  • CSV
  • Other
Other data import formats
  • Microsoft Excel
  • JSON (via the API)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Our standard availability is 99.8% uptime. The Worktribe Service Level Agreement includes provision of service credits if availability drops below 99.8%, but this has never been invoked.
Approach to resilience We use virtualized servers and redundant disks that give us a high level of availability and resilience at our hosting provider. This maximises uptime and minimises the risk of system loss.

We take hourly encrypted backups to local backup systems at our primary secure host. These encrypted backups are themselves immediately backed up to a second secure hosting site, as a precaution against failure of both the system and backup at the primary host site.

In the event of disaster, we will trigger the restore from backup, prioritizing the database load. Any restoration of data from backups is performed by our in-house staff.

Worktribe uses automated provisioning software that enables us to quickly rebuild systems at a disaster recovery site. If we initiate the offsite recovery (e.g. if all network connections to the primary host were severed, with predicted downtime of hours or days) we can be up and running at the disaster recovery site within hours.

We regularly test our backup systems, both offsite and onsite. In practice we temporarily clone and restore live systems for testing and support, so the system is in constant use. The frequency of testing, for various reasons, approaches weekly.
Outage reporting The situation is presented on each client's support dashboard provided by Worktribe, so it is immediately visible to the client.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication The Worktribe system supports Shibboleth IDP v3, via the UK Access Management Federation. This provides Single-Sign-On functionality, and is our recommended authentication mechanism.

The Worktribe system also includes built-in Active Directory identity management integration (using LDAP over SSL) for authentication, and optionally to determine permission group membership.

For Active Directory authentication, the application accepts the credentials (over HTTPS) in a standard login form and passes these onto the Active Directory, asking to authenticate the user. This enables users to be authenticated using their standard Active Directory credentials.
Access restrictions in management interfaces and support channels There is no management interface available to client personnel or to hosting suppliers. Access to servers for management purposes is tightly restricted to just a few individuals within Worktribe.

For our own support personnel, access to client data is controlled by public key authentication rather than by password. The 5 staff authorised to access client data have individual keys, and the authorised set is controlled by our provisioning systems. Alternatively, the support personnel can ask the client to grant access, which of course leaves the usual in-app audit trail.
Access restriction testing frequency At least once a year
Management access authentication Public key authentication (including by TLS client certificate)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI Assurance UK Limited
ISO/IEC 27001 accreditation date 27 March 2018
What the ISO/IEC 27001 doesn’t cover Secure hosting services are not covered by our ISO27001 certification, but is covered by that of the secure hosting suppliers we use. We only use hosting suppliers who are ISO27001 certified.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The Chief Information Officer (CIO) is an Executive Director of Worktribe, who ensures that:
• The Information Security systems are fully documented and implemented in accordance with ISO 27001:2013
• All employees are made aware of customer requirements and have the skills to ensure they are met.
• All employees are aware of the Information Security policy statements, and their role in the implementation of these. This is supported by provision of a Staff Security Procedures document on the company intranet, and frequent reminders on the intranet to keep security at the front of employees' minds.
• Management reviews of the performance and improvement potential of the Management System are regularly provided.

In practice, the CIO is also personally involved in the control of access to client data, which can only be obtained through explicit and time-limited permission, and is only granted to a few staff. Access to client data is also tracked through use of individual keys, so that each access can be traced to a specific individual.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All software is based on the secure Worktribe platform to minimise security risks. Each software release and each build within each release is uniquely identified. Each new release is tested before publication. Requests for new and amended functionality are normally discussed using our on-line user group forum. Those gaining sufficient support are discussed at formal user group meetings. Further specification refinement may then take place in special interest group meetings, so that new features embody best practice. The new functionality is then embedded into our road map, and provided as part of our planned release schedule.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our systems are hosted in a private cloud with secured access, so the server environment is tightly controlled. We receive the security patch streams for Ubuntu LTS (the operating system on our servers), which are installed automatically on our development systems, and we then patch production systems manually and promptly. Our DBMS is our own proprietary system which is stable and is guarded in several ways which prevent any unauthorised access. This prevents security attacks against the database. Also, user access permissions are enforced by the Worktribe platform at the lowest level of database access, so cannot be subverted.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use automated monitoring tools to keep a continual eye on the systems, and intervene immediately if we see any issues arising.

Our clients are often impressed with the speed with which we react to situations; no doubt you will ask our other clients about such matters.
Incident management type Supplier-defined controls
Incident management approach Users report incidents as support requests. If we ever had a data breach it would be accorded the highest importance and urgency, and escalated for immediate investigation by our most senior engineers, including the Chief Information Officer.

An integral part of our incident management process is frequent investigation progress updates by phone and email. For this purpose Worktribe maintains an 'In Case of Emergency' list which contains both phone and email details of emergency contacts within clients, to be used in the case of such an event.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5950 per licence per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑