TWME8 Limited

iRIS Health Simulation Authoring Platform

iRIS is a unique web-based platform to help you design high quality health simulation scenarios and offer the best learning experience possible, as well as helping you get the best value from the investments you have made in manikins and other resources.


  • Standardised web development template for simulation scenarios
  • Step by step template and guidance to improve quality
  • Collaborative authoring
  • Develop a centralised repository of simulation scenarios
  • Sharing of simulation scenarios across departments and organisations
  • Access with any web browser on any device


  • Ensure scenarios are developed in a standardised, high quality manner
  • Reduce the time required for designing scenarios
  • Reduce the time and effort required to train colleagues
  • Build engagement with a wider range of clinicians
  • Drive interprofessional collaboration/sharing of content with other simulation professionals


£250 per user per year

Service documents

G-Cloud 11


TWME8 Limited

Gary Taylor

07976 908934

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements None. Only a web browser is required

User support

Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support is included to the administration team of iRIS. This is typically managed remotely. Onsite support is available from a consultant at a cost of £850 + VAT per day plus expenses at cost.
Support available to third parties No

Onboarding and offboarding

Getting started Each client signing up to iRIS receives support from the Product Management Team through a series of online inductions. This includes supporting the client in the development of their first scenarios.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction All scenarios can be exported as Microsoft Word files
End-of-contract process At the end of the contract, exporting of scenarios is included. Contracts may be renewed. All access to the solution will be revoked on the date of expiry, but data will not be permanently deleted for a period of 90 days, to allow late renewal if required.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None. iRIS is built using a responsive design.
What users can and can't do using the API IRIS utilises Microsoft SharePoint meaning that the SharePoint APIs are available to access the information held. This means that integration with other solutions is possible and we are happy to explore with clients.
API documentation No
API sandbox or test environment No
Customisation available No


Independence of resources IRIS is held on virtual servers with Rackspace to ensure that the solution can be easily scaled as required.


Service usage metrics Yes
Metrics types Metrics can be requested by clients to understand which users have accessed iRIS. The system automatically records and notifies teams of content changed by team members.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Scenarios can be exported by the user as Microsoft Word files
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability The target for 24/7 Service Availability is 99.00% of the time in any given month. The target for Service Hours availability is 99.5%.

Downtime exists when all or a significant number of customers are unable to access the application and is measured from the time the issue ticket is opened until the downtime condition as defined here no longer exists.

Service hours for this service are 8.30 to 17.30 on normal business working days (excluding bank holidays and public holidays).

Contract terms may be renegotiated if we fail to meet this level of availability.
Approach to resilience IRIS is hosted by Rackspace, within their SharePoint Cloud.

Rackspace are a Tier 4, ISO27001 compliant datacentre in the UK.

The technical resilience of the service is supported through:
• Use of an established data-centre, Rackspace, registered to ISO27001
• Multiple data-lines and ISPs to the data-centre
• High specification Cloud server for the application and data.

Each night an image of the whole server is fully replicated to a second virtual server so this can be fully restored to another virtual server. This is an automated process.

Each Sunday, an image of the whole server is fully replicated to a third virtual server so this can be fully restored to another virtual server. This is an automated process.

At any point in time there are therefore two complete images of the server
– a daily and the most recent weekly image. These two methods provide a
robust and secure backup process should a rebuild of the services ever be

Prior to software upgrades we take a full backup of the SharePoint Farm.
This enables complete recovery of a previous version if required.
Outage reporting Clients will be notified of an outage by email from our support team in the event of any problems. We will always strive to rectify problems as soon as possible.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication We utilise SharePoint Claims Authentication
Access restrictions in management interfaces and support channels Support is given to administrators only and identity is confirmed via security questions.

Management interface access is restricted through a permissions model incorporated into the iRIS solution. Access is via username and password using SharePoint Claims Authentication.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI accredited Rackspace. Certificate IS 636168
ISO/IEC 27001 accreditation date 07/10/15
What the ISO/IEC 27001 doesn’t cover N/a
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Visa accredited Rackspace
PCI DSS accreditation date 01/06/2009
What the PCI DSS doesn’t cover N/a
Other security certifications Yes
Any other security certifications

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security is included in all staff induction and regular briefings are held with all staff.

All staff credentials are recorded securely
Any breach is recorded in a security incident log
The log and improvement are reviewed quarterly
Information security policies and processes All information security is overseen by Alex Clark, Managing Director and Product Director in collaboration with Rackspace, our ISP used for hosting. Information security policies form part of all staff inductions. Any breach is reported directly to Alex Clark.

All client data falls into two categories
Restricted – disclosure causes significant risk to clients and/or TWME8
Private – disclosure causes moderate risk to clients and/or TWME8
We are responsible for ensuring the security of data held
Access to systems:
- Auto-secure of unattended workstations
- Auto-secure of TFS Server
- User Authentication for each Developer
- All code changes tracked
- All versions of code maintained
- Rackspace – RDP Autosecure

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach A defined SDLC process is followed. All tasks are tracked and managed via project management software. Strict quality guidelines are followed for all aspects of the solution development process including development, testing, code review, code management, etc. Code is managed and stored in Team Foundation Server with scheduled backups.

All client-driven change requests are controlled and managed using Vivantio, and Wrike is used for internal change requests. Before a client server update, backups are taken to ensure complete reversibility in case of any unexpected issues.
Regular daily and weekly cloud server backups are automated.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Logs are reviewed on a monthly basis to identify any potential threats. Should a vulnerability be detected, it is treated as urgent and prioritised over all other development, and hotfixes are issued as quickly as possible.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Logs are reviewed on a monthly basis to identify any potential threats. Should a vulnerability be detected, it is treated as urgent and prioritised over all other development, and hotfixes are issued as quickly as possible. Should an incident be identified or reported, we aim to respond to incidents within 4 hours.
Incident management type Supplier-defined controls
Incident management approach Whether incidents are internal or external, users are asked to complete our Incident Response Report Form, which is then added to our Incident Log. Information captured includes a summary, notifications made and action taken.
For each incident there is a post-incident analysis which generates lessons learnt. Processes are then updated accordingly.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £250 per user per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions