RegulAItion Ltd

Self-Service Automated Guidance System

Our system allows institutions to answer questions raised by their customers or employees in an automated manner. Customers interact with our engine in free text and receive a response which is approved by the institution and auditable. Our system captures interaction data and connects to CRM systems through APIs.


  • natural language virtual interface with customers and employees
  • data classification
  • self-service automated advice/guidance portal
  • API integration with CRM
  • multiple languages
  • ability to add links, pictures, videos, tutorials
  • real-time customer interaction reporting
  • auditable system
  • white-label
  • integration of multiple internal departments' workflows and external partners


  • automate call centre interaction with customers
  • automate interaction with employees
  • full control of content, self-service immediate amendment and roll-out
  • capture all interaction with customers/employees in customised report
  • data can be captured anonymously while retaining full analytics benefit
  • classify data to be used with other intelligent systems
  • virtual call centre: reduce costs, increase accuracy


£100000 per unit

  • Education pricing available
  • Free trial available



G-Cloud 11

Service ID

702266192666032


RegulAItion Ltd

Sally Sfeir-Tait


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Our system is a white-label, cloud-based system. It can be licensed as a standalone system without connecting to a CRM. It is designed to connect to other systems through APIs. The time and effort required to roll out CRM integration depends on each institution's existing systems and workflows.
System requirements None

User support

Email or online ticketing support Yes, at extra cost
Support response times Support can be provided as per the customer's request. It will be priced separately.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Our system has 2 categories of users: the Institution (Expert Users) and its customers (Customer User). The Expert User will have a dedicated relationship manager included. If Customer User technical webchat is required, this can be provided at an additional cost.
Web chat accessibility testing To be provided upon request.
Onsite support Yes, at extra cost
Support levels Tiered system:
1- FAQs and documentation - Free of Charge
2- relationship manager - included in price
3- technical account manager - Variable depending on requirements
4- cloud support engineer - Variable depending on requirements
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide on-site training, video tutorials and user documentation.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Customer information can be extracted in JSON or CSV. Know-how can be extracted in JSON. We provide the data models for each.
End-of-contract process Data extraction and Cloud sanitisation are at an extra cost as these vary depending on the customer's requirements.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No differences in functionality or features. Only layout and design differences.
Service interface Yes
Description of service interface Service can be accessed on a standalone URL and through APIs
Accessibility standards None or don’t know
Description of accessibility General interface
Accessibility testing None
What users can and can't do using the API User Categories: Our system has 2 categories of users: Institutional User and Customer/Employee User. The Institutional User is divided into 2 types: Admin User and Expert User.

Admin User: Can create know-how 'flows' which look like decision trees using drag/drop and free text features. Can create/amend/delete/share/print/export flows. Is the only User that can 'publish' flows. Only published flows are visible to Customer/Employee Users. Can create/delete/change permissions of other users. Can test flows and amend them simultaneously. Can amend language to be shown to customers throughout the application such as disclaimers, pop-ups etc. Has access to customised Management Information Dashboard and analytics reports. Has a customised 'feedback' interface which allows him/her to interact with the intelligent NLP engine.

Expert User: same rights as Admin User except MI, ability to publish flows, ability to amend language relating to certain customer information. Has no 'feedback' interaction with the intelligent NLP engine.

Customer User: Interacts with the engine through an NLP 'search' feature. The customer interaction is a mixture of free text and predefined questions and answers (yes/no, more/less, 100/1000, choose one of the following). The customer receives a tailored response to his/her journey which is downloadable and connects him/her to follow-up information and actions.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Institutional Users have full control of the content/know-how they develop into our system. They develop their flows and what they would like their customers to see. This is a plug-and-play solution through free text and drag-and-drop. They can develop the know-how in any language (including non-Latin languages such as Mandarin or Arabic). They can create links, upload videos and photos.

All other features can be customised/tailored based on requirements of the client. To be agreed on a case-by-case basis.


Independence of resources The current architecture of the system is designed around the assumption that there are 1000 active users accessing the system simultaneously. User queries pass through a load balancer and onto a Kubernetes cluster that manages each query using micro-services. The system has been tested to handle these levels of demand, ensuring that the user response time for each query is the same. Further work is being done to improve and greatly scale this through the use of messaging queues (Kafka in particular). Additionally, the application stack has been designed to easily enable vertical and horizontal scaling if need be.


Service usage metrics Yes
Metrics types Our system includes a 'Reports' section which provides analytics on customer interaction with the system. Our system captures every interaction by Customer/Employee Users with the system. Tailored reports can be provided which show the 'top 10 flows' that Customer/Employee Users interacted with, times of interaction, drop-off points, duration of interaction, exact words that were used, etc.
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach We use Google Cloud or AWS depending on our customer's preference. Encryption is by default in both instances.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users receive JSON files
Data export formats Other
Other data export formats JSON
Data import formats Other
Other data import formats Free text multimedia (MP4/PNG/JPEG)

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Our system has different types of users and multiple features.

We use commercially reasonable efforts to make our services available for at least 99% of the time during any monthly billing cycle. If we do not meet the SLA commitments during a monthly billing cycle, we provide a Service Credit. Service Credits apply against future payments from the customer for the applicable service.

Service Credits apply differently to different types of services and users. They are calculated as a percentage of the total charges paid by a relevant customer.
Below is an indicative example of how Service Credits will apply.
- Service availability is less than 99.99% but equal to or greater than 99.0%: 10% Service Credit
- Service availability is less than 99.0% but equal to or greater than 95.0%: 30% Service Credit
- Service availability is less than 95.0%: 100% Service Credit
Approach to resilience The system has been designed to be integrated deeply with the resiliency and scaling mechanisms of the given cloud provider. Load balancers have been used to monitor servers and distribute traffic to servers that can best handle requests, additional virtual machines are placed on standby and a robust storage solution has been implemented. For example, GCP's “Autoscaler” feature has been used to provide a robust scaling mechanism to automatically configure, manage dependencies and start handling requests when there is added stress on the system. This is true for the databases as well through the use of GCP's “Cloud SQL” feature. Additionally, instance health checks are implemented to monitor, notify and automatically replace potentially unhealthy instances.
Outage reporting Email alerts and dashboard

Identity and authentication

User authentication needed Yes
User authentication Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels There is role-based access control within the system. Therefore users who are not intended to access management interfaces cannot do so.
Access restriction testing frequency At least every 6 months
Management access authentication Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards CSA CCM version 3.0
Information security policies and processes Our information security framework follows the below principles. We have a board level individual (Security Officer) who is responsible for Information Security. Escalation procedure includes reporting to our CEO and Security Officer.
1. Information is classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
2. Persons with particular responsibilities for information must ensure the classification of that information, must handle that information in accordance with its classification level and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
3. All users must handle information appropriately and in accordance with its classification level.
4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
5. Information is protected against unauthorised access and processed in accordance with its classification level.
6. Breaches are reported in accordance with policy.
7. Information security provision and the policies that guide it are regularly reviewed, including through the use of annual internal audits and penetration testing.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach At a technical level, configuration management is currently managed via a tool called Saltstack. It is supported by the cloud provider, GCP, and has a number of compliance policy profiles based on CIS. The tool enables continuous item-level policy checks to locate non-compliant sub-systems within the environment and, by way of automatic enforcement, fixes violations or kicks off the configured remediation workflows.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerabilities are detected via the Cloud Security Scanner tool that identifies risks in the App Engine, Compute Engine and Kubernetes Engine. Any vulnerability alarms raised are treated as severe and resources are deployed to correct them as soon as possible. Any true positives and negatives are then assessed at once, and security patches are consequently deployed. Most patches are deployed within a day from the time of threat identification.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The Cloud Security Scanner also identifies potential threat vectors. Any flags raised are assessed and, depending on their potential severity, are either addressed in a subsequent sprint or escalated to be addressed at once in accordance with the customer SLA.
Incident management type Supplier-defined controls
Incident management approach Incidents are managed through the ITIL incident management workflow. Once identified, they are logged and categorised. Categories include hardware, software and security. These are then prioritised and then managed through response and diagnosis. Incidents are escalated in accordance with policy and then resolved. The problem and the course of action taken are then documented. Incidents can be reported via the platform.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £100000 per unit
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The entire system is provided for a free trial period of 30 days. All features of the system can be viewed and tested. Customisation of features, integration with existing customer systems, branding and support are not included.
