One Plus One

Virtual Support Environment

The virtual support environment is a software service enabling a customer to build a support environment for their audience. It is labelled a 'support' environment rather than a 'feature-rich digital environment' because it includes specialist functionality to enable behaviour change, tailored content related to personal goals, precise user data collection and private communication.

Features

  • Expert and user posts with comment functionality
  • Live chat (group and 1-2-1) + chat booking system
  • Outcome / impact measurement tools
  • Interactives and Behaviour Modelling Training programmes
  • Bespoke CMS with admin controls
  • 2-party communication space with shareable outputs on/off-line
  • Goal setting and content tagging
  • Flexible framework for white labeling
  • Reminder and feedback functionality
  • Profile collectors and detailed usage reporting

Benefits

  • Multi device access
  • User friendly CMS
  • Allows for cost effective service scalability
  • Covered by technical support
  • Different levels of administrative controls
  • Self reporting and analysis tools
  • Convenient booking system
  • Self managed password reset functionality
  • Blocking capabilities to block spam and controversial posting
  • Multiple content formats to meet different needs

Pricing

£5000 per licence per year

  • Education pricing available

Service documents

G-Cloud 10

706465972669674

One Plus One

Verity Glasgow

020 3096 7871

verity.glasgow@oneplusone.org.uk

Service scope

Service constraints: Software repairs and bug fixes may temporarily prevent or delay access. Notification would be provided to the customer with due notice as well as a time frame for normal service to resume.
System requirements:
  • Up-to-date browsers
  • An email account

User support

Email or online ticketing support: Email or online ticketing
Support response times: Responses depend on issue severity and are offered within the following timeframes: 24hrs, 48hrs, 72hrs. These time frames apply Monday to Friday.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels:
- Incident prioritisation: incidents are prioritised as P1, P2 and P3 according to desired priority levels for resolution (P1 - Major; P2 - Partial; P3 - Minor);
- flexible support packages to choose from, e.g. all-in capped support under an annual fee, or ad-hoc support priced up per hour;
- an account manager is allocated to each contract.
Support available to third parties: No

Onboarding and offboarding

Getting started:
- both onsite and online training available;
- user manuals;
- an assigned account manager Mon-Fri.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: User data is available throughout the licence agreement and can be extracted to a degree by the customer. Custom data extraction may be requested and, with sufficient notice, can be provided before the end of the licence period.
End-of-contract process: Data analysis is a service that can be provided at an additional cost if required by the client.

At the end of the Licence agreement the client will be entitled to all data captured throughout the Licence agreement period.

Any data requests outside of the Licence agreement are charged at a fee and require a notice period.

Using the service

Web browser interface: No
API: No
Command line interface: No

Scaling

Scaling available: No
Independence of resources: The service has been built to scale. Through frequent monitoring, testing and through direct and indirect feedback, this can be ensured. Robust quality assurance processes.
Usage notifications: Yes
Usage reporting: Email

Analytics

Infrastructure or application metrics: Yes
Metrics types:
  • Number of active instances
  • Other
Other metrics:
  • Analytics of user traffic
  • User profile data
  • Interactive data
Reporting types: Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type:
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up:
  • Content database
  • User profile database
  • Administrative files and settings
Backup controls: Backups are controlled by the supplier.
Datacentre setup: Single datacentre
Scheduling backups: Supplier controls the whole backup schedule
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The Virtual Support Environment will be available 24/7. Downtime is unlikely given the AWS datacentre but any downtime will be recorded and compared against recognised standards and managed appropriately.
Approach to resilience:
- Access to the server is via SSH, using public/private keys, and is locked down by IP address
- Database access is IP restricted and over a secure connection
- Data volumes attached to the server are encrypted using AES-256
- Backup snapshots are encrypted
- Website access is over HTTPS
- The WordPress site uses the Wordfence security plugin to help protect against issues within the WordPress site
- Email addresses in the database are encrypted
- Fail2ban intrusion protection runs on the server
- ClamAV virus protection runs on the server
- rkhunter runs on the server to protect against rootkit threats
- All sites built with the OWASP Top 10 in mind
Outage reporting: Communicate directly with the customer via email / phone when outages occur. This would be followed up with a full report for the year.

Identity and authentication

User authentication: Username or password
Access restrictions in management interfaces and support channels: Administrators would be selected based on the agreement with the customer. The customer would allocate administrators to have access to the management interfaces and support channels. They would also be expected to inform the supplier when administrator access is to be revoked or altered.
Access restriction testing frequency: At least once a year
Management access authentication: Username or password
Devices users manage the service through:
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials Plus

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials Plus Accreditation
Information security policies and processes: We follow the principles set out by the Information Commissioner's Office.
https://ico.org.uk/for-organisations/guide-to-data-protection/

We comply with the GDPR data protection policy and affiliated policies.

We follow the standards set out through our accreditation for Cyber Essentials Plus.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach:
1. Administrators with complete access to the system are always kept to a minimum.
2. Administrators with complete access to the system are evaluated regularly to ensure that full access is required over time.
3. Any new administrators receive a full security briefing and training.
4. Any changes to access levels are documented and the customer is notified.
5. Individual software components are assessed frequently against new and improved alternatives on the market.
6. The customer will be notified of any major changes that will affect the system.
7. All configuration changes are recorded and documented in house.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach:
1. If the central database is attacked, AWS will alert the Supplier.
2. If the Supplier's internal server is attacked, the security software Sophos Intercept X should identify and quarantine viruses/malware. It is possible that the SonicWall firewall will also detect an attempted breach, which will notify the IT manager.
3. The response would be immediate; there is a member of staff who is responsible for managing these occurrences.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach:
1. If the central database is compromised, AWS will alert the Supplier.
2. If the Supplier's internal server is compromised, the security software Sophos Intercept X should identify and quarantine viruses/malware. It is possible that the SonicWall firewall will also detect an attempted compromise, which will notify the IT manager.
3. The response would be immediate; there is a member of staff who is responsible for managing these occurrences.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach:
1. We keep a fully comprehensive risk register which allocates responsibility and mitigative actions to individuals. Risks are amended accordingly.
2. Staff members are required to log incidents where user data is involved.
3. The customer would be notified of the incident and the Supplier's actions to manage the incident.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

Energy-efficient datacentres: Yes

Pricing

Price: £5000 per licence per year
Discount for educational organisations: Yes
Free trial available: No

Documents

Pricing document: View uploaded document
Terms and conditions document: View uploaded document