One Digital Enterprise
One Digital Enterprise is an end-to-end digital platform, enabling organisations to deliver exceptional customer service. One Digital Enterprise incorporates the One Digital Portal and One Digital Forms and Contact Manager services. These individual components are both available via G-Cloud.
- Customer registration, secure login and self-service sign-up facilities.
- Single sign-on and integration to back office services and solutions.
- Fully responsive pages across PC, tablet, smartphones and TV.
- Interactive widgets providing customer-specific or location-based information.
- Comprehensive management information including dashboards and reporting.
- A highly flexible, rapid forms creation and configuration tool.
- Contact management with document upload facility and document viewer.
- Sophisticated workflow, enabling task automation and configuration of business logic.
- Automatic creation of follow-up forms and notifications to customers.
- Payments – customers can make secure payments for services in seconds.
- An organisation-wide digital solution delivering customer services securely.
- Provide 24/7 access to online services – self-service with convenience.
- Remove rekeying errors via powerful integration and workflow.
- Quick return on investment – rapid, simple form and process creation.
- Simple to use – intuitive navigation for both customers and employees.
- Deliver proactive and personalised content using the Promotions Manager.
- Highly flexible platform design – any sector, any business, any department.
- Mobile responsive providing a multi-channel customer experience.
- Reduce customer contact and processing time, improving customer experience.
- Achieve cost and time savings through effective channel shift.
£20000 per instance per year
7 6 1 5 3 5 6 9 4 9 1 7 6 8 1
Capita Business Services Limited
Capita Business Services Ltd
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Delivered as a Software as a service (SaaS), One Digital is an end-to-end digital platform, enabling exceptional customer service. It incorporates the One Digital Portal and One Digital Forms and Contact Manager services. These components are all available via G-Cloud|
|Cloud deployment model||Public cloud|
The public-facing components of the One Digital Enterprise services shall provide at least 99.5% availability during scheduled operating hours, defined as 24 hours a day, 365 days a year, excluding scheduled maintenance.
Not all maintenance requires downtime and we will schedule downtime to be outside of core business hours wherever possible. Scheduled maintenance covers tasks including, but not limited to:
• New releases (software upgrades) and server patching.
• Monthly schedules of planned downtime published in advance.
In cases of unscheduled downtime for emergency changes, we will endeavour to complete work outside normal office hours.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Response times apply Monday – Friday, 08:00 – 18:00.
High Severity (must be logged online and then followed up by telephone): day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one working hour and, whenever possible, provide a solution or advise how quickly a solution will be available.
Medium Severity: day-to-day work can be continued but there is still a requirement for a speedy resolution. We aim to respond within four working hours.
Low Severity: day-to-day work can be continued but the problem is minor. We aim to respond within two working days.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Help Desk requests are logged on a call tracking system and dealt with in priority and severity order. The Help Desk is operated Monday–Friday, 08:00 – 18:00.
Requests are logged online, by email or telephone.
24/7 Platform Availability Monitoring and fix of ‘site down’ P1 incidents.
High Severity: day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one hour. Resolution: continuous monitoring and customer updating until the fault is resolved, which we aim to be within four hours.
Medium Severity: day-to-day work can be continued but there is a requirement for speedy resolution. We aim to respond within four working hours. Resolution: whenever possible, a solution will be given or we will advise how quickly a solution will be available, within eight hours.
Low Severity: day-to-day work can be continued and the problem is minor. We aim to respond within two working days. Resolution: whenever possible, a solution will be given or we will advise how quickly a solution will be available, within five working days.
A Technical Account Manager is available via standard escalation procedures within our Service Charter.
The standard level of support is included with the monthly service charge.
|Support available to third parties||No|
Onboarding and offboarding
Onboarding to One Digital Enterprise can be a very swift process and delivered within any reasonable timescale, varying according to project dependencies and deliverables. Once requirements have been analysed and configuration of the relevant components has been completed, on-site training will be delivered, supported by a comprehensive set of user documentation. This documentation is updated in line with each release of the software and is available in PDF format. User acceptance testing (UAT) will be carried out in the One Digital pre-production environment where applicable. UAT will be undertaken by customer employees, who feed back any reported issues and maintain a regular dialogue with our teams to prioritise those issues and plan for resolutions. The UAT stage will include a nominated contact within Capita for reporting any such issues. Once the UAT stage has been completed within the pre-production environment and the solution has been signed off, deployment to the production environment will commence, along with Go Live activities.
To support the onboarding process, Capita can provide a range of services, including Project Management, Business Analysis, Technical Consultancy and Business/Training Consultancy.
|End-of-contract data extraction||The data extraction format may be via standard methods such as CSV, SQL database extract or XML. At the end of the Contract, Capita and the buyer will determine the most appropriate method of data extraction, depending upon the buyer’s specific requirements and availability.|
At the end of the Contract, Capita and the buyer will determine the most appropriate method of data extraction, depending upon the buyer’s specific requirements and availability. This process will be fully scoped and project managed with Capita’s technical employees. Any cost associated with end of Contract activity will be provided as scoped.
All customer data is managed in clearly segregated data stores. Upon withdrawal from our cloud service, all data will be securely deleted from our infrastructure. This includes all secondary data sources, such as backups. The deletion is enforced by the Microsoft Azure Cloud Platform. Microsoft implement security controls which ensure no unauthorised access to deleted data and, ultimately, secure wiping or physical destruction of the storage hardware when it is de-commissioned from service.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The platform provides a fully mobile-responsive user interface which renders appropriately to the screen size of the device being used, whether this is a mobile phone, tablet or desktop. We recognise that mobile browsing is now becoming the dominant method for accessing the web and our platform supports this fully. This responsive behaviour is built into the platform and happens automatically. No special configuration or styling is required. HTML5 and the Bootstrap framework are utilised to enable this device-agnostic user interface.|
|Description of service interface||
The service interface is browser-based. For One Digital Portal, textual elements are customisable, including the style and language. Specific functions of the portal can be enabled/disabled, with many functions including configurable settings.
One Digital Forms is configurable and customisable. Themes can be designed/applied, for forms to appear the same as the main website, including headers and footers, with the option to apply target URLs to header images. One Digital Contact Manager is a back-office solution; therefore, customisation isn’t required in the same way as One Digital Forms and One Digital Portal. However, it includes functions controlled through comprehensive user-based permissions.
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
Accessibility is considered at every stage of design and development of the One Digital platform. Our solution meets the current requirements of the WCAG 2.0 guidance to AA standard and we regularly test all the One Digital components to ensure this standard is maintained as new features are added to the solution. We believe our platform is accessible to those with differing needs and it supports assistive technologies, such as screen readers used by those with sight problems.
One Digital meets the requirements for compliance to the following standards:
- WCAG 2.0 guidance to AA standard
- British Standard 8878:2010 – Web Accessibility – Code of Practice
- ISO 9241 Ergonomics of Human-System Interaction.
|What users can and can't do using the API||
One Digital Enterprise supports several different integration scenarios, depending on the unique business needs of the Customer. Each component of One Digital Enterprise has a range of web services which allow integration from and to both Capita services and third party solutions.
For exact details regarding the API capability associated with the components of One Digital Enterprise, please refer to the following individual G-Cloud entries:
- One Digital Portal
- One Digital Forms and Contact Manager.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
For exact details regarding the customisation capability associated with the components of One Digital Enterprise, please refer to the following individual G-Cloud entries:
- One Digital Portal
- One Digital Forms and Contact Manager.
For example, all wording throughout the One Digital Portal can be customised by non-technical employees with appropriate access, through updating text files. This also incorporates a custom style sheet that can be altered to apply custom styles to the portal deployment.
One Digital Forms allows themes to be created and configured, allowing customisation of the colour scheme (buttons, text colour, font size, etc) and logos. Further customisation includes adding or amending introductory text and form hints, updating existing questions, adding new questions and updating qualifying criteria. Where relevant, all such updates are made within the boundaries necessary for a successful submission and for back office integration.
|Independence of resources||
Each customer will have their own single tenant dedicated application instance, including isolated databases. We enforce segregation and prevent cross contamination using multiple layers of network segregation, including a dedicated subnet per customer, secure namespaces and encrypted overlay VXLAN-based virtual networks per customer. This means that other instances cannot have a negative impact on each other.
The solution has automatic elastic scalability built in; it scales resources responding to unforeseen spikes of usage to protect the Customer’s user experience. Additionally, Capita will work with customers to predict and plan for known events that will require extra resources or capacity.
|Service usage metrics||Yes|
Analytics are provided in the form of a Reporting Module, accessible to non-technical users. These reports detail platform usage in terms of registered users and linked services or transactions completed. Reports on the successful completion and drop-out rates of forms are also provided.
Software, such as GovMetric (and Google Analytics in respect of the portal), can be incorporated into the response page following form submission, providing details regarding user interactions.
Additionally, a monthly report will be provided detailing the status of the system against availability targets.
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
All customer data within the Secure Capita One Cloud is isolated and encrypted at rest through 256-bit AES encryption. Symmetric encryption using a multiple key hierarchy is used to encrypt and decrypt this data.
Access to customer data is restricted based on business need and by role-based access control, multifactor authentication and minimising standing access to data. Data encryption keys are created and controlled by Capita.
Microsoft cannot access customer data. Microsoft Azure is the hosting service which provides the underlying highly resilient and secure data centres, physical hardware, networks and services that underpin the Secure Capita One Cloud.
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
The One Digital Enterprise service provides components, allowing extracts of data and reports in one or more of these formats: CSV, XML, PDF, MS Excel and MS Word.
Reporting, both predefined and ad hoc, can also be provided using MS SSRS and exported in the same formats.
During the deployment, customer-specific requirements associated with data import/export will be identified and configured accordingly.
For more details please refer to the following individual G-Cloud entries:
- One Digital Portal
- One Digital Forms and Contact Manager.
|Data export formats||
|Other data export formats||
|Data import formats||Other|
|Other data import formats||MS Excel|
|Data protection between buyer and supplier networks||
|Other protection between networks||
All data in transit between the Customer and the Secure Capita One Cloud is secured and encrypted.
Data in transit to/from our SaaS is secured by the following methods:
• Website traffic accessed via a browser is HTTPS only, encrypted and secured with SHA-2 X.509 certificates.
• Restricted features for specific back office employees/roles can be secured to be only accessible via an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
• Secure integrations facilitated by an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
|Data protection within supplier network||
|Other protection within supplier network||The hosting platforms are designed to be compliant with the UK Government Cloud Security Principles and are tested annually for defects against this standard. We use TLS 1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA-256 bit encryption. All backup data and secure keys backed up between the two Microsoft UK regions are secured and encrypted in transit.|
Availability and resilience
One Digital Enterprise SaaS is built to run 24/7 but is optimised for high availability and performance during core hours.
For public-facing portals, the service shall provide at least 99.5% availability 24 hours a day, 7 days per week, 365 days per year, excluding scheduled maintenance.
For the internal-facing application, the service shall provide at least 99.5% availability during supported office hours, which is defined as 08:00 – 18:00, Monday – Friday, excluding English public holidays and excluding scheduled maintenance.
The scheduled maintenance will cover tasks including, but not limited to:
• New releases (software upgrades) and server patching. Not all maintenance will require downtime.
• In addition to any scheduled maintenance, there will be occasions where Capita is required to initiate unscheduled downtime for emergency changes. In exceptional cases when emergency changes are required, we will endeavour but cannot guarantee to complete this work outside of the core normal office hours.
• Monthly schedules of planned downtime published in advance.
The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
|Approach to resilience||
One Digital Enterprise is made up of a set of virtualised, containerised components that rely on specific Infrastructure as a Service and Platform as a Service features of Microsoft Azure that have been configured and optimised to make up the Secure Capita One Cloud.
The Secure Capita One Cloud only uses resources that are a commodity, highly available and easy to bring up, scale and configure on-demand.
Each dedicated customer instance will live within the Secure Capita One Cloud within one of the two UK Microsoft Azure regions (UK South and UK West). Within each region we are using highly available and highly resilient services with no single points of failure.
• Automated backups of all databases, data and configuration to support RPO and RTO targets.
• Backups are written to disk immediately within region.
• Backups are automatically copied to the second region to protect from region-wide issues.
• Unique security keys for each customer are written into both regions to protect from region-wide issues.
• Data Recovery processes tested regularly.
• Complete Disaster Recovery testing performed regularly.
• Application components are built from golden images and can be spun up easily.
More information available on request
|Outage reporting||The solution is a SaaS-based offering and as such the monitoring of system availability, resource utilisation, etc, is performed as part of the managed service by Capita. These real-time processes are not normally made available to the end user. All incident management type events and activities are recorded within our CRM and accessed via the customer portal.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
Access to the One Digital Contact Manager is by username and password.
Where One Digital Forms are accessed via users registered on the One Digital Portal or authenticated against services available on the portal, access can be provided by two-factor authentication (portal), username and password (portal), online authorisation (authenticated services) or PIN (authenticated services). Please see our entry on G-Cloud for the One Digital Portal for further details.
|Access restrictions in management interfaces and support channels||
Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.
Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Help Desk are encouraged to register on the support portal. If customers contact us by telephone or email, their details are matched to an existing registration.
The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees. We have reduced risk by giving no data access via cloud service management. All access is audited and only granted on a need basis.|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||British Assessment Bureau.|
|ISO/IEC 27001 accreditation date||24/11/2017.|
|What the ISO/IEC 27001 doesn’t cover||Our ISO 27001 Certification Scope only covers the hosted environment as offered on G-Cloud.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Security Essentials.|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Our cloud service provider complies with many standards, including CSA CCM v3.0, ISO/IEC 27018, ISO/IEC 27001, UK Cyber Essentials PLUS.
Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls. Capita has UK Cyber Essentials certification.
Further details are available upon request.
|Information security policies and processes||
As part of Capita Business Services, we work to policies and standards that are aligned with ISO 27001. These are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when employees complete their annual training they agree to comply with both Group and Business Unit Level policies.
Information Security employees as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.
Information Security is dealt with at all levels of the business including at the Business Unit, Divisional Unit and Capita Group.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||As part of the ISO 27001 Accredited ISMS we have a defined and documented change control process. At the core of this change control process is an assessment on all areas of the system, including security. If the risk to security is deemed to be high, it is assessed by Information Security. All change requests are stored on a CRM system and, as part of our ISO 27001 audit schedule, are randomly checked to ensure accurate record-keeping is maintained and the process followed.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||We employ a market-leading AVS tool that is scheduled to run regularly. These results are then fed into the ongoing threat assessment and management program. Patching is completed on a scheduled basis and any failures are identified by the AVS and raised. Out-of-cycle patches are risk assessed and scheduled; if required, they could be in place within less than 24 hours. Capita subscribes to multiple information sources for threats, including CISP and ISF. In addition, Information Security regularly reviews other public and private websites for threat information.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||The platform uses a system that was designed to comply with GPG13. Events are categorised and events that have been flagged for review are reviewed daily. In addition, the information is stored with controlled access for investigations.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
We have a defined, approved and tested Incident Management process, forming part of our ISO 27001 accredited ISMS. The process has a list of example incidents that are designed to cover a wide range of scenarios. All employees are made aware of the incident reporting process and randomly tested for effectiveness.
Incident reports will be passed to relevant customers if there has been an impact to their environment or data.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£20000 per instance per year|
|Discount for educational organisations||No|
|Free trial available||No|