iaptus CYP

iaptus CYP is the patient management solution designed specifically for CAMHS, CYP IAPT and children and young people’s primary care mental health services. It supports community psychological therapy teams to manage workflows, record patient data, track patients' progress in sessions, measure outcomes (ROMS) and report on the MHSDS national dataset.


  • Analysis: Reports to review patient and service level data
  • Clinical risks and alerts: Maintains focus on high risk clients
  • Group therapy: Complete clinical notes for groups from one screen
  • Customised fields: Services can add their own labels and tags
  • Outcome measures: Collect and display GAD7, PHQ, RCADS, CORS etc.
  • Supervision: Enabling efficient monitoring of cases and therapist workload
  • Questionnaires at home: Completed by patients prior to their appointment
  • Autocomplete: Searching by NHS number/DOB populates client’s full details
  • Text message notification: Sends reminder text messages automatically
  • Complies with MHSDS for reporting on national dataset


  • Streamlines administrative tasks, saving valuable appointment time
  • Efficiently manages high numbers of patients and waiting lists
  • Customised to follow your service’s care pathway
  • Enables efficient capturing and sharing of information across professionals
  • Records and monitors patient outcomes and recovery rates
  • Manages client safety and risk using custom labels and alerts
  • Offers child-friendly questionnaires for use in session, engaging patients
  • Questionnaires can be completed from home saving valuable therapy time
  • Enables outcome questionnaires to be completed in-session, on a tablet
  • Analysis tools allow review of patient and service level data


£9200 per instance per year

Service documents

G-Cloud 10



Chris May

01249 701100

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Customer's computers should be capable of running the current release, or one of the two previous major releases of Firefox®, Safari®, Microsoft® Edge™, and Internet Explorer®. As each new version of a browser is released, Mayden will begin supporting that version and stop supporting the fourth most recent version
System requirements
  • Windows Service Pack 3 or above
  • Supported web browser (see response above)
  • At least 1-2 Gb RAM
  • Javascript and cookies to be enabled on browsers
  • Stable internet connection, recommended 1 Mb
  • Currently supported Microsoft Operating System

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 2 working days, but typically about 4 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 A
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Iaptus CYP has a Help website containing full step by step instructions on how to use the system which is accessible to all users.

The support log built into iaptus CYP enables users to log, track, update, and sign-off support requests, and rate us on how well we responded. Updates to support log items are automatically sent to the user and your designated iaptus CYP contact via email. This provides full and efficient transparency of all support requests logged.

The office is staffed from 8 until 6 and the first point of contact is the reception or account management teams. Emails may be responded to out of hours, but this is not guaranteed.

Response times to requests vary depending on the nature of the request, but all queries will be receive an initial response within two working days, normally within four hours.

Urgent requests are responded to within three hours (system unavailability, data integrity questions). Important requests are responded to within one day and usually implemented in four days.

All support requests relating to a problem with the software will be assessed and an appropriate Priority Type assigned.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started A project plan will be provided at the start of commissioning. A dedicated project manager will support the service throughout the setup process to ensure the system is setup to service requirements and within the appropriate time frames. Full system training will be provided and a help site will be available to users from within the system to support use of the system. Each service is assigned an Account Manager to offer additional help and guidance both at the start of the contract and throughout the life of the contract.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Shared GoogleDoc
End-of-contract data extraction Services have two extract options when the contract ends. The first option is a number of CSV files which contain all patients records. The files can then be exported to a separate data warehouse or alternative Patient Management System. Alternatively we can download a summary of each patient record as a PDF with appropriate lookup tables for ease of use when providing information about a specific patient.
End-of-contract process At the end of the contract we will discuss with you what you would like us to do with the data we store and arrange for a system closure date and data transfer date. We will keep the data for 90 days after the contract ends. When it is nearing 90 days, we will contact you to confirm we will shortly be removing the data. If the data is requested as a number CSV files, there is no additional charge. There is an additional charge for a summary of each patient record as a PDF.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing The software has been tested by an Independent Dragon Speak expert. We invite regular feedback from all users including those with disabilities and using assistive technology, building this into our UI/UX development.
What users can and can't do using the API Detailed API document is available on request. Existing implementations using API include receiving referrals, sending letters, sending and receiving data to and from online therapy platforms
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Iaptus CYP has been designed to be as flexible as possible for the local service manager to maintain. Almost every drop down menu and checkbox in the system can be controlled and updated via the “List Manager” feature in iaptus CYP. Here new options can be added, mapped to national datasets and re-ordered. The control panel in the super user section of the system also allows an additional level of control and customisation locally.

There are times when fields are not relevant in a system and need to be switched off or perhaps another field should be mandatory. Your account manager can make these changes for you in most instances.


Independence of resources The architecture of our hosting allows new application servers to be added to the Load balancers so that increased demands can be matched to increased capacity.


Service usage metrics Yes
Metrics types Iaptus CYP contains built-in dashboards and a reporting suite that can be used to monitor service usage metrics. The reporting suite produces standard reports and enables users to select filters and generate custom reports. Service usage metrics include user logins, user actions, patients added, appointments booked, contacts added and many more.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Web downloads of delimited files on a nightly basis
Data export formats CSV
Data import formats
  • CSV
  • Other
Other data import formats Access

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Service Level Agreement is available on request. Current historic system availability is 99.97%. Details of liquidated damages are contained within the SLA and our contract. Service disruptions are categorised from 1 - 4 (1 being the highest). Target resolution times are detailed for each category. Where our delivery against these targets is not met a proportion of the monthly subscription will be deducted from the quarterly invoice up to a set maximum for each period.
Approach to resilience We operate a redundant model at all tiers in our application. We use redundant load balancers, application and database servers to ensure that if a single server or service were to fail we would be able to failover to an alternative.
Outage reporting We have a web page which users can access to view service bulletins and live status updates of our applications and communication channels through our Account Management team to advise customers of downtime.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Other
Other user authentication Users will either authenticate through a 2FA portal (if accessing over the public internet) and then authenticate with the application, or authenticate directly with the application if accessed over a government network (ie N3
Access restrictions in management interfaces and support channels We restrict access to production systems by job role within the company; developers do not get access to the same number of systems, or to the same level, as the systems team (for example)
Access restriction testing frequency At least once a year
Management access authentication Public key authentication (including by TLS client certificate)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 The British Standards Institute
ISO/IEC 27001 accreditation date 24/07/2015
What the ISO/IEC 27001 doesn’t cover All departments within Mayden are included in the scope of certification. Individual product lines designed by Mayden are not included within the scope of certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Current PCIDSS - we use a Third party provider

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards NHS Digital Information Governance Toolkit - Level 3 compliance
Information security policies and processes We are accredited to ISO27001:2013 and have policies and controls in place in order to manage risks and threats across all our projects.

To ensure compliance with ISO27001 and the NHS Digital Information Governance Toolkit we have a full Information Security Management System in place which consists of 29 policies that all staff have to comply with. These policies range from the following, Information Security Policy, Risk Management , Internal Audit Plan, Business Continuity, Clear Desk and Screen, Email Security and Acceptable Use, Laptop and Portable Device Security, Physical Access to Information Systems, Confidentiality Code of Practice, Personal Information Handling, Network and Router Security, Document and Record Control, Record Retention and Disposal, IT & Software, Development Change Management & Control, Principles for Secure System Engineering, Software Update and Patch Policy and Server Network and Laptop Computer Malware Management.

Staff have to complete a quarterly IG checklist to verify compliance and sign a declaration to this affect. This along with the policies are audited for compliance by our Information Security and Assurance Lead who is a qualified Lead Auditor. The Information Security and Assurance Lead reports to the Information Governance Lead who is also the Managing Director.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes are tracked through GitHub and our issue tracking tool Jira. This ensures that all automated tests are run on every change as well as manual testing being performed on every change in accordance with ISO27001. Risk is then assessed and any appropriate action taken to reduce risk to an acceptable level in accordance with our clinical risk policy.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have CVE and NVD security bulletins delivered to us daily. These are monitored for any bulletin affecting any package, utility of piece of software we use. We aim to open internal discussions and begin the overall emergency patch process within 48 hours of a vulnerability being identified. Where possible, this will then incur a rapid patch timeline with an aim to have the vulnerability patched within 14 days of initial discovery.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We monitor CVE/NVD bulletins on a weekly basis, checking for any critical package vulnerabilities that may exist in our environment.
Incident management type Supplier-defined controls
Incident management approach All incidents are added to our internal CRM System and communicated to the client. The customer is regularly updated with the proposed corrective and preventive actions. In accordance with Mayden’s standard terms of service initial reporting to the customer is communicated within 24 to 48 hours. Incidents are discussed at quarterly IG group meetings. The incidents are reviewed to ensure that corrective and preventive action has been implemented, any possible trends have been identified and that root cause analysis has been effectively undertaken. Incidents are added to the risk register and monitored by the Information Security and Assurance Lead.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £9200 per instance per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑