Worktribe Research enables Higher Education Institutions and research institutes to: record and disseminate research opportunities; cost research projects; manage funding submissions; manage contracts; track project spend; record and manage project impact, outputs and rich researcher profiles, presented via our Open Access repository; and prepare their REF2021 submission.
- Modular construction, covering full research life cycle including REF submission
- Modules integrate to create fully consistent, coherent, single database system
- Single sign-on integration via Shibboleth or Active Directory
- Full control of user access and data visibility
- Full fEC project costings using TRAC structure
- Configurable workflow control of approvals processes
- Project spend tracking with milestones etc.
- Storage, submission and harvesting of research outputs
- Recording of research impact, evidence and rich researcher profiles
- Support for preparing your REF2021 submission
- Coherent 'single source of truth' makes for consistent management reporting
- Workflow ensures that approval processes are properly followed
- Integration with external systems means all systems are synchronised
- Modular approach means extra functionality can be added later
- Full integration avoids inter-system mapping issues and re-keying
- Relationships with external organisations can be seen 'in the round'
- Consistent user-friendly interface reduces training needs and enhances uptake
- Simplified project budget creation, approval and submission processes
- Easier management of outputs, impact and researcher profiles
- Data easily collected and scored for REF2021 submissions
£5950 per licence per year
0870 020 1760
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||The system does require some configuration to accommodate each client's internal approvals processes. The configuration is performed during the implementation project, which under G-Cloud is termed the 'onboarding process.'|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Second-line Worktribe support is available to technical University staff from 9am to 5pm UK time, Monday to Friday, excluding English bank holidays.
Faults are categorised and resolved based on their priority:
* High (Service is not available, multiple users affected): 1 hour response, 4 hour fix/workaround.
* Medium (Intermittent fault causing great difficulty in using the service, one or more users affected): 2 hour response, 8 hour fix/workaround.
* Low (Intermittent fault but service is still usable, one or more users affected): 8 hour response, fix time by agreement on a case-by-case basis.
|User can manage status and priority of support tickets||No|
|Web chat support||No|
Support services are included within the annual SaaS fee.
We provide remote support between 9am and 5pm Monday to Friday, excluding English public holidays.
Typical support arrangements for ongoing support and maintenance are that the client provides first-line support in-house, with Worktribe providing second- and third-line support via our UK-based helpdesk.
Support requests are submitted to Worktribe using our online tool or, in exceptional circumstances, via email. Regardless of the channel through which the request is raised, a ticket is created on our portal to track the request through to resolution.
|Support available to third parties||No|
Onboarding and offboarding
Worktribe immediately provide 3 environments as standard: Test; Train; and Live.
The implementation process then consists mainly of: onsite training for the client's project team; workshops to define the client's approvals processes; configuration of the system to accommodate the agreed approval processes; client staff setting up the base data (client-specific lookup lists, for example); client staff setting up integration links with their other systems (typically HR, finance and website CMS); importing legacy data (optional); testing; client staff training the wider user base; and go-live. The following documentation is provided: User guides; Administrator guides; API documentation; data import documentation; documentation guidance on use of templates for documents containing Worktribe data.
Worktribe provides a project manager and an account manager. Support is provided from the start, and regular progress meetings are held. The key determinant of implementation speed are the readiness of the client and the client's assigned resources. As the system is already in wide use, the implementation process has become streamlined and fairly straightforward.
|End-of-contract data extraction||
Clients may extract their data using the following methods:
1) Using the Worktribe API, which is comprehensive and exposes all user data.
2) Using the SQL data extract, which is provided as part of the Worktribe service. This extract is normally provided on a regular basis for input to the client's Business Intelligence or other corporate reporting system, but may also be used as a data source at the end of the contract.
The costs of the end-of-contract process are included within the normal annual SaaS charge. The process is:
Some months beforehand, client and Worktribe to agree dates for trial data extracts and uploads to new system, and for final data extract.
On each extract date:
* All users (including system administration users) to be logged out at a previously-agreed time.
* Worktribe to shut down all user access to the Worktribe system.
* Client to perform whatever extracts they need via the API.
* Client to test the outcomes (including imports to the replacement system).
After the client has performed the final data extract:
* Worktribe to delete all copies of the client’s research-related data from its systems, no matter how old, or where held or in what format. (This may require destruction of physical media.) Worktribe to inform client in writing when deletion is completed.
* Worktribe to retain data regarding business contacts between the client and Worktribe, and commercial data regarding the relationship, subject to the limitations of the Data Protection Act or equivalent(s) then in force.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
To assist in our accessibility evaluations, we use the Web Accessibility Versatile Evaluator (WAVE) tool.
Text blocks are well formatted and readable by screen readers.
Worktribe users can also customise the presentation for accessibility within the usual constraints of the web browser and their operating system (for example to increase the font size or change the contrast ratio).
|What users can and can't do using the API||
Worktribe's comprehensive programmatic REST API has HATEOAS features. This is our preferred method for integrating with your other systems.
Typical API uses include: loading legacy data; receiving HR data (including salary data) from your HR system; integrating with your finance system to synchronise budget codes and receive 'actual spend' data; integrating with your web site CMS to expose researcher profiles and research outputs.
The REST API exposes all data entities to full CRUD (Create, Read, Update, Delete) operations, and is fully under the control of the client.
The integration mechanism consists of responding to authenticated HTTP commands sent by external applications. This means that creation, reading, updating and deletion of records within the Worktribe system by external applications are performed using the appropriate POST, GET, PUT and DELETE commands. Data is exchanged in JSON format.
The system also includes an event driven 'subscription' system. This means that the client is able to have both 'push' and 'pull' integrations.
API-based interactions between the Worktribe system and the other systems may be managed by your own ‘integration layer’ or ‘middleware layer’. This is a flexible, ‘loose coupling’ approach to integration.
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||
The Worktribe Research system is provided as a package, with the following customisable/configurable aspects:
1) Clients can maintain their own specific lookup lists (e.g. organisation structure, salary scales, lists of journals and publishers, tags of all types, report templates, and so on).
2) The system's workflow is configured to accommodate the approvals processes for each client. This configuration is done during the implementation project, called the 'onboarding process' under the G-Cloud framework.
3) The system can also accommodate client branding. The login screen, home screen, research portal, downloadable PDF reports and those produced using the template functionality can include the client's logo, although the Worktribe colour scheme is fixed. Any logo needs to be supplied by the client as an image file.
|Independence of resources||We run a mixture of physical hardware and virtualised systems that give us the best balance of performance and redundancy, using load-balancers and private cloud systems for dynamic scaling. All virtualised systems are single-tenanted (i.e. clients do not share virtual disks or machines).|
|Service usage metrics||Yes|
The support portal includes provision for client reports and data exports to be created at any time, so that performance against SLA is completely transparent.
• Number of support tickets per month
• Average issue resolution time
|Reporting types||Real-time dashboards|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
Users may export data from the Worktribe system in JSON format via the API.
User-specified report datasets may also be exported in CSV and Microsoft Excel formats.
The Worktribe system also enables export of data directly into documents, using the mail-merge features of Microsoft Word. Clients may create many Word templates which retrieve the required data from the Worktribe system automatically and present it as part of the resulting document.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Our standard availability is 99.8% uptime. The Worktribe Service Level Agreement includes provision of service credits if availability drops below 99.8%.|
|Approach to resilience||
We use virtualized servers and redundant disks that give us a high level of availability and resilience at our hosting provider. This maximises uptime and minimises the risk of system loss.
We take hourly encrypted backups to local backup systems at our primary secure host. These encrypted backups are themselves immediately backed up to a second secure hosting site, as a precaution against failure of both the system and backup at the primary host site.
In the event of disaster, we will trigger the restore from backup, prioritizing the database load. Any restoration of data from backups is performed by our in-house staff.
Worktribe uses automated provisioning software that enables us to quickly rebuild systems at a disaster recovery site. If we initiate the offsite recovery (e.g. if all network connections to the primary host were severed, with predicted downtime of hours or days) we can be up and running at the disaster recovery site within hours.
We regularly test our backup systems, both offsite and onsite. In practice we temporarily clone and restore live systems for testing and support, so the system is in constant use. The frequency of testing, for various reasons, approaches weekly.
|Outage reporting||The situation is presented on each client's support dashboard provided by Worktribe, so it is immediately visible to the client.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||The Worktribe system supports single-sign-on using customer Identity Providers including Shibboleth (via the UK Access Management Federation), Microsoft ADFS, Azure AD (SAML 2.0) and CoSign. With several of these systems, multi-factor authentication is also available. The Worktribe system also includes a built-in local authentication module (password based) and Active Directory integration (using LDAP over SSL).|
|Access restrictions in management interfaces and support channels||
There is no management interface available to client personnel or to hosting suppliers. Access to servers for management purposes is tightly restricted to just a few individuals within Worktribe.
For our own support personnel, access to client data is controlled by public key authentication rather than by password. The 5 staff authorised to access client data have individual keys, and the authorised set is controlled by our provisioning systems. Alternatively, the support personnel can ask the client to grant access, which of course leaves the usual in-app audit trail.
|Access restriction testing frequency||At least once a year|
|Management access authentication||Public key authentication (including by TLS client certificate)|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI Assurance UK Limited|
|ISO/IEC 27001 accreditation date||27 March 2018|
|What the ISO/IEC 27001 doesn’t cover||Secure hosting services are not covered by our ISO27001 certification, but are covered by that of the secure hosting suppliers we use. We only use hosting suppliers who are ISO27001 certified.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
The Chief Information Officer (CIO) is an Executive Director of Worktribe, who ensures that:
• The Information Security systems are fully documented and implemented in accordance with ISO 27001:2013
• All employees are made aware of customer requirements and have the skills to ensure they are met.
• All employees are aware of the Information Security policy statements, and their role in the implementation of these. This is supported by provision of a Staff Security Procedures document on the company intranet, and frequent reminders on the intranet to keep security at the front of employees' minds.
• Management reviews of the performance and improvement potential of the Management System are regularly provided.
In practice, the CIO is also personally involved in the control of access to client data, which can only be obtained through explicit and time-limited permission, and is only granted to a few staff. Access to client data is also tracked through use of individual keys, so that each access can be traced to a specific individual.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All software is based on the secure Worktribe platform to minimise security risks. Each software release and each build within each release is uniquely identified. Each new release is tested before publication. Requests for new and amended functionality are normally discussed using our on-line user group forum. Those gaining sufficient support are discussed at formal user group meetings. Further specification refinement may then take place in special interest group meetings, so that new features embody best practice. The new functionality is then embedded into our road map, and provided as part of our planned release schedule.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Our systems are hosted in a private cloud with secured access, so the server environment is tightly controlled. We receive the security patch streams for Ubuntu LTS (the operating system on our servers), which are installed automatically on our development systems, and we then patch production systems manually and promptly. Our DBMS is our own proprietary system which is stable and is guarded in several ways which prevent any unauthorised access. This prevents security attacks against the database. Also, user access permissions are enforced by the Worktribe platform at the lowest level of database access, so cannot be subverted.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
We use automated monitoring tools to keep a continual eye on the systems, and intervene immediately if we see any issues arising.
Our clients are often impressed with the speed with which we react to situations; no doubt you will ask our other clients about such matters.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Users report incidents as support requests. If we ever had a data breach it would be accorded the highest importance and urgency, and escalated for immediate investigation by our most senior engineers, including the Chief Information Officer.
An integral part of our incident management process is frequent investigation progress updates by phone and email. For this purpose Worktribe maintains an 'In Case of Emergency' list which contains both phone and email details of emergency contacts within clients, to be used in the case of such an event.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£5950 per licence per year|
|Discount for educational organisations||No|
|Free trial available||No|