Independent Inquiry Website
The Independent Inquiry Website service provides a way for public inquiries to fulfil their remit for transparency, by publishing news, reports and evidence online, using a specially customised version of a major open source web CMS.
Features
- Cloud-hosted as standard, with option for on-premise
- Designed with government, for government
- Highly user friendly design and workflow
- Powerful search helps locate documents
- Secure environment (SaaS version suitable for OFFICIAL)
- Hands-on helpful support, with extensive launch support & training
- Built on open source tools, works with open standards
- Your data stays in your own instance of the system
Benefits
- Save money by using a standard website for Inquiries
- Save time by reducing manual work in publishing documents
- Well-defined workflows reduce the chances of mistakes
- Achieve the requirement for transparency with maximum efficiency
- Reduce risk by minimising the amount of custom development
- Manage the 'whole life' of the website
Pricing
£50,000 to £300,000 an instance a year
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at hello@convivio.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 11
Service ID
8 4 0 4 6 6 3 4 4 1 4 2 0 4 0
Contact
Convivio
Steve Parks
Telephone: 020 7031 6990
Email: hello@convivio.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- N/a
- System requirements
- Linux, PHP, Apache/Nginx, MySQL/MariaDB stack
User support
- Email or online ticketing support
- Yes, at extra cost
- Support response times
- Within 4 hours during office hours
- User can manage status and priority of support tickets
- No
- Phone support
- No
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
- We use a 3rd party system that has been selected for meeting accessibility standards. We haven't done separate testing of our own
- Onsite support
- Yes, at extra cost
- Support levels
-
During the launch period we provide extra support at a level agreed with the customer. Our daily rate for onsite support is £900/day.
We provide a technical account manager.
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- We work with clients to develop an inception to launch path that will work for them and their teams. This can include configuration, customisation, design and branding, training, and on site support. We provide documentation, including short video tutorials.
- Service documentation
- Yes
- Documentation formats
- HTML
- End-of-contract data extraction
- We can either provide an arrangement to transfer the entire instance, including the software platform (which is built with open source tools), or data can be exported from the platform either via API or export in a range of formats.
- End-of-contract process
- We provide 3 person/days of hands on support to transition away from our service free-of-charge. If you'd like us to provide more help, including training new providers, assisting with migrations etc, this is available at our normal day rate.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari 9+
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The service is designed to be highly user friendly on a mobile device in terms of searching for and managing documents. However, due to device restrictions, document upload will not work on some mobile devices.
- Service interface
- No
- API
- Yes
- What users can and can't do using the API
- Initially the secure API can be used for ingesting new documents, obtaining a catalogue listing, searching the catalogue. Further features are planned.
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
We work with clients to customise the service in terms of:
- look and feel, to match branding
- configuration, to enable/disable features
- permissions and workflow, to match client needs
We can also be commissioned to develop new functionality for the service for particular clients.
Scaling
- Independence of resources
- We provide each client with an independent instance of the service.
Analytics
- Service usage metrics
- Yes
- Metrics types
- We provide clients with integration for their preferred analytics service (Google Analytics by default).
- Reporting types
- Real-time dashboards
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Encryption of all physical media
- Data sanitisation process
- No
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Either via the API, or by exporting in a range of formats. The documents themselves can be exported in their original format and any formats they have been transcoded to. The metadata can be exported in CSV or JSON formats.
- Data export formats
-
- CSV
- ODF
- Other
- Other data export formats
- JSON
- Data import formats
-
- CSV
- ODF
- Other
- Other data import formats
-
- MS Word
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- The independent inquiry website isn't seen as a mission-critical application, and so (unless agreed otherwise with customers) there is an SLA for 99.5% availability. Upgrades to this are available.
- Approach to resilience
- Our service is deployed on AWS with automated deployment and configuration of services. This allows us to respond rapidly to issues and in many cases mitigates them before they become apparent.
- Outage reporting
- We provide a support dashboard for clients providing details of current status. This is augmented by email alerts.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Clients have their own instance of the service so we are able to configure access restrictions to suit each client. Usually the main restriction is that access is locked down to a particular IP range, in addition to having authenticated user accounts with defined permissions.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Our security policies and processes are detailed and kept up to date in our 'cookbook', our public intranet: https://cookbook.weareconvivio.com/business-operation-recipe/security-policy
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Proposed changes are evaluated when they begin to be developed. Automated tests are written (unit and behavioural tests), and with each change that is committed the full suite of tests is automatically run. Each code change is peer reviewed, and then has a final review by the tech lead before it can be pushed to staging for acceptance testing.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Our service is built on top of open source tools so we start by monitoring declared vulnerabilities in upstream projects. As soon as these are released we evaluate them in order to assess the need to patch the service and determine a priority. We also monitor server and application logs, and system monitoring, to identify potential threats or vulnerabilities to be addressed.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- We monitor server and application logs, and system monitoring tools, to identify unusual activity that may indicate a potential compromise. Where necessary this is escalated to the tech lead. Response varies from blocking specific users or IP ranges, to temporarily suspending the service to allow investigation and additional protective measures. During this whole process we alert and involve the client.
- Incident management type
- Supplier-defined controls
- Incident management approach
- As each client receives their own independent instance of the service, we work with them to define incident management processes to fit in with their business needs. These can include blocking specific users or IP ranges or, at the other end of the scale, opening up access to other IP ranges where a client's building has become unavailable due to an incident. Users report incidents through email or an online ticket system. Updates are tracked in the ticket. For P1 incidents a full report is provided in writing within 7 days.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £50,000 to £300,000 an instance a year
- Discount for educational organisations
- No
- Free trial available
- No