Convivio

Independent Inquiry Website

The Independent Inquiry Website service provides a way for public inquiries to fulfil their remit for transparency, by publishing news, reports and evidence online, using a specially customised version of a major open source web CMS.

Features

  • Cloud-hosted as standard, with option for on-premise
  • Designed with government, for government
  • Highly user friendly design and workflow
  • Powerful search helps locate documents
  • Secure environment (SaaS version suitable for OFFICIAL)
  • Hands-on helpful support, with extensive launch support & training
  • Built on open source tools, works with open standards
  • Your data stays in your own instance of the system

Benefits

  • Save money by using a standard website for Inquiries
  • Save time by reducing manual work in publishing documents
  • Well-defined workflows reduce the chances of mistakes
  • Achieve the requirement for transparency with maximum efficiency
  • Reduce risk by minimising the amount of custom development
  • Manage the 'whole life' of the website

Pricing

£50000 to £300000 per instance per year

Service documents

Framework

G-Cloud 11

Service ID

840466344142040

Contact

Convivio

Steve Parks

020 3875 3438

hello@weareconvivio.com

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints N/a
System requirements Linux, PHP, Apache/Nginx, MySQL/MariaDB stack

User support

Email or online ticketing support Yes, at extra cost
Support response times Within 4 hours during office hours
User can manage status and priority of support tickets No
Phone support No
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing We use a 3rd party system that has been selected for meeting accessibility standards. We haven't done separate testing of our own
Onsite support Yes, at extra cost
Support levels During the launch period we provide extra support at a level agreed with the customer. Our daily rate for onsite support is £900/day.
We provide a technical account manager.
Support available to third parties No

Onboarding and offboarding

Getting started We work with clients to develop an inception to launch path that will work for them and their teams. This can include configuration, customisation, design and branding, training, and on site support. We provide documentation, including short video tutorials.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction We can either provide an arrangement to transfer the entire instance, including the software platform (which is built with open source tools), or data can be exported from the platform either via API or export in a range of formats.
End-of-contract process We provide 3 person/days of hands-on support to transition away from our service free of charge. If you'd like us to provide more help, including training new providers, assisting with migrations, etc., this is available at our normal day rate.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service is designed to be highly user friendly on a mobile device in terms of searching for and managing documents. However, due to device restrictions, document upload will not work on some mobile devices.
Service interface No
API Yes
What users can and can't do using the API Initially the secure API can be used for ingesting new documents, obtaining a catalogue listing, and searching the catalogue. Further features are planned.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation We work with clients to customise the service in terms of:
- look and feel, to match branding
- configuration, to enable/disable features
- permissions and workflow, to match client needs

We can also be commissioned to develop new functionality for the service for particular clients.

Scaling

Independence of resources We provide each client with an independent instance of the service.

Analytics

Service usage metrics Yes
Metrics types We provide clients with integration for their preferred analytics service (Google Analytics by default).
Reporting types Real-time dashboards

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Either via the API, or by exporting in a range of formats. The documents themselves can be exported in their original format and any formats they have been transcoded to. The metadata can be exported in CSV or JSON formats.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • PDF
  • MS Word

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability The independent inquiry website isn't seen as a mission-critical application, and so (unless agreed otherwise with customers) there is an SLA for 99.5% availability. Upgrades to this are available.
Approach to resilience Our service is deployed on AWS with automated deployment and configuration of services. This allows us to respond rapidly to issues and in many cases mitigates them before they become apparent.
Outage reporting We provide a support dashboard for clients providing details of current status. This is augmented by email alerts.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Clients have their own instance of the service so we are able to configure access restrictions to suit each client. Usually the main restriction is that access is locked down to a particular IP range, in addition to having authenticated user accounts with defined permissions.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our security policies and processes are detailed and kept up to date in our 'cookbook', our public intranet: https://cookbook.weareconvivio.com/business-operation-recipe/security-policy

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Proposed changes are evaluated when they begin to be developed. Automated tests are written (unit and behavioural tests), and with each change that is committed the full suite of tests is automatically run. Each code change is peer reviewed, and then has a final review by the tech lead before it can be pushed to staging for acceptance testing.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our service is built on top of open source tools, so we start by monitoring declared vulnerabilities in upstream projects. As soon as these are released we evaluate them in order to assess the need to patch the service and determine a priority. We also monitor server and application logs, and system monitoring, to identify potential threats or vulnerabilities to be addressed.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We monitor server and application logs, and system monitoring tools, to identify unusual activity that may indicate a potential compromise. Where necessary this is escalated to the tech lead. Response varies from blocking specific users or IP ranges, to temporarily suspending the service to allow investigation and additional protective measures. During this whole process we alert and involve the client.
Incident management type Supplier-defined controls
Incident management approach As each client receives their own independent instance of the service, we work with them to define incident management processes to fit in with their business needs. These can include blocking specific users or IP ranges or, at the other end of the scale, opening up access to other IP ranges where a client's building has become unavailable due to an incident. Users report incidents through email or an online ticket system. Updates are tracked in the ticket. For P1 incidents a full report is provided in writing within 7 days.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No

Pricing

Price £50000 to £300000 per instance per year
Discount for educational organisations No
Free trial available No
