G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with Convivio are still valid.
Convivio

Independent Inquiry Website

The Independent Inquiry Website service provides a way for public inquiries to fulfil their remit for transparency, by publishing news, reports and evidence online, using a specially customised version of a major open source web CMS.

Features

  • Cloud-hosted as standard, with option for on-premise
  • Designed with government, for government
  • Highly user friendly design and workflow
  • Powerful search helps locate documents
  • Secure environment (SaaS version suitable for OFFICIAL)
  • Hands-on helpful support, with extensive launch support & training
  • Built on open source tools, works with open standards
  • Your data stays in your own instance of the system

Benefits

  • Save money by using a standard website for Inquiries
  • Save time by reducing manual work in publishing documents
  • Well-defined workflows reduce the chances of mistakes
  • Achieve the requirement for transparency with maximum efficiency
  • Reduce risk by minimising the amount of custom development
  • Manage the 'whole life' of the website

Pricing

£50,000 to £300,000 an instance a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@convivio.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

840466344142040

Contact

Convivio Steve Parks
Telephone: 020 7031 6990
Email: hello@convivio.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
N/a
System requirements
Linux, PHP, Apache/Nginx, MySQL/MariaDB stack

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Within 4 hours during office hours
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We use a third-party system that has been selected for meeting accessibility standards. We haven't done separate testing of our own.
Onsite support
Yes, at extra cost
Support levels
During the launch period we provide extra support at a level agreed with the customer. Our daily rate for onsite support is £900/day.
We provide a technical account manager.
Support available to third parties
No

Onboarding and offboarding

Getting started
We work with clients to develop an inception to launch path that will work for them and their teams. This can include configuration, customisation, design and branding, training, and on site support. We provide documentation, including short video tutorials.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
We can either provide an arrangement to transfer the entire instance, including the software platform (which is built with open source tools), or data can be exported from the platform either via API or export in a range of formats.
End-of-contract process
We provide 3 person/days of hands-on support to transition away from our service, free of charge. If you'd like us to provide more help, including training new providers, assisting with migrations, etc., this is available at our normal day rate.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The service is designed to be highly user friendly on a mobile device in terms of searching for and managing documents. However, due to device restrictions, document upload will not work on some mobile devices.
Service interface
No
API
Yes
What users can and can't do using the API
Initially the secure API can be used for ingesting new documents, obtaining a catalogue listing, and searching the catalogue. Further features are planned.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
We work with clients to customise the service in terms of:
- look and feel, to match branding
- configuration, to enable/disable features
- permissions and workflow, to match client needs

We can also be commissioned to develop new functionality for the service for particular clients.

Scaling

Independence of resources
We provide each client with an independent instance of the service.

Analytics

Service usage metrics
Yes
Metrics types
We provide clients with integration for their preferred analytics service (Google Analytics by default).
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Either via the API, or by exporting in a range of formats. The documents themselves can be exported in their original format and any formats they have been transcoded to. The metadata can be exported in CSV or JSON formats.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
JSON
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • PDF
  • MS Word

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The independent inquiry website isn't seen as a mission-critical application, and so (unless agreed otherwise with customers) there is an SLA for 99.5% availability. Upgrades to this are available.
Approach to resilience
Our service is deployed on AWS with automated deployment and configuration of services. This allows us to respond rapidly to issues and in many cases mitigates them before they become apparent.
Outage reporting
We provide a support dashboard for clients providing details of current status. This is augmented by email alerts.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Clients have their own instance of the service so we are able to configure access restrictions to suit each client. Usually the main restriction is that access is locked down to a particular IP range, in addition to having authenticated user accounts with defined permissions.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our security policies and processes are detailed and kept up to date in our 'cookbook', our public intranet: https://cookbook.weareconvivio.com/business-operation-recipe/security-policy

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Proposed changes are evaluated when they begin to be developed. Automated tests are written (unit and behavioural tests), and with each change that is committed the full suite of tests is automatically run. Each code change is peer reviewed, and then has a final review by the tech lead before it can be pushed to staging for acceptance testing.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our service is built on top of open source tools, so we start by monitoring declared vulnerabilities in upstream projects. As soon as these are released we evaluate them in order to assess the need to patch the service and determine a priority. We also monitor server and application logs, and system monitoring, to identify potential threats or vulnerabilities to be addressed.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We monitor server and application logs, and system monitoring tools, to identify unusual activity that may indicate a potential compromise. Where necessary this is escalated to the tech lead. Response varies from blocking specific users or IP ranges, to temporarily suspending the service to allow investigation and additional protective measures. During this whole process we alert and involve the client.
Incident management type
Supplier-defined controls
Incident management approach
As each client receives their own independent instance of the service, we work with them to define incident management processes to fit in with their business needs. These can include blocking specific users or IP ranges or, at the other end of the scale, opening up access to other IP ranges where a client's building has become unavailable due to an incident. Users report incidents through email or an online ticket system. Updates are tracked in the ticket. For P1 incidents a full report is provided in writing within 7 days.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£50,000 to £300,000 an instance a year
Discount for educational organisations
No
Free trial available
No
