G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with zsah Limited are still valid.
zsah Limited

zsahForms data collection and visualisation

ZsahForms is a dynamic configurable data capture and collection software tool that allows you to build workflows and global configurations, which can be used in a variety of situations to collect and visualise data

Features

  • Completely customisable eform/data collection development and deployment to users
  • Question logic (triggering, logic, calculated fields)
  • Multiple workflow capability (multiple organisations/users) contributing to same collection
  • Web services API (import/export and data upload facility (batch upload)
  • Pre-designed bank of eforms/data collections (audit, case/incident management)
  • Messaging facility built-in, and case sharing capability (different organisations)
  • Built-in dashboards, reports and analytical tools (custom reports available separately)
  • Clinical workflows, clinical research, clinical trial data collection, infections
  • Rapid "build-test-deploy" modular electronic data collection design
  • Web-based software (government cloud, commercial cloud (Azure, AWS), on premises)

Benefits

  • Rapid data collection configuration and deployment across any topic/workflow
  • Automated data dictionary creation during data collection configuration
  • Intuitive system administration, role creation and user management functions
  • Multi-format, coded data extracts mapped to security model (configurable)
  • Case management (integrated metadata from different disciplines in one space)
  • Accelerate digital transformation and speed up data collection methods
  • Reduced administrative load on data analysis and reporting staff
  • Produces cost savings for organisation (many data collections/single platform)
  • Multiple uses (esurveys, questionnaires, feedback, training, case management, research)
  • Messaging facility built-in, and case sharing capability (different organisations)

Pricing

£13,250 an instance

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@zsah.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

8 9 2 3 5 4 1 7 5 0 9 4 4 2 0

Contact

zsah Limited David Kennedy
Telephone: 020 7060 6032
Email: sales@zsah.net

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Can be integrated with parent electronic patient record (EPR), case management system, clinical trial software, lab software
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
There are no service constraints ; we will work with customers on all planned projects and specific configurations if required.
System requirements
  • ZsahForms requires internet access to receive installation and upgrades
  • There are no licencing dependencies for the solution
  • There are no specific operating system requirements
  • Web browser for end-users

User support

Email or online ticketing support
Email or online ticketing
Support response times
During normal hours of service, which are Monday to friday, 8am - 6pm, contacts are answered within 20 seconds, with initial response to issues within 15 minutes. Service levels can though be varied and agreed for individual contracts.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
In progress
Onsite support
Yes, at extra cost
Support levels
We provide three basic levels of support, as follows:
Bronze - email support
Silver - email + phone + webchat
Gold - email + phone + webchat

Each level can be modified to provide different levels of response times and hours of operation, from basic Monday to Friday, 9am to 5pm, up to full 24/7 support if required.
Each client will be assigned a technical account manager / service manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
When ZsahForms is deployed, the configuration of the platform is designed to be simple and intiutive (create ZsahForms, target to users and organisations, deploy, collect data and report). Onsite and remote training is available at an extra cost and there is a comprehensive knowledge base and FAQ section to help administrators and users.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Data is extractable from the front end and back end of the system, to the customer, and de-commissioning and offboarding processes will ensure final and complete data extraction is fully complete.
As an example zsahForms has been deployed for multiple clients in the medical field, where patient and clinical data confidentiality is critical. Data security and integrity is therefore at the core of ZsahForms services, including the ability to extract data at the end of a contract.
End-of-contract process
The user is able to extract their own data at any point, so there is no requriement for any additional action at the end of the contract. If necessary we can assist with a data export and provide a file before removing access to the system.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile service differs as follows: ZsahForms configuration is done on the desktop version, and mobile app version allows for data collection. A subset of reports is available on the mobile version (full reports and dashboards available on desktop version).
Service interface
No
API
Yes
What users can and can't do using the API
All data (limited by customer and data collection) from ZsahForms are available via our API.

ZsahForms runs a RESTful API service which can respond with either JSON or XML content type, and configurations are automatically altered once ZsahForms changes are made at the data collection level.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
System administrators can manage user access to ensure only the right information is visible to the right people. Scopes allow restriction and control of features/data down to an individual user level.

Scaling

Independence of resources
ZsahForms was built with scale in mind, utilising the microservices architecture. Scalability within the banded subscription pricing models is easily achieved and can be extended by agreement if necessary.

Analytics

Service usage metrics
Yes
Metrics types
There are a wide variety of analytical data available on system usage and metrics, including:
- User level insert/update/delete/view audit trail
- System pinging, uptime
- Server usage statistics
- Node stats
- Service availability
- Cluster health
- Real-time notifications of downtime
- Application logging
- API audit log
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export their data via multiple means on the system - through reports in multiple formats (PDF, Excel, text file) as well as a line list (pipe delimited) using the line list report, for all fields built into the data collection (limited by the security model).
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Excel
  • Text
  • JSON
  • XML
  • HL7
  • EDI
Data import formats
  • CSV
  • Other
Other data import formats
  • Text
  • Excel
  • JSON
  • XML
  • HL7

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The zsahForms service guarantees 99.9% availability.

In the event that ZsahForms does not meet availability levels, service credits are provided.
Approach to resilience
Through the use of multiple technology layers, including data centres separated by a minimum of 60 miles. Service is based on a redundant cluster configuration so is always on.

Our hosting services are delivered from highly resilient and secure UK Data Centre facilities located in London and Manchester. We own everything else outright from the racks to switches, servers and storage. Our "gridz" platform is an enterprise cloud platform that we can lift and put anywhere into any data centre environment.

Resilience all depends on the clients requirements. Generally, there is redundant hardware such as servers, switches, clustering for hardware servers, automatic failover for VM's, High Availability, vMotion. Further details available on request.
Outage reporting
Outages are reported to customers via dashboard, email, phone and twitter.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Only authorised users can access management interfaces and support channels using strong passwords via SSL. Access details restricted and stored in an encrypted password application. Only authorised users have access to that application.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Exova BM Trada
ISO/IEC 27001 accreditation date
31/07/2017
What the ISO/IEC 27001 doesn’t cover
All relevant aspects of the service are covered.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
ZsahForms follows HMG requirements in having named appointees in the positions of Senior Information Risk Owner (SIRO), Departmental Security Officer (DSO) and Information Technology Security Officer (ITSO).

ZsahForms also requires that all customers have a named appointed Information Asset Owner (IAO) compliant with the UK government security policy framework. This person will be responsible for all data access requests prior to ZsahForms being contacted.

Nominated information risk assessment, management and other specialists may also be required dependant on the customer's deployment of our service although this is not normally required.

Zsah's security policies and processes are aligned with ISO/IEC 27001:2013 and zsah is also certified under the UK Government Cyber Essentials scheme.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All components are configured as per client's requirements and are monitored regularly. If changes are required, the client requests a change via a Change Request. Once reviewed and approved by Zsah change management, the changes are then implemented.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability and Penetration testing:
Patches are deployed as soon as a threat is identified. zsah works closely with the major industry vendors and third party organisations who send out regular alerts. We also have a regular patching schedule every 2 months.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We ensure that your business and daily operations run smoothly via support from our technical team. This means that we consistently monitor the network to ensure everything is running without any problems and should a problem arise then we can address it before users are affected.

Our monitoring is constant on a 24 hours, 7 days a week basis throughout the year. If issues arise the zsah support team are contactable at any time to resolve problems on the system.
Incident management type
Supplier-defined controls
Incident management approach
We have an incident management procedure which is aligned to ISO/IEC 27001: 2013. Pre-defined processes for common events depend on the type of incident, whether it is an incident or not. Events that are classified as incidents include malware infections, excessive spam, information system failures and denial of loss of service.

Users report to the Information Security Management representative and then an appropriate action is taken quickly after discussed with management.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£13,250 an instance
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@zsah.net. Tell them what format you need. It will help if you say what assistive technology you use.