Haplo Higher Education Research Management Suite

Haplo provides a research management system to universities and research institutes. Haplo is a modular product. PhD Manager supports Graduate School / Doctoral College / Postgraduate Researcher management. Ethics Monitor streamlines Research Ethics applications. Funding supports pre-award, post-award, and costing. Repository includes research impact, researcher web profiles, REF.


  • Doctoral College / Graduate School / Postgraduate Research Management
  • Research Ethics Approval Form and Workflow
  • Pre-award Funding Management and Post-award Funded Project Approval Workflow
  • Research Costing Tool
  • Repository
  • Academic Profiles
  • Integration with Institutional Infrastructure
  • Research Excellence Framework management
  • Customisable Workflow
  • Reporting


  • Single integrated portal for all research activity
  • High levels of user engagement
  • Strong audit trail of review and approval
  • Public showcase of research activity
  • Modular implementation allows selection of required features
  • Highly configurable to enable precise fit to the institution
  • Integration with existing systems for data feeds and authentication


£35000 per instance per year

Service documents


G-Cloud 11

Service ID

9 0 0 4 4 6 9 8 3 6 5 5 3 9 3



Jennifer Summers



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements Haplo can be accessed via any web enabled device.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times During core working hour:
* Critical issues are responded to within 1 hour (fix: continuous effort)
* High within 2 hours (fix: 1 business day)
* Medium within 4 hours (fix: 4 business days)
* Low within 6 hours (fix: by agreement.)

During non-core working hours:
* Critical issues are responded to within 2 hours (fix: continuous effort)
* High within 2 core service hours (fix: 1 business day)
* Medium within 4 core service hours (fix: 4 business days)
* Low within 6 core service hours (fix: by agreement.)
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide two support levels. Our standard support provides for 99.5% uptime. An enhanced support for 99.9% uptime is available.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Haplo products are configured for each client and integrated with institutional systems. The Haplo team work closely with each client to implement their Haplo solution.

1) Requirements gathering and specification process. Requirements information is shared via a secure online project room and reviewed at an on-site workshop with key stakeholders from the institution and the Haplo team.

2) Configuration and integration. Haplo is configured to reflect institutional terminology, organisational structure, regulations and processes. Haplo is integrated with institutional identity management and authentication systems, Student Record Systems (if using PhD Manager) and/or HR system and other institutional systems as required.

3) Testing and revision cycles. Haplo attend for a 0.5 day on-site training for key users prior to testing.

4) Deployment. Haplo work with IT colleagues to set up DNS, SSL certificate, identity management, SMTP relaying; ensuring data feeds are live and working as required; and assist with one-off data imports if required.

5) Training and user documentation. Training system is provided matching the institution's preferred configurations with suitably anonymised data.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction At the end of the contract, data is returned to the user as:

* An 'archive' of all data in a form that can be loaded into the open source version of the Haplo platform, available from haplo.org

* An export of all data in JSON format.

* Copies of all the files uploaded to the application.
End-of-contract process £250 per 50GB or part thereof for the export process, which includes the cost of storage devices. The user is responsible for secure courier fees.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The user interface provides the same functionality on mobile and desktop. Mobile has small affordances to ensure a good user experience on touch devices.
Service interface Yes
Description of service interface A web based interface which enables users to find information about research, submit applications, approve other applications, submit research outputs, and collaborate with other users. Privileged users have access to configuration and service management functionality.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Use of accessibility evaluation tools to ensure compatibility with assistive technology.
What users can and can't do using the API REST style APIs are provided to:
- Add or change data in the system
- Receive messages about changes and events
- Access reporting information

Batch file APIs are provided to:
- Manage users and their profiles as an automated feed
- Import information

A server-side JavaScript API is provided to implement additional APIs and custom functionality.

Initial creation of an application instance is not available through an API.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Haplo is tailored to meet the requirements of each institution. The following elements are configurable:

* terminology

* organisational structure

* data received and data held about each researcher

* which workflows are included and custom workflows

* text of online forms and approval routing workflows

* business logic and business rules

* reporting

* authentication methods

* branding

* public repository interface (entirely customisable to match the existing university website.)

Customisation is generally performed by Haplo, working closing with the institution, but training is available for the institution's developers to make customisations.


Independence of resources Each application instance has a resource limit which ensures that an application cannot apply a load which would affect other instances. When an application reaches the limit, requests are still serviced without error, but at a slower rate.


Service usage metrics Yes
Metrics types Metrics are available on system usage, users and storage.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Bulk export of data can be undertaken via an API.

End users (with appropriate permissions) can use the standard user interface to export data to excel (such as reports) or PDF (such as completed application forms.)

An archive process is available to export all data in a computer readable format at extra cost.
Data export formats Other
Other data export formats
  • JSON
  • XML
  • TSV
Data import formats Other
Other data import formats
  • JSON
  • XML
  • TSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network SSH with mutual authentication is used to transfer data.

Data is always encrypted in transit, even on the local private network.

Availability and resilience

Availability and resilience
Guaranteed availability We offer a 99.5% SLA (not including planned maintenance). Refunds are offered on a sliding scale as a % of monthly charges.
Approach to resilience Available on request.
Outage reporting Outages are reported by email alerts to subscribing users.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication Users accounts are automatically configured by a user feed. Users then may be authenticated by Shibboleth (UK Access Management Federation), the user's AD FS or other SAML2 federated identify management. Users external to the institution may be authenticated by username and password if required by institution policy. Legacy LDAPS support is available.
Access restrictions in management interfaces and support channels Users must be granted membership of privileged user groups before they can access management interfaces and our support services.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance Limited
ISO/IEC 27001 accreditation date 21/5/2018
What the ISO/IEC 27001 doesn’t cover Our ISO27001 certification covers the entire service.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Haplo follows a no-compromise approach to information security as detailed in our Information Security Policy.

The Technical Director has primary responsibility for information security.
The Systems Administration Team is responsible for the day-to-day safety and security of the hosted platform and the information it contains.

The Haplo team are trained to follow our information security processes during induction and during regular staff training and security updates.

The Senior Management team meet regularly to review company information security practices.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All infrastructure and platform software is managed inside source control, with the source control version ID used to track changes through their lifetime.

To release any change, an authorised user must create and cryptographically sign a package to deploy it into production.

The customised applications running on top of the infrastructure and platform are independently versions, and Haplo works with the user's change control process to deploy changes.

A formal code review process assesses all changes for potential security impact.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Processes within our ISO27001 ISMS assess potential threats to our services.

Information about potential threats is obtained by subscribing to supplier's security notifications or monitoring dependency updates. Security issues are evaluated, and then applied within 24 hours after testing after running a full test suite. An emergency process can be used to patch more quickly if the vulnerability requires faster action.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Full auditing is enabled on all servers, recording all command and access. Logs are shipped to an independent server with separate access controls on a remote network, and analysed for anomalies.

Potential compromises are investigated by preserving all logs and data, then analysing potentially affected systems. Response is immediate to any incident.
Incident management type Supplier-defined controls
Incident management approach Haplo's Incident Management Policy details pre-defined processes for how we respond to incidents. Haplo classifies issues relevant to Information Security in 3 categories with different pre-defined processes for each category, reflecting different levels of security implications.

Users should report incidents to our Support Helpdesk either by ticket or telephone. Incidents will also be reported by automatic monitoring systems. Clients are kept informed regularly during the resolution of an incident.

Upon resolution, Haplo generates a report of the causes of the incident, the scope of the breach, and the actions taken, which is shared with the client.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £35000 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑