Haplo Higher Education Research Management Suite

Haplo provides a research management system to universities and research institutes. Haplo is a modular product. PhD Manager supports Graduate School / Doctoral College / Postgraduate Researcher management. Ethics Monitor streamlines Research Ethics applications. Funding supports pre-award, post-award, and costing. Repository includes research impact, researcher web profiles, REF.


  • Doctoral College / Graduate School / Postgraduate Research Management
  • Research Ethics Approval Form and Workflow
  • Pre-award Funding Management and Post-award Funded Project Approval Workflow
  • Research Costing Tool
  • Repository
  • Academic Profiles
  • Integration with Institutional Infrastructure
  • Research Excellence Framework management
  • Customisable Workflow
  • Reporting


  • Single integrated portal for all research activity
  • High levels of user engagement
  • Strong audit trail of review and approval
  • Public showcase of research activity
  • Modular implementation allows selection of required features
  • Highly configurable to enable precise fit to the institution
  • Integration with existing systems for data feeds and authentication


£35000 per instance per year

Service documents


G-Cloud 11

Service ID

9 0 0 4 4 6 9 8 3 6 5 5 3 9 3



Jennifer Summers



Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
Haplo can be accessed via any web enabled device.

User support

Email or online ticketing support
Email or online ticketing
Support response times
During core working hour:
* Critical issues are responded to within 1 hour (fix: continuous effort)
* High within 2 hours (fix: 1 business day)
* Medium within 4 hours (fix: 4 business days)
* Low within 6 hours (fix: by agreement.)

During non-core working hours:
* Critical issues are responded to within 2 hours (fix: continuous effort)
* High within 2 core service hours (fix: 1 business day)
* Medium within 4 core service hours (fix: 4 business days)
* Low within 6 core service hours (fix: by agreement.)
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide two support levels. Our standard support provides for 99.5% uptime. An enhanced support for 99.9% uptime is available.
Support available to third parties

Onboarding and offboarding

Getting started
Haplo products are configured for each client and integrated with institutional systems. The Haplo team work closely with each client to implement their Haplo solution.

1) Requirements gathering and specification process. Requirements information is shared via a secure online project room and reviewed at an on-site workshop with key stakeholders from the institution and the Haplo team.

2) Configuration and integration. Haplo is configured to reflect institutional terminology, organisational structure, regulations and processes. Haplo is integrated with institutional identity management and authentication systems, Student Record Systems (if using PhD Manager) and/or HR system and other institutional systems as required.

3) Testing and revision cycles. Haplo attend for a 0.5 day on-site training for key users prior to testing.

4) Deployment. Haplo work with IT colleagues to set up DNS, SSL certificate, identity management, SMTP relaying; ensuring data feeds are live and working as required; and assist with one-off data imports if required.

5) Training and user documentation. Training system is provided matching the institution's preferred configurations with suitably anonymised data.
Service documentation
Documentation formats
End-of-contract data extraction
At the end of the contract, data is returned to the user as:

* An 'archive' of all data in a form that can be loaded into the open source version of the Haplo platform, available from haplo.org

* An export of all data in JSON format.

* Copies of all the files uploaded to the application.
End-of-contract process
£250 per 50GB or part thereof for the export process, which includes the cost of storage devices. The user is responsible for secure courier fees.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The user interface provides the same functionality on mobile and desktop. Mobile has small affordances to ensure a good user experience on touch devices.
Service interface
Description of service interface
A web based interface which enables users to find information about research, submit applications, approve other applications, submit research outputs, and collaborate with other users. Privileged users have access to configuration and service management functionality.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Use of accessibility evaluation tools to ensure compatibility with assistive technology.
What users can and can't do using the API
REST style APIs are provided to:
- Add or change data in the system
- Receive messages about changes and events
- Access reporting information

Batch file APIs are provided to:
- Manage users and their profiles as an automated feed
- Import information

A server-side JavaScript API is provided to implement additional APIs and custom functionality.

Initial creation of an application instance is not available through an API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Haplo is tailored to meet the requirements of each institution. The following elements are configurable:

* terminology

* organisational structure

* data received and data held about each researcher

* which workflows are included and custom workflows

* text of online forms and approval routing workflows

* business logic and business rules

* reporting

* authentication methods

* branding

* public repository interface (entirely customisable to match the existing university website.)

Customisation is generally performed by Haplo, working closing with the institution, but training is available for the institution's developers to make customisations.


Independence of resources
Each application instance has a resource limit which ensures that an application cannot apply a load which would affect other instances. When an application reaches the limit, requests are still serviced without error, but at a slower rate.


Service usage metrics
Metrics types
Metrics are available on system usage, users and storage.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Bulk export of data can be undertaken via an API.

End users (with appropriate permissions) can use the standard user interface to export data to excel (such as reports) or PDF (such as completed application forms.)

An archive process is available to export all data in a computer readable format at extra cost.
Data export formats
Other data export formats
  • JSON
  • XML
  • TSV
Data import formats
Other data import formats
  • JSON
  • XML
  • TSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
SSH with mutual authentication is used to transfer data.

Data is always encrypted in transit, even on the local private network.

Availability and resilience

Guaranteed availability
We offer a 99.5% SLA (not including planned maintenance). Refunds are offered on a sliding scale as a % of monthly charges.
Approach to resilience
Available on request.
Outage reporting
Outages are reported by email alerts to subscribing users.

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
Users accounts are automatically configured by a user feed. Users then may be authenticated by Shibboleth (UK Access Management Federation), the user's AD FS or other SAML2 federated identify management. Users external to the institution may be authenticated by username and password if required by institution policy. Legacy LDAPS support is available.
Access restrictions in management interfaces and support channels
Users must be granted membership of privileged user groups before they can access management interfaces and our support services.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Lloyd's Register Quality Assurance Limited
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our ISO27001 certification covers the entire service.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Haplo follows a no-compromise approach to information security as detailed in our Information Security Policy.

The Technical Director has primary responsibility for information security.
The Systems Administration Team is responsible for the day-to-day safety and security of the hosted platform and the information it contains.

The Haplo team are trained to follow our information security processes during induction and during regular staff training and security updates.

The Senior Management team meet regularly to review company information security practices.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All infrastructure and platform software is managed inside source control, with the source control version ID used to track changes through their lifetime.

To release any change, an authorised user must create and cryptographically sign a package to deploy it into production.

The customised applications running on top of the infrastructure and platform are independently versions, and Haplo works with the user's change control process to deploy changes.

A formal code review process assesses all changes for potential security impact.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Processes within our ISO27001 ISMS assess potential threats to our services.

Information about potential threats is obtained by subscribing to supplier's security notifications or monitoring dependency updates. Security issues are evaluated, and then applied within 24 hours after testing after running a full test suite. An emergency process can be used to patch more quickly if the vulnerability requires faster action.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Full auditing is enabled on all servers, recording all command and access. Logs are shipped to an independent server with separate access controls on a remote network, and analysed for anomalies.

Potential compromises are investigated by preserving all logs and data, then analysing potentially affected systems. Response is immediate to any incident.
Incident management type
Supplier-defined controls
Incident management approach
Haplo's Incident Management Policy details pre-defined processes for how we respond to incidents. Haplo classifies issues relevant to Information Security in 3 categories with different pre-defined processes for each category, reflecting different levels of security implications.

Users should report incidents to our Support Helpdesk either by ticket or telephone. Incidents will also be reported by automatic monitoring systems. Clients are kept informed regularly during the resolution of an incident.

Upon resolution, Haplo generates a report of the causes of the incident, the scope of the breach, and the actions taken, which is shared with the client.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£35000 per instance per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑