DutySheet Ltd

DutySheet: Online Volunteer Management

DutySheet is the UK's leading volunteer management system. Accessible via any internet enabled device and with its user friendly design, DutySheet allows volunteers to log & manage their shifts, view upcoming events, communicate with colleagues and supervisors, keep their details up to date.

Features

  • Volunteer Management
  • Event Management
  • Communications via Email, Internal Messaging, SMS, Announcements, Event Feedback
  • Skills Database
  • Document Library
  • Expenses
  • Personal Development Plan (PDP)
  • Personal Development Review (PDR)
  • Working Time Regulation Compliance
  • Remote access

Benefits

  • Increased volunteer retention
  • Accurate reporting on volunteer activities
  • Streamlline volunteer management using proven workflows
  • Self service allows volunteers to keep details up to date
  • Plan and manage volunteer deployment
  • Central repository of all volunteer based data
  • Identify areas of improvement through inteligence
  • Central repository of all volunteer based data
  • Mobilise volunteers with ease and speed
  • Comprehensive support

Pricing

£23.92 to £35.07 per user per year

Service documents

Framework

G-Cloud 11

Service ID

9 0 1 6 9 7 5 7 0 8 9 8 5 7 2

Contact

DutySheet Ltd

Matthew Hayes

02035982836

Matt@dutysheet.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
N/A
System requirements
  • Internet connection
  • Web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
See SLA for info.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Access to our UK Telephone helpdesk. We back our 99.95 uptime guarantee with a robust SLA. Maximize your technology investment;
Support from DutySheet experts to ensure early success;
Wealth of knowledge from UK police forces;
DSSG - DutySheet Steering Group Access.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
User data is imported by DutySheet staff who then train all supervisors on the functionalities of the system.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
When requested in writing, DutySheet can provide a full export of all user data in Excel format.
End-of-contract process
Customer system is disabled which blocks access to all users. Data is retained for 12 months unless customer requests otherwise.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Fully responsive mobile app.
Service interface
No
API
Yes
What users can and can't do using the API
The API is not accessible by end users of the system and is only used for mobile App and other external integration processes with DutySheet.
API documentation
Yes
API documentation formats
  • PDF
  • Other
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
Administrators for the organisation have access to tools that allow them to configure most of the settings of the system. They have access to their own help centre section which details how to configure the system.

Scaling

Independence of resources
Our DRS enabled VMWare infrastructure allows us to dynamically increase resources to our service if there is a large surge of activity. This is automatically handled by Vmware.

Analytics

Service usage metrics
Yes
Metrics types
Authorised users have access to real time usage statistics how many users have logged in to the system along with a live view of number of users currently logged in.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Sensitive data is encrypted at rest using AES 256 salted hashing.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
There are built in export tools.
Data export formats
Other
Other data export formats
Excel
Data import formats
Other
Other data import formats
Excel

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
We also follow ISO 27001: 2013 Annex A policies and controls 13 for communications security and 14 System Acquisition Development and Maintenance that address data in transit.

Availability and resilience

Guaranteed availability
Our Commitment:

We understand that any interruption to service is too much. So we've set the bar high because we believe that you should be able to depend on the service you need to run your volunteers. This is why we offer an SLA to organisations that guarantees 99.95% monthly uptime. If you’ve read software SLAs before, you’ll know that they can be pretty confusing. So we made ours simple and transparent.What happens if we fail to hit our target in any given month?

If we don’t meet our 99.95% monthly uptime guarantee, we’ll refund you 5x whatever you paid us for that period of downtime.

If our uptime falls to 99.94% in a given month, that results in about 26 minutes of Downtime. We’ll give you service credits equivalent to 5x your organisations cost for that period of time. Service Credit can’t be exchanged for cash (monetary compensation); it is added as a credit on your account and, as always, we use any credits you have first, before charging you.

Service credits are capped at a maximum of 30 days worth of paid service for your organisation.
Approach to resilience
DutySheet runs a MySQL cluster which uses synchronous replication through a two phase commit to guarantee that data is written to multiple nodes upon commitment. Database updates are synchronously replicated between the cluster members to protect against data loss and fast automatic fail over in the event of node failure.
Outage reporting
Publicly available status updates on website.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Management interfaces are tied to the company network and/or use two factor authentication.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • Police Approved Secure Facilities (PASF)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Police Approved Secure Facilities (PASF); --

We are working towards ISO 27001:2013 so follow all the security policies and controls based on our Statement of Applicability. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.
Information security policies and processes
We are working towards ISO 27001:2013 so follow all the security policies and controls based on our Statement of Applicability. The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also a senior leader. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our secure development, change management, testing and asset management polices are comprehensively documented as part of our ISO 27001:2013 information security management system including in line with Annex A 8 (assets) and 14 (secure development) of ISO 27002 .
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic. We respond with; blocking of source IP addresses, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences via SIRT. Real time monitoring takes place with immediate response for suspicious alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
DutySheet has a comprehensive internal information security incident management policy and its practices follow Annex A 16 for ISO 27001: 2013. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.
Our processes are ready for EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£23.92 to £35.07 per user per year
Discount for educational organisations
No
Free trial available
No

Service documents

Return to top ↑