Idox Software Limited

Idox Cloud (Tascomi) Public Protection

Public Protection is entirely web-based software providing case management functionality for: Environmental Health, Trading Standards, Licensing, Housing Assistance, Service Requests.
Accessible in any location from any device for true mobile working. It provides: a citizen self-service Online Portal; a suite of RESTful APIs for integration with 3rd party systems.

Features

• Mobile Working
• Shared Services
• Cloud based
• Remote access
• Managed Service
• SaaS delivery model
• Real-time reporting
• Online services
• Agile development methodology
• Digital transformation

Benefits

• Digitally transform service provision
• Enable easy access to online citizen services
• Work on the move via any mobile device
• Achieve economies of scale across a Shared Service
• Managed Service with no support boundaries
• No requirement for 3rd party solutions
• No requirement for mobile working extensions
• ISO 27001 accredited Private Cloud for complete data security
• Constantly evolving solutions through Agile methodologies
• Predictable ICT costs with no hidden extras

£561.60 a user a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Framework

G-Cloud 12

Service ID

908846322965315

Contact

Lucy Holland
0333 011 1200
frameworks@idoxgroup.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No constraints.
• System requirements: Access to a modern web-browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: According to our published SLA (Service Definition) - available on demand. ; ; Our Service Desk is operational Monday to Friday during business hours although requests for support can be logged 24/7.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: According to our published SLA (Service Definition) - available on demand.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Our standard implementation package typically includes the following service days: ; Project Management (onsite / remote); ; Configuration Consultancy; ; Training and associated Documentation (onsite / remote);; Data Migration;; Development. ; ; Training will be delivered by one of our experienced trainers, at the Council’s premises - remote training is available if required. Users will be given instructor-led sessions followed up by specific training exercises. It is proposed that training is split by User Roles. ; ; We use the “Train the Trainer” approach – training key System Super-Users to deliver cascade training to their teams. We are open to assessing alternative training delivery options, if required (using the training day allocation). ; ; Training documentation provided to Council staff will be as follows: ; product user manuals; training exercises and questionnaires; customised training documentation acting as a workbook for trainees; online help area includes FAQs, videos, user manuals, release notes. ; ; The solution also has a full online product knowledgebase that can be viewed by any authorised user within the system at any time, including out of hours, through the embedded help widget – it is fully searchable.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: If a customer chooses to move to an alternative supplier and requires an extract of the data, We can provide this information in a standard format for a cost of £5,000. ; ; If the data is required in a different format or there is a bespoke requirement with regards to the data extract then effort to meet such requirements will need to be estimated and the work costed accordingly.
• End-of-contract process: There is an additional cost at the end of the contract as follows: ; ; If a customer chooses to move to an alternative supplier and requires an extract of the data, we can provide this information in a standard format for a cost of £5,000. ; ; If the data is required in a different format or there is a bespoke requirement with regards to the data extract then effort to meet such requirements will need to be estimated and the work costed accordingly.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The software is mobile by default and built using responsive technology. This enables users to enjoy the same experience regardless of the device in use. We also provide role based mobile apps if required for inspections.
• Service interface: Yes
• Description of service interface: Web-browser.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Details of testing available on demand. As the solution is fully browser based it will allow the use of assistive technology. The public facing elements of the proposed solution are WC3 compliant adhering to WCAG 2.1 AA Level.
• API: Yes
• What users can and can't do using the API: Our solutions are provided with a full suite of RESTful Application Programming Interfaces (APIs) as part of the support and maintenance subscription agreement, enabling straight-forward integration with 3rd party systems. WE usually carry out these integrations (chargeable) in such a manner that the integration is minimally noticeable to the system user at a technical level, with the integration adopting consistent system workflows and UX features where applicable. Tascomi has 15 years of experience in integrating with Local Government infrastructure through the utilisation of the API described. ; ; APIs are intended to help make the interaction within evolving ICT environments more efficient and user-friendly and will ensure that the Council will remain compatible with the current and future integration requirements associated with the proposed solution - enabling the straightforward push and pull of data to our systems.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The solution is highly configurable – it allows changes to business processes without the need for supplier input – System Administrators or users with the correct permissions can configure many elements of the solution via the Administration module including: Document templates and standard phrases; Communication codes; Enforcement types, applications types, inspection types; GDPR rules; Fees; Workflows and caseload management dashboards; Reports – statutory, user-defined, performance management, data imports and exports; Users accounts and permissions; Online portal services and public registers.

Scaling

• Independence of resources: We are significantly conscious of our management of growth, and are committed to ensuring that our quality of service does not decrease as our customer base expands. To this end, we ensure we have adequate resources in place to deliver on the contracts that we secure.

Analytics

• Service usage metrics: Yes
• Metrics types: Service metrics are detailed within the Service Level Agreement. Details available on demand.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Details available on demand.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99% during working hours.
• Approach to resilience: All data is held within UK data centres. We make use of our own private cloud infrastructure to ensure the data is held and processed in a known location, and is not part of a public cloud or virtual cloud service outside our control. ; ; To provide resilience and availability, we have a secondary data centre with all systems and customer data being continuously replicated. In addition to this, we have nightly snapshots of the database layer, and weekly snapshots of the documents layer to a tertiary location.
• Outage reporting: All communication in the event of an availability incident will be to the customer's nominated contacts via our Service Desk – updates will be communicated via the customer portal, email or phone depending on the priority level of the incident.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: System users are authenticated using a username and password. In addition to this, two factor authentication can be enabled using SMS, with a whitelist of allowed IP addresses so access can be further restricted to trusted networks (this is optional). ; ; Passwords are one way hashed using a randomly generated salt, and additional complexity rules may be implemented upon request. ; ; Logins are session based, and inactivity will result in the session being terminated, forcing the user to re-authenticate. ; ; We also implement a multi-tiered privilege based user management system to limit access to features such as administration.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: 18/12/2019
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have an ISO27001 certified Information Security Management System that covers all business functions including but not limited to, information systems, networks, physical environment, incident/threat management, project & contract management and personnel management. ; ; Information security awareness training is conducted to ensure policies are communicated and ongoing annual internal reviews and auditing is conducted to ensure processes are followed. ; ; The system and controls are also externally verified an certified annually as part of the ISO 27001 certification process. ; ; Risks raised through internal and external audits are reviewed at management meetings by the information security manager, the appropriate head of business and a board representative.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes are managed and audited under our ISO policy. All servers have continual monitoring/reporting services installed. Critical logs/files are monitored to protect against unauthorised access, and alerts sent in the event of changes. Our firewalls employ an adaptive security appliance to automatically detect and act against potential threats such as syn attacks. We employ a strong level of access control, using industry standard methods, regularly reviewing all accounts to ensure validity. Direct access to the underlying private cloud infrastructure is tightly controlled and regularly reviewed. All connections are monitored. Multiple layers of security are required to gain access.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: To help mitigate against vulnerabilities, our servers are configured to automatically install critical security patches daily. Any lesser vulnerabilities will be reviewed on a case by case basis, as solutions become available, and applied in a timely manner in accordance with our ISO and Cyber Essentials commitments.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: All servers have continual monitoring and reporting services installed. Critical logs and files are monitored to protect against unauthorised access, and alerts sent in the event of changes (e.g. a new user is added to a server). Our firewalls employ an adaptive security appliance to automatically detect and act against potential threats such as syn attacks. We also employ a strong level of access control, using industry standard methods, and regularly review all accounts to ensure validity.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Security incident reporting process summary provided below: ; Incidents or suspected incidents are raised to internal service desk and reviewed by the Information Security Manager. They are allocated a risk reference, entered into the information security risk log and tracked until closure. In the case of major incidents a major incident report will be produced.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £561.60 a user a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF