Idox Software Limited

Idox Cloud (Tascomi) Public Protection

Public Protection is entirely web-based software providing case management functionality for: Environmental Health, Trading Standards, Licensing, Housing Assistance, Service Requests.
Accessible in any location from any device for true mobile working. It provides: a citizen self-service Online Portal; a suite of RESTful APIs for integration with 3rd party systems.

Features

  • Mobile Working
  • Shared Services
  • Cloud based
  • Remote access
  • Managed Service
  • SaaS delivery model
  • Real-time reporting
  • Online services
  • Agile development methodology
  • Digital transformation

Benefits

  • Digitally transform service provision
  • Enable easy access to online citizen services
  • Work on the move via any mobile device
  • Achieve economies of scale across a Shared Service
  • Managed Service with no support boundaries
  • No requirement for 3rd party solutions
  • No requirement for mobile working extensions
  • ISO 27001 accredited Private Cloud for complete data security
  • Constantly evolving solutions through Agile methodologies
  • Predictable ICT costs with no hidden extras

Pricing

£561.60 a user a year

Service documents

Framework

G-Cloud 12

Service ID

908846322965315

Contact

Idox Software Limited Lucy Holland
Telephone: 0333 011 1200
Email: frameworks@idoxgroup.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
No constraints.
System requirements
Access to a modern web-browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
According to our published SLA (Service Definition) - available on demand.

Our Service Desk is operational Monday to Friday during business hours although requests for support can be logged 24/7.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
According to our published SLA (Service Definition) - available on demand.
Support available to third parties
No

Onboarding and offboarding

Getting started
Our standard implementation package typically includes the following service days:
Project Management (onsite / remote);
Configuration Consultancy;
Training and associated Documentation (onsite / remote);
Data Migration;
Development.

Training will be delivered by one of our experienced trainers, at the Council’s premises - remote training is available if required. Users will be given instructor-led sessions followed up by specific training exercises. It is proposed that training is split by User Roles.

We use the “Train the Trainer” approach – training key System Super-Users to deliver cascade training to their teams. We are open to assessing alternative training delivery options, if required (using the training day allocation).

Training documentation provided to Council staff will be as follows:
product user manuals; training exercises and questionnaires; customised training documentation acting as a workbook for trainees; online help area includes FAQs, videos, user manuals, release notes.

The solution also has a full online product knowledgebase that can be viewed by any authorised user within the system at any time, including out of hours, through the embedded help widget – it is fully searchable.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
If a customer chooses to move to an alternative supplier and requires an extract of the data, we can provide this information in a standard format for a cost of £5,000.

If the data is required in a different format or there is a bespoke requirement with regards to the data extract then effort to meet such requirements will need to be estimated and the work costed accordingly.
End-of-contract process
There is an additional cost at the end of the contract as follows:

If a customer chooses to move to an alternative supplier and requires an extract of the data, we can provide this information in a standard format for a cost of £5,000.

If the data is required in a different format or there is a bespoke requirement with regards to the data extract then effort to meet such requirements will need to be estimated and the work costed accordingly.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The software is mobile by default and built using responsive technology. This enables users to enjoy the same experience regardless of the device in use. We also provide role based mobile apps if required for inspections.
Service interface
Yes
Description of service interface
Web-browser.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Details of testing available on demand. As the solution is fully browser based, it allows the use of assistive technology. The public-facing elements of the proposed solution are W3C compliant, adhering to WCAG 2.1 Level AA.
API
Yes
What users can and can't do using the API
Our solutions are provided with a full suite of RESTful Application Programming Interfaces (APIs) as part of the support and maintenance subscription agreement, enabling straightforward integration with 3rd party systems. We usually carry out these integrations (chargeable) in such a manner that the integration is minimally noticeable to the system user at a technical level, with the integration adopting consistent system workflows and UX features where applicable. Tascomi has 15 years of experience in integrating with Local Government infrastructure through the utilisation of the API described.

APIs are intended to help make the interaction within evolving ICT environments more efficient and user-friendly and will ensure that the Council will remain compatible with the current and future integration requirements associated with the proposed solution - enabling the straightforward push and pull of data to our systems.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The solution is highly configurable – it allows changes to business processes without the need for supplier input – System Administrators or users with the correct permissions can configure many elements of the solution via the Administration module including: Document templates and standard phrases; Communication codes; Enforcement types, applications types, inspection types; GDPR rules; Fees; Workflows and caseload management dashboards; Reports – statutory, user-defined, performance management, data imports and exports; Users accounts and permissions; Online portal services and public registers.

Scaling

Independence of resources
We are highly conscious of how we manage growth, and are committed to ensuring that our quality of service does not decrease as our customer base expands. To this end, we ensure we have adequate resources in place to deliver on the contracts that we secure.

Analytics

Service usage metrics
Yes
Metrics types
Service metrics are detailed within the Service Level Agreement. Details available on demand.
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Details available on demand.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99% during working hours.
Approach to resilience
All data is held within UK data centres. We make use of our own private cloud infrastructure to ensure the data is held and processed in a known location, and is not part of a public cloud or virtual cloud service outside our control.

To provide resilience and availability, we have a secondary data centre with all systems and customer data being continuously replicated. In addition to this, we have nightly snapshots of the database layer, and weekly snapshots of the documents layer to a tertiary location.
Outage reporting
All communication in the event of an availability incident will be to the customer's nominated contacts via our Service Desk – updates will be communicated via the customer portal, email or phone depending on the priority level of the incident.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
System users are authenticated using a username and password. In addition to this, two-factor authentication can be enabled using SMS, with a whitelist of allowed IP addresses so access can be further restricted to trusted networks (this is optional).

Passwords are one-way hashed using a randomly generated salt, and additional complexity rules may be implemented upon request.

Logins are session based, and inactivity will result in the session being terminated, forcing the user to re-authenticate.

We also implement a multi-tiered privilege based user management system to limit access to features such as administration.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
QMS International
ISO/IEC 27001 accreditation date
18/12/2019
What the ISO/IEC 27001 doesn’t cover
N/a
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have an ISO27001 certified Information Security Management System that covers all business functions including but not limited to, information systems, networks, physical environment, incident/threat management, project & contract management and personnel management.

Information security awareness training is conducted to ensure policies are communicated, and ongoing annual internal reviews and audits are conducted to ensure processes are followed.

The system and controls are also externally verified and certified annually as part of the ISO 27001 certification process.

Risks raised through internal and external audits are reviewed at management meetings by the information security manager, the appropriate head of business and a board representative.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes are managed and audited under our ISO policy. All servers have continual monitoring/reporting services installed. Critical logs/files are monitored to protect against unauthorised access, and alerts are sent in the event of changes. Our firewalls employ an adaptive security appliance to automatically detect and act against potential threats such as SYN attacks. We employ a strong level of access control, using industry standard methods, regularly reviewing all accounts to ensure validity. Direct access to the underlying private cloud infrastructure is tightly controlled and regularly reviewed. All connections are monitored. Multiple layers of security are required to gain access.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
To help mitigate against vulnerabilities, our servers are configured to automatically install critical security patches daily. Any lesser vulnerabilities will be reviewed on a case by case basis, as solutions become available, and applied in a timely manner in accordance with our ISO and Cyber Essentials commitments.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
All servers have continual monitoring and reporting services installed. Critical logs and files are monitored to protect against unauthorised access, and alerts are sent in the event of changes (e.g. a new user is added to a server). Our firewalls employ an adaptive security appliance to automatically detect and act against potential threats such as SYN attacks. We also employ a strong level of access control, using industry standard methods, and regularly review all accounts to ensure validity.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Security incident reporting process summary provided below:
Incidents or suspected incidents are raised to the internal service desk and reviewed by the Information Security Manager. They are allocated a risk reference, entered into the information security risk log and tracked until closure. In the case of major incidents, a major incident report will be produced.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£561.60 a user a year
Discount for educational organisations
No
Free trial available
No
