Civica CESVotes
CES’ unrivalled expertise in hosted online nominations and voting offers these benefits:
Cost and time savings, and help for the environment by reducing the need for paper-based voting.
Responsive engagement with stakeholders in real time, using customisable sites and user journeys. Easy, secure access through CES email.
Voting accuracy, minimising risk, maximising confidence.
Features
- Mobile-optimised online voting, secure two-code login, auto-populated through CES link
- Hosted, mobile optimised online nominations platform
- Email and print voting document distribution
- Online, postal, telephone and SMS response methods supported
- Video statements, animated explainers, Q&A, multi-lingual, user reporting, customisable interface
- Online service usage metrics and analysis
- Link into customer social media channels
- Online support tools for end-user
- Secure data transfer, accredited IT processes with load tested capacity.
- No additional software necessary
Benefits
- Save money using online channels
- Save time using CES fully-managed service as leading UK-elections provider
- Independent scrutiny and verification including report of voting
- Drive voter turnout
- Boost voter engagement and participation
- Maximise communications reach
- Quickly review and analyse daily voter turnout
- User friendly interface
- Mobile optimised, future proof, sustainable software platform
- ISO27001, GDPR compliant
Pricing
£5,750 a unit
Framework
G-Cloud 12
Service ID
928817950586305
Contact
Civica UK Limited
Telephone: +44 (0) 3333 214 914
Email: g-cloud@civica.co.uk
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- None
- System requirements
- Latest browsers supported (Chrome, Safari, Internet Explorer, Firefox & Edge)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
CES responds to service requests (M-F, 9-5) dependent on the type of service issue, to ensure we prioritise the most critical need:
Down time: 5 hours
Software failure: 5 hours
Problem not affecting key functionality: 5 hours
Query: Next working day
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
-
CES provide a fully managed service, meaning that account, technical and project support is provided to the customer at no extra cost from Monday to Friday, 9am - 5pm.
CES provide end-user support via our dedicated Customer Services team, via email and telephone from Monday to Friday, 9am to 5pm.
Costs for support outside these hours can be provided upon request, as they are assessed on a case by case basis.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
CES provides the user with an easy start to using the service. The process is laid out ahead of the start of works, and the dedicated project manager is on hand for each step in this process:
1) Project initiation meeting - to gather project information and expected outcomes
2) Project set up - ensuring the information is transposed on to our working systems
3) Data and copy work - turning your copy into the voting websites and creating security codes
4) Quality testing - your project manager undertakes checks to ensure your site is as expected
5) User sign off
6) Voting codes dispatched and voting begins
For the end-user the process is quick and simple:
1) Single use security codes are despatched to each member of the voting data set via email (other methods available).
2) The user clicks the link within the email which contains a GUID link. This pre-populates the security code field.
3) Once the user is logged on to the site, there are user guides and video training tools available for their use. This is in addition to the CES Customer Services support team, available by telephone if required.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- There is no data to extract at the end of the contract as the only data we hold is voting data, which we can pass back to the customer at the end of each election/ballot (upon request). If the customer does not wish to receive the data back, we will securely destroy the data, by either clear-down on the server or certificated destruction of paper, within CES' data retention policy or as agreed with the customer.
- End-of-contract process
-
At the end of the contract, there are three distinct processes:
1) Project Wrap Up
The project manager will hold a wrap up meeting with the customer to gain feedback on their experience of the service. This then feeds back into future projects with the client, and forms the basis for change analysis in the wider service to ensure we are always meeting our users' needs.
2) Project Invoicing
The project manager prepares a billing report for the invoicing team. This contains the original quoted items, plus any extra items ordered during the project.
3) Data Deletion
As per the customer's instruction, or on CES standard timescales (whichever is the customer's preference), the data for the project is cleared down from the CES server, and any paper based records are securely destroyed.
There are no extra costs associated with any of these steps. If data destruction certification is required, costs can be provided upon request.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 7
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari 9+
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- In order to maximise user engagement CES voting software is optimised for mobile use with no loss of functionality.
- Service interface
- Yes
- Description of service interface
- The service interface is an HTML web-based interface that is compatible with all modern browsers for both administration and end users.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- All testing has been carried out by an independent audit association and we have taken their recommendations to enhance our products' accessibility. CES use DACS - https://digitalaccessibilitycentre.org/index.php/user-testing
- API
- Yes
- What users can and can't do using the API
- Our API is based on OAuth 2.0 authentication and is only available to organisations who have requested access. Through our API organisations can review details relating to their elections process such as candidate information and cast votes on our platform from their end users. This API is typically used by organisations who want to embed the voting process within their current platforms. The electorate can check their vote has been cast and recorded correctly by visiting our platform.
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
CES want to ensure that our products maximise the engagement and reach of your communications. We offer a fully customisable suite of products to suit the needs of your organisation.
The following can be customised:
• Text fonts, sizes and languages
• Page layouts and framing
• Pictures, images (i.e. logos) videos and animated features
• Copy, using suggested wording or as provided by you
The process for customisation is quick and simple:
1) You are provided with a template map which sets out exactly what you need to provide for your site, alongside a test site link so that you can see a CES branded example site as a reference.
2) Once we receive your additional content and copy, CES digital team will build and test your site.
3) Once built you will be provided with a staging link and test codes to review your site.
4) Any changes needed are made prior to your sign off.
All customisation is undertaken in-house using our design and artwork team. We are also able to work with external design houses if you retain one as part of your organisation.
Once sites are live end-users can customise their experience by changing font sizes and contrast.
Scaling
- Independence of resources
- We have a robust and scalable infrastructure that supports high volumes of users, and our products and services are extensively monitored to proactively support the scaling of the system when required. We use load balancing architecture, regular load testing and optimising of the system to manage the normal concurrent user activity. We also have the ability to quickly scale and set up isolated working environments for “special” projects where electorate size is significant and high response rates are expected, so that normal operations are not affected.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
CES offers a turnout dashboard which confirms:
- Profiling information – breakdown of turnout by department
- Real time number that have voted
- Breakdown by browsers and device type
- Report the user survey feedback
For an additional charge we can add further analysis categories, dashboards and reporting formats.
- Reporting types
- Real-time dashboards
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2012
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Other
- Other data at rest protection approach
- In accordance with the requirements of the Data Protection Act, data will be held in a secure environment, with access restricted to authorised personnel. Data will be encrypted when at rest using Microsoft TDE, and only used for the purpose of the project. We retain data for as long as contracted, with monthly routines to remove data outside of its retention period.
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
-
• CES facilitates data transfer through a dedicated SharePoint site which can be accessed by all necessary parties. Entry to the SharePoint site is controlled by limiting access to named persons, and password protection.
• As standard CES support 256-bit encryption as requested.
• A complex password of 12-15 characters is advised. The password will be communicated via a different channel.
• All our data transfer processes comply with ISO 27001 standards / GDPR legislation.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- The standard core hours are 9am-5pm, Monday to Friday (excluding UK Bank holidays). Access to the service (remote access to data centre, domain names, network connections, IP addresses, hosted software and equipment) during core hours will have an uptime availability of 99.99%.
- Approach to resilience
- CES takes the security of its customers' data very seriously, and robust measures are in place to protect the data centre. Further details are available upon request.
- Outage reporting
- We have both external and internal monitoring of systems. These systems alert our technical staff by both email and SMS. We also have live monitoring on large screens within our Support teams to highlight any services that are unavailable or have issues that may affect performance.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Other
- Other user authentication
-
Emails containing instructions for voting are sent to users on an agreed date. A unique, single use security code is embedded in a GUID link. Security codes are pre-populated, removing the need to copy and paste codes, or switch between screens.
Requests to replace missing or misplaced voting information can be made by contacting CES via email or telephone. Codes can be automatically reissued if the email address is within the provided data, by using ‘Where’s my Security Code?’. CES are able to issue reminder emails to users who have not yet voted to boost turnout.
- Access restrictions in management interfaces and support channels
- Management interfaces are restricted to a small number of personnel and are protected through username and passwords. The majority of our service is a Managed Service where we provide all of the installation and support services related to the elections. Each customer will have access to a Client Advisor who handles all support queries and will only act on behalf of known, authorised individuals as set out in our implementation documentation.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users receive audit information on a regular basis
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- ISOQAR
- ISO/IEC 27001 accreditation date
- 05/09/2019
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
-
- Cyber Essentials
- ISO27001
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- In order to provide a wide range of services to public and private sector organisations, Civica maintains an active information security programme. This programme requires regular internal and external audit inspection of both physical and logical data protection structures. The policies and procedures are aligned to ISO 27001 and Cyber Essentials certifications. The reporting and escalation structure begins with the Infrastructure Manager, through the Technical Director and on to the Executive Director. We also have a compliance team that independently and regularly audits our process and procedures to ensure they are followed.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Our Change Management process ensures that all changes are considered, planned, communicated, appropriate and authorised with a clear audit trail of all changes along with roll-back plans if the change should fail for any reason. Our change process documentation has clear sections where we consider the impact on both security and availability of our systems and services to ensure the minimum risk of any changes to our infrastructure and services. Our Security Software Development Lifecycle ensures changes to software are secure by design.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Civica has vulnerability management processes in place for ISO27001. These processes are externally audited on an annual basis to ensure continued compliance.
For external vulnerability scanning, Civica employs the services of an external ‘CHECK’ approved provider to perform an annual penetration test against the external management IP interface. Supporting this, Civica is also certified to the CESG approved Cyber Essentials scheme. For high value financial hosted systems, Civica also maintains a PCI-DSS v3.1 certification. In scope systems are subject to monthly internal and external vulnerability scans as well as a full penetration test twice a year.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Civica's proactive approach to information security involves a process of continual monitoring/review. As part of a documented risk-assessment methodology to identify/manage information security risks, a dedicated security team updates the risk register monthly. Civica has a network-monitoring solution in place and a full antivirus/anti-malware solution. These technologies check the hosted services for errors/infections/unexpected network traffic and are supported by Cisco IPS/IDS at the perimeter layer. This monitoring service provides defence in depth against compromise by detecting infections/suspicious networking activity within the environment. In addition, our 3rd-party managed SIEM system captures all event logs from our active equipment to monitor any suspicious activity on our networks.
- Incident management type
- Supplier-defined controls
- Incident management approach
-
Civica's Incident Management process (PRM07) under ISO20000 standards details both the Incident/Service Request Management processes.
The Civica Service Desk manages Service Requests/Incidents/Requests for Change (RFCs) which are logged by e-mail/telephone/web-portal.
Monthly customer reports detail incident information.
Information Security Incidents are reported to the CES Tech-Support-Team Service Desk in accordance with ISO27001.
• Security-related events are investigated.
• Civica's Compliance Team ensures that the incident is recorded on the Incident log.
• Incidents are escalated in-line with GDPR.
• If an incident has occurred, it is raised in the weekly Operations Committee meeting and reviewed at quarterly ISMS management meeting.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £5,750 a unit
- Discount for educational organisations
- No
- Free trial available
- No