Civica UK Limited

Civica CESVotes

CES’ unrivalled expertise in hosted online nominations and voting offers these benefits:
Cost and time savings; helps the environment by reducing the need for paper-based voting.
Responsive engagement with stakeholders in real time, using customisable sites and user journeys. Easy, secure access through CES email.
Voting accuracy, minimising risk, maximising confidence.

Features

  • Mobile-optimised online voting, secure two-code login, auto-populated through CES link
  • Hosted, mobile optimised online nominations platform
  • Email and print voting document distribution
  • Online, postal, telephone and SMS response methods supported
  • Video statements, animated explainers, Q&A, multi-lingual, user reporting, customisable interface
  • Online service usage metrics and analysis
  • Link into customer social media channels
  • Online support tools for end-user
  • Secure data transfer, accredited IT processes with load tested capacity.
  • No additional software necessary

Benefits

  • Save money using online channels
  • Save time using CES fully-managed service as leading UK-elections provider
  • Independent scrutiny and verification including report of voting
  • Drive voter turnout
  • Boost voter engagement and participation
  • Maximise communications reach
  • Quickly review and analyse daily voter turnout
  • User friendly interface
  • Mobile optimised, future proof, sustainable software platform
  • ISO27001, GDPR compliant

Pricing

£5,750 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@civica.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

928817950586305

Contact

Civica UK Limited
Telephone: +44 (0) 3333 214 914
Email: g-cloud@civica.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
None
System requirements
Latest browsers supported (Chrome, Safari, Internet Explorer, Firefox & Edge)

User support

Email or online ticketing support
Email or online ticketing
Support response times
CES responds to service requests (M-F, 9-5) dependent on the type of service issue, to ensure we prioritise the most critical need:
Down time: 5 hours
Software failure: 5 hours
Problem not affecting key functionality: 5 hours
Query: Next working day
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
CES provide a fully managed service, meaning that account, technical and project support is provided to the customer at no extra cost from Monday to Friday, 9am - 5pm.

CES provide end-user support via our dedicated Customer Services team, via email and telephone from Monday to Friday, 9am to 5pm.

Costs for support outside these hours can be provided upon request, as they are assessed on a case by case basis.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
CES provides the user with an easy start to using the service. The process is laid out ahead of the start of works, and the dedicated project manager is on hand for each step in this process:
1) Project initiation meeting - to gather project information and expected outcomes
2) Project set up - ensuring the information is transposed on to our working systems
3) Data and copy work - turning your copy into the voting websites and creating security codes
4) Quality testing - your project manager undertakes checks to ensure your site is as expected
5) User sign off
6) Voting codes dispatched and voting begins

For the end-user the process is quick and simple:
1) Single use security codes are despatched to each member of the voting data set via email (other methods available).
2) The user clicks the link within the email which contains a GUID link. This pre-populates the security code field.
3) Once the user is logged on to the site, there are user guides and video training tools available for their use; this is in addition to the CES Customer Services support team, available by telephone if required.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
There is no data to extract at the end of the contract as the only data we hold is voting data which we can pass back to the customer at the end of each election/ballot (upon request). If the customer does not wish to receive the data back, we will securely destroy the data, by either clear-down on the server or certificated destruction of paper within the CES' data retention policy or as agreed with the customer.
End-of-contract process
At the end of the contract, there are three distinct processes:

1) Project Wrap Up
The project manager will hold a wrap up meeting with the customer to gain feedback on their experience of the service. This then feeds back into future projects with the client, and forms the basis for change analysis in the wider service to ensure we are always meeting our user's needs.

2) Project Invoicing
The project manager prepares a billing report for the invoicing team. This contains the original quoted items, plus any extra items ordered during the project.

3) Data Deletion
As per the customer's instruction, or on CES standard timescales (whichever is the customer's preference), the data for the project is cleared down from the CES server, and any paper-based records are securely destroyed.

There are no extra costs associated with any of these steps. If data destruction certification is required, costs can be provided upon request.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
In order to maximise user engagement CES voting software is optimised for mobile use with no loss of functionality.
Service interface
Yes
Description of service interface
The service interface is an HTML web-based interface that is compatible with all modern browsers for both administration and end users.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
All testing has been carried out by an independent audit association and we have taken their recommendations to enhance our products' accessibility. CES use DACS - https://digitalaccessibilitycentre.org/index.php/user-testing
API
Yes
What users can and can't do using the API
Our API is based on OAuth 2.0 authentication and is only available to organisations who have requested access. Through our API organisations can review details relating to their elections process such as candidate information and cast votes on our platform from their end users. This API is typically used by organisations who want to embed the voting process within their current platforms. The electorate can check their vote has been cast and recorded correctly by visiting our platform.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
CES want to ensure that our products maximise the engagement and reach of your communications. We offer a fully customisable suite of products to suit the needs of your organisation.
The following can be customised:

• Text fonts, sizes and languages
• Page layouts and framing
• Pictures, images (i.e. logos) videos and animated features
• Copy, using suggested wording or as provided by you

The process for customisation is quick and simple:
1) You are provided with a template map which sets out exactly what you need to provide for your site, alongside a test site link so that you can see a CES branded example site as a reference.
2) Once we receive your additional content and copy, CES digital team will build and test your site.
3) Once built you will be provided with a staging link and test codes to review your site.
4) Any changes needed are made prior to your sign off.

All customisation is undertaken in-house using our design and artwork team. We are also able to work with external design houses if you retain one as part of your organisation.

Once sites are live end-users can customise their experience by changing font sizes and contrast.

Scaling

Independence of resources
We have a robust and scalable infrastructure that supports high volumes of users, and our products and services are extensively monitored to proactively support the scaling of the system when required. We use load balancing architecture, regular load testing and optimisation of the system to manage normal concurrent user activity. We also have the ability to quickly scale and set up isolated working environments for “special” projects where electorate size is significant and high response rates are expected, so that normal operations are not affected.

Analytics

Service usage metrics
Yes
Metrics types
CES offers a turnout dashboard which confirms:
- Profiling information – breakdown of turnout by department
- Real time number that have voted
- Breakdown by browsers and device type
- Report the user survey feedback

For an additional charge we can add further analysis categories, dashboards and reporting formats.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Other
Other data at rest protection approach
In accordance with the requirements of the Data Protection Act, data will be held in a secure environment, with access restricted to authorised personnel. Data will be encrypted when at rest using Microsoft TDE, and only used for the purpose of the project. We retain data for as long as contracted, with monthly routines to remove data outside of its retention period.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
• CES facilitates data transfer through a dedicated SharePoint site which can be accessed by all necessary parties. Entry to the SharePoint site is controlled by limiting access to named persons, and password protection.
• As standard CES support 256-bit encryption as requested.
• A complex password of 12-15 characters is advised. The password will be communicated via a different channel.
• All our data transfer processes comply with ISO 27001 standards / GDPR legislation.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The standard core hours are 9am-5pm, Monday to Friday (excluding UK Bank holidays). Access to the service (remote access to data centre, domain names, network connections, IP addresses, hosted software and equipment) during core hours will have an uptime availability of 99.99%.
Approach to resilience
CES take the security of its customer's data very seriously, and robust measures are in place to protect the data centre. Further details are available upon request.
Outage reporting
We have both external and internal monitoring of systems. These systems alert our technical staff by both email and SMS. We also have live monitoring on large screens within our Support teams to highlight any services that are unavailable or have issues that may affect performance.

Identity and authentication

User authentication needed
Yes
User authentication
Other
Other user authentication
Emails containing instructions for voting are sent to users on an agreed date. A unique, single use security code is embedded in a GUID link. Security codes are pre-populated, removing the need to copy and paste codes, or switch between screens.

Requests to replace missing, or misplaced voting information can be made by contacting CES via email or telephone. Codes can be automatically reissued if the email address is within the provided data, by using ‘Where’s my Security Code?’. CES are able to issue reminder emails to users who have not yet voted to boost turnout.
Access restrictions in management interfaces and support channels
Management interfaces are restricted to a small number of personnel and are protected through username and passwords. The majority of our service is a Managed Service where we provide all of the installation and support services related to the elections. Each customer will have access to a Client Advisor who handles all support queries and will only act on behalf of known, authorised individuals as set out in our implementation documentation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
ISOQAR
ISO/IEC 27001 accreditation date
05/09/2019
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • ISO27001

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
In order to provide a wide range of services to public and private sector organisations, Civica maintains an active information security programme. This programme requires regular internal and external audit inspection of both physical and logical data protection structures. The policies and procedures are aligned to ISO 27001 and Cyber Essentials certifications. The reporting and escalation structure begins with the Infrastructure Manager, through the Technical Director and on to the Executive Director. We also have a compliance team that independently and regularly audits our processes and procedures to ensure they are followed.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our Change Management process ensures that all changes are considered, planned, communicated, appropriate and authorised with a clear audit trail of all changes along with roll-back plans if the change should fail for any reason. Our change process documentation has clear sections where we consider the impact on both security and availability of our systems and services to ensure the minimum risk of any changes to our infrastructure and services. Our Security Software Development Lifecycle ensures changes to software are secure by design.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Civica has vulnerability management processes in place for ISO27001. These processes are externally audited on an annual basis to ensure continued compliance.
For external vulnerability scanning, Civica employs the services of an external ‘CHECK’ approved provider to perform an annual penetration test against the external management IP interface. Supporting this, Civica is also certified to the CESG approved Cyber Essentials scheme. For high value financial hosted systems, Civica also maintains a PCI-DSS v3.1 certification. In-scope systems are subject to monthly internal and external vulnerability scans as well as a full penetration test twice a year.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Civica's proactive approach to information security involves a process of continual monitoring/review. As part of a documented risk-assessment methodology to identify/manage information security risks, a dedicated security team updates the risk register monthly. Civica has a network-monitoring solution in place and a full antivirus/anti-malware solution. These technologies check the hosted services for errors/infections/unexpected network traffic and are supported by Cisco IPS/IDS at the perimeter layer. This monitoring service provides defence in depth against compromise by detecting infections/suspicious networking activity within the environment. In addition, our third-party managed SIEM system captures all event logs from our active equipment to monitor any suspicious activity on our networks.
Incident management type
Supplier-defined controls
Incident management approach
Civica's Incident Management process (PRM07) under ISO20000 standards details both the Incident/Service Request Management processes.
The Civica Service Desk manages Service Requests/Incidents/Requests for Change (RFCs) which are logged by e-mail/telephone/web-portal.
Monthly customer reports detail incident information.

Information Security Incidents are reported to the CES Tech-Support-Team Service Desk in accordance with ISO27001.
• Security-related events are investigated.
• Civica's Compliance Team ensures that the incident is recorded on the Incident log.
• Incidents are escalated in-line with GDPR.
• If an incident has occurred, it is raised in the weekly Operations Committee meeting and reviewed at quarterly ISMS management meeting.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5,750 a unit
Discount for educational organisations
No
Free trial available
No
