Tractivity Ltd

Tractivity Stakeholder Management & Consultation Software (CRM/SRMS)

Tractivity is a cloud-based, UK stakeholder engagement tool, providing functionality to manage and engage with all stakeholders through a single system. Whilst maintaining GDPR compliance, Tractivity facilitates the management of every aspect of your engagement process by securely logging communications with built-in tools such as surveys, newsletters and issue management.

Features

  • Record and track all stakeholders and engagements
  • Case management, analysis and reporting
  • Consultation reporting of qualitative and quantitative data
  • Fully customisable and easy to use
  • Built-In survey and newsletter tools
  • Event management
  • Drag and drop custom report facilities
  • Full GDPR Compliance

Benefits

  • Save time and money
  • View all stakeholder interactions across a project, consultation, organisation
  • Effective management of feedback and issues raised
  • Publish branded newsletters and event invitations
  • Custom build surveys and track all responses
  • Real-time reporting
  • Dedicated account manager
  • UK based software

Pricing

£10,000 to £50,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.rutter@tractivity.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

9 3 2 7 7 6 2 5 6 7 3 0 5 1 7

Contact

Tractivity Ltd Mark Rutter
Telephone: 01629815916
Email: mark.rutter@tractivity.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Planned maintenance and emergency maintenance windows are defined within the service contract. Application Service Levels are dependent on client contract.
System requirements
  • Browsers: Chrome, IE10+, Firefox, Edge, Safari
  • Windows 7+

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support offered during normal business hours, the support ticketing system is available online 24/7/365
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AAA
Web chat accessibility testing
None
Onsite support
Yes, at extra cost
Support levels
Tractivity licensing comes with standard support services that can be accessed via telephone, web or email services between Monday to Friday, during normal UK business hours (09:00- 17.30pm GMT (GMT+1)).

A dedicated account manager will be assigned as part of the on-boarding process and they will maintain regular contact with the client. Monthly online refresher training sessions are also available should these be required.

Further onsite support and training may attract an additional charge.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Tractivity provides onsite training to all UK based clients as part of the standard on-boarding process. User documentation is provided for all training sessions. Further on-site follow up and online training sessions can be arranged with the client's dedicated account manager.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Powerpoint
  • Word
End-of-contract data extraction
All data can be extracted from Tractivity by using the reporting facilities in a range of formats such as MS Excel, CSV and XML. Tractivity can also securely provide an encrypted SQL Server (.BAK) file when the contract expires as part of the secure data deletion and service shutdown process.
End-of-contract process
An encrypted SQL Server (.BAK) file is transferred onto an encrypted storage device and sent to the main contact via recorded Royal Mail or courier delivery as defined within the contract.

Upon written confirmation of receipt and decryption of the data the database and backups are subjected to the secure data destruction procedure. Documentation that all the client data has been securely deleted can be provided upon request.

Bespoke data requests can be facilitated and this service will attract an additional charge which will be agreed beforehand with the dedicated account manager.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Tractivity provides a streamlined and dynamic version for Smart phones and tablets
Service interface
Yes
Description of service interface
The API gives clients the ability to add Buildings, Organisations, Contacts, Enquiries and Activities into Tractivity, including the ability to run duplication checks on all record types. Providing complete flexibility, clients can input data into all of the available data fields within Tractivity. Common uses for the API include – Enquiry Forms, Newsletter Sign Up Forms or Registration of Interest Forms.

The API uses industry standard security settings to ensure that all transmitted data is done securely and that all connections are legitimate.
Accessibility standards
WCAG 2.1 A
Accessibility testing
None
API
Yes
What users can and can't do using the API
The API gives clients the ability to add Buildings, Organisations, Contacts, Enquiries and Activities into Tractivity, including the ability to run duplication checks on all record types. Providing complete flexibility, clients can input data into all of the available data fields within Tractivity. Common uses for the API include – Enquiry Forms, Newsletter Sign Up Forms or Registration of Interest Forms.

There is full online documentation about how to implement the API. Contact the Tractivity support desk for further information or customisation.

The API uses industry standard security settings to ensure that all transmitted data is done securely and that all connections are legitimate.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Most of the settings in the software are customisable - data fields, data options and mandatory data field settings can be all controlled (per project) by nominated Administrator level person(s) only.

Scaling

Independence of resources
We use dedicated virtualised servers configured as a private cloud (all held within the UK facilitated through VMWare and vSphere TIER 4 data centre) that are shared with other Tractivity users only, all traffic is segmented and VLANed through a dedicated 1Tb facilitated through 4 diverse independent BGP TIER 1 data carriers. Disk, memory, cpu, server performance and network traffic is monitored 24/7 through our dedicated monitoring services which feeds into our automated escalation service. Client performance issues are monitored as a more granular service by individual client basis.

Analytics

Service usage metrics
Yes
Metrics types
User level service metrics and Project level service metrics
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be exported using our reporting system. All data can be exported in a range of formats including as MS Excel, Word, CSV, PDF, XML or RTF.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XML
  • MS Excel
  • MS Word
Data import formats
  • CSV
  • Other
Other data import formats
MS Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Our datacentre provider guarantee availability:
99.99% at the application level
99.99% at the infrastructure level

If we do not meet the guaranteed levels of availability we negotiate an acceptable outcome in terms of compensation for lost time with individual clients who are directly affected (when required).
Approach to resilience
Datacentres are ISO27001 and PCI DSS compliant and provide TIER 4 (N+N) redundancy for power, supporting services and air conditioning.
At the network level active/passive failover of all connectivity networks. through > 4 diverse BGP TIER 1 data carriers.
IDS /IPS services at primary firewall perimeters
At the application:
- daily digital backups of data stored off-site
- regularly integrity tests of backup data conducted as part of backup process
- active monitoring from diverse location with 24/7 response service
- 24/7 monitoring by security team
- snapshots servers transferred daily to off-site failover
- warm/cold standby servers off site
Outage reporting
Email alerts can be made available to clients upon request.

Internal 24/7 monitoring with alerts and escalation procedure delivered by email and SMS to Systems Administrators

Internal outage escalation and reporting procedure

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Management interfaces are restricted by role access. These restrictions are limited to Administrator level users.

Support channels are generally available to all users through our dedicated UK online facilities.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • The datacentre has ISO27001, ISO28000 and PCI DSS certification
  • Cyber Essentials
  • ISO27001 & ISO28000 (October 2020)
  • Cyber Essentials Plus (July 2020)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Payment Card Industry (PCI DSS) and cyber essentials
Information security policies and processes
We follow the ISO27001 and adhere to PCI DSS recommended standards.
Our Information Security Policy includes awareness, training, monitoring and review. The Information Security Policy document is reviewed annually and disseminated to staff for them to review and confirm annually. Along with supporting documents which include BCP / DR, Data Protection / GDPR, Development Standards, Breach, Secure Data Deletion and Destruction, Firewall and Change Control policies.
All information security policies and process are monitored by our Technical Director and DPO who reports directly to the Board.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We adhere to the ISO27001 change management process standards. Services are tracked through software development policy. The company follows formal policies for backup, anti-mailware, physical security, information security, data handling and change process that complies with the PCI DSS recommended standards. Service Impact and Change Notifications is controlled through email alerts to clients and dates altered by negotiation with the dedicated account manager.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management policy in place.
Operating system patching performed monthly according to the manufacturers recommendations. Emergency patching of critical threats are evaluated by the Technical Director and deployed accordingly, the process is handled through emergency change control procedure.
At least daily threat notifications come from source vendors and recognised security sources which included but is not limited to Microsoft, Sophos, GDS Security, Prism Infosec, Webroot, ICO, PCI DSS council and NCSC.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Regular Windows server and firewall log file review in line with PCI DSS recommendations.
Log file review using heuristic tool.
Perimeter IDS/IPS monitoring.
Identified incidents managed through formal incident response plan according to PCI DSS recommendations.
Priority and resolution speed is dependent upon the incident severity.
Incident management type
Supplier-defined controls
Incident management approach
A formal documented incident and breach management process is in place and adheres to PCI DSS guidance and recommendations and follows IS027001 standards. It also forms part of the documented Information Security Policy which is reviewed and issued to all staff annually.
Users can report incidents via email, helpdesk ticketing system and telephone (when they will be asked to raise a support ticket for tracking purposes).
Incident reports are made available through Tractivity website and a more detailed incident report can be made available to the client by contacting their dedicated account manager.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£10,000 to £50,000 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Access to a full version of the software along with limited support services. Certain features such as emailing and reporting will be restricted.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.rutter@tractivity.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.