Capita Business Services Limited

One Digital Forms and Contact Manager

An intuitive and flexible forms solution, enabling the digital capture and processing of data. Creating highly configurable web forms, including powerful workflow, that engage customers in an integrated end-to-end process. The integrated Contact Management solution provides a single view of customer engagement, allowing users to assist customers with digital processes.

Features

  • A highly flexible, rapid form creation and workflow configuration tool.
  • Contact management with document upload and viewer for uploaded attachments.
  • Automated document production and messaging services (SMS, email, etc).
  • Sophisticated workflow, enabling task automation and configuration of business logic.
  • Handles multi-party processes where multiple authorisations are required.
  • Seeding of answers between forms providing pre-population of data.
  • Flexible Job Scheduler for automated processing.
  • Single view contact management with an assisted digital function.
  • Management information, dashboards and reporting.
  • Full integration to Capita’s One Digital Portal solution (sold separately).

Benefits

  • Reduce operating cost–powerful automation and configuration of workflow processes.
  • Quick return on investment–rapid, simple form and process creation.
  • Highly secure–penetration tested and designed to secure data appropriately.
  • Highly flexible platform design–any sector, any business, any department.
  • Deliver with agility–simply create, build and adjust forms/ workflow.
  • Reduced infrastructure costs–fully hosted solution, with upgrades and patching.
  • Improve customer experience–forms pre-populated; video and webchat capability
  • Create single views of digital engagement with integrated contact management.
  • Increase take-up; workflow creates accounts in One Digital Portal.
  • Increase accessibility–mobile responsive and device agnostic–HTML5/Bootstrap framework.

Pricing

£5,067 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at engagewithus@capita.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

9 6 8 2 9 3 2 1 8 1 3 2 4 7 7

Contact

Capita Business Services Limited Capita Business Services Ltd
Telephone: 08702407341
Email: engagewithus@capita.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The service provides an end-to-end digital platform, enabling organisations to deliver exceptional customer service. One Digital Enterprise incorporates both the One Digital Portal and One Digital Forms and Contact Manager solutions. These individual components are all available via G-Cloud.
Cloud deployment model
Public cloud
Service constraints
One Digital Forms (public-facing) shall provide at least 99.5% availability during scheduled operating hours, defined as 24 hours a day, 365 days a year, excluding scheduled downtime. One Digital Contact Manager (internal-facing) shall provide at least 99.0% availability during supported office hours, defined as 08:00 – 18:00 Monday to Friday, excluding English public holidays and scheduled downtime.

Scheduled downtime covers tasks including, but not limited to, new releases (software upgrades) and server patching. In cases of unscheduled downtime for emergency changes, we will endeavour but cannot guarantee to complete work outside normal office hours (09:00 – 17:30 Monday to Friday).
System requirements
N/A

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times apply Monday – Friday, 08:00 – 18:00.

High Severity: day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one working hour and, whenever possible, provide a solution/ advise how quickly a solution will be available.

Medium Severity: day-to-day work can be continued but there is still a requirement for a speedy resolution. We aim to respond within four working hours.

Low Severity: day-to-day work can be continued but the problem is minor. We aim to respond within two working days.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Help Desk requests are logged on a call tracking system and dealt with in priority and severity order. The Help Desk is operated Monday–Friday, 08:00–18:00.

Requests are logged online, with online/ email/ telephone follow-up.

24/7 Platform Availability Monitoring and fix of ‘site down’ P1 incidents.

High Severity: day-to-day work cannot be continued or assistance needed to meet business-critical deadlines. We aim to respond within one hour. Resolution: continuous monitoring and customer updating until the fault is resolved, which we aim to be within four hours.

Medium Severity: day-to-day work can be continued but there’s a requirement for speedy resolution. We aim to respond within four working hours. Resolution: whenever possible, a solution will be given or we will advise how quickly a solution will be available, within eight hours.

Low Severity: day-to-day work can be continued and the problem is minor. We aim to respond within two working days. Resolution: whenever possible, a solution will be given or we will advise how quickly a solution will be available, within five working days.

A Technical Account Manager is available via standard escalation procedures within our Service Charter.

The standard level of support is included with the monthly service charge.
Support available to third parties
No

Onboarding and offboarding

Getting started
Onboarding to One Digital Forms and Contact Manager can be a very swift process and delivered within any reasonable timescale, varying accordingly to project dependencies and deliverables. Once requirements have been analysed and configuration of the required forms and workflow has been completed, on-site training will be delivered, supported by a comprehensive set of user documentation. This documentation is updated in line with each release of the software and is provided in PDF format. All user acceptance testing (UAT) will be carried out in the One Digital pre-production environment. Completing UAT will be undertaken by customer employees while feeding back any reported issues and having a regular dialogue with our teams to prioritise such issues and plan for resolutions. The UAT stage will include a nominated contact within Capita for reporting any such issues. Once the UAT stage has been completed within the pre-production environment and the solution has been signed off, deployment to the production environment will commence, along with Go Live activities.
To support the onboarding process, Capita can provide a range of services, including Project Management, Business Analysis, Technical Consultancy and Business/ Training Consultancy.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
The data extraction format may be via standard methods such as CSV, SQL database extract or XML. At the end of the Contract, Capita and the buyer will determine the most appropriate method of data extraction depending upon the buyer’s specific requirements and availability.
End-of-contract process
At the end of the Contract, Capita and the buyer will determine the most appropriate method of data extraction depending upon the buyer’s specific requirements and availability. This process will be fully scoped and project managed with Capita’s technical employees. Any cost associated with end of Contract activity will be provided as scoped.

All customer data is managed in clearly segregated data stores. Upon withdrawal from our cloud service, all data will be securely deleted from our infrastructure. This includes all secondary data sources, such as backups.

The deletion is enforced by the Microsoft Azure Cloud Platform. Microsoft implements security controls which ensure no unauthorised access to deleted data and, ultimately, secure wiping or physical destruction of the storage hardware when it is de-commissioned from service.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
One Digital Forms provides a fully mobile-responsive user interface which renders appropriately to the screen size of the device being used. The solution can be utilised on a mobile device just as it would on a desktop. We recognise that mobile browsing is now becoming the dominant method for accessing the web and our platform supports this fully. No special configuration or styling is required. HTML5 and the Bootstrap framework are utilised to enable this device-agnostic user interface.

One Digital Contact Manager is a back office solution and therefore not seen as being required to be responsive on mobile devices.
Service interface
Yes
Description of service interface
The service interface is browser-based. One Digital Forms are fully configurable and customisable. Form themes can be designed and applied, so that each form displays a similar ‘look and feel’ to the main website. This includes headers and footers, with the option to apply a target URL to header images. The One Digital Contact Manager is a back office solution and therefore not seen as being required to be customisable in the same way as the public-facing One Digital Forms and One Digital Portal. It does, however, include many functions which are controlled through a comprehensive set of user-based permissions.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Accessibility is considered at every stage of design and development of the One Digital platform. Our solution meets the current requirements of the WCAG 2.0 guidance to AA standard and we regularly test all the One Digital components to ensure this standard is maintained as new features are added to the solution. We believe our platform is accessible to those with differing needs and it supports assistive technologies, such as screen readers used by those with sight problems.

One Digital meets the requirements for compliance to the following standards:
- WCAG 2.0 guidance to AA standard
- British Standard 8878:2010 – Web Accessibility – Code of Practice
- ISO 9241 Ergonomics of Human-System Interaction.
API
Yes
What users can and can't do using the API
Web services available as part of the One Digital platform are, where appropriate, embedded within One Digital Forms, utilising the powerful workflow component. They are utilised to either retrieve information from back office One Digital systems, to assist the citizen in completing their application or to update the back office systems on successful submission of a form.

These web services can be provided in isolation and integrated with alternative, third party solutions.

Further information on the content of the API and how it is implemented is available on request.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Branding and styling the One Digital platform does not require any development expertise at all. Form themes can be created and configured, allowing customisation of the colour scheme (buttons, text colour, font size, etc) and logos.

Users with the appropriate permissions can create and then customise the forms to meet their local requirements. This includes adding or amending introductory text and form hints, updating existing questions, adding new questions and updating qualifying criteria. Where relevant, all such updates are made within the boundaries necessary for a successful submission and for back office integration.

All form customisation is undertaken within the username and password protected One Digital System Administration Module.

Scaling

Independence of resources
We enforce segregation and prevent cross contamination using multiple layers of network segregation, including a dedicated subnet per customer, secure namespaces and encrypted overlay VXLAN-based virtual networks per customer. This means that other instances cannot have a negative impact on each other.

The solution has automatic elastic scalability built in – it scales resources responding to unforeseen spikes of usage to protect the customer user experience. Additionally, Capita will work with customers to predict and plan for known events that will require extra resources or capacity.

Analytics

Service usage metrics
Yes
Metrics types
Analytics are provided in the form of a Reporting Module, accessible to non-technical users. These reports detail platform usage in terms of registered users and linked services or transactions completed. Reports on the successful completion and drop-out rates of forms are also provided.

Third party software, such as Google Analytics and GovMetric can also easily be incorporated into the solution to provide details on user interactions and where users of the digital channel are focusing their time.

Additionally, a monthly report will be provided detailing the status of the system against availability targets.
Reporting types
Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
All customer data within the Secure Capita One Cloud is isolated and encrypted at rest through 256-bit AES encryption. Symmetric encryption using a multiple key hierarchy is used to encrypt and decrypt this data.

Access to customer data is restricted based on business need and by role-based access control, multifactor authentication and minimising standing access to data. Data encryption keys are created and controlled by Capita.

Microsoft cannot access customer data. Microsoft Azure is the hosting service which provides the underlying highly resilient and secure data centres, physical hardware, networks and services that underpin the Secure Capita One Cloud.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Within the System Administrator Module, extracts of data are available mainly in CSV or XML format. As part of the implementation for a customer any data extract requirements are identified and the relevant routines developed. We also provide reporting using MS SSRS, both predefined and ad hoc. This allows the export of data in CSV, XML, PDF, MS Word and MS Excel formats.

The Contact Manager includes a Data Extract function, which can be run to generate an XML file containing full details of any contact record.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
  • MS Word
  • MS Excel
Data import formats
Other
Other data import formats
MS Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
All data in transit between the Customer and the Secure Capita One Cloud is secured and encrypted. Data in transit to/from our SaaS is secured by the following methods:
•Website traffic accessed via a browser is HTTPS only, encrypted and secured with SHA-2 x 509 certificates.
•Rich client application access via HTTPS and secure RDP encrypted to 128-bit.
•Restricted features for specific back office employees/ roles can be secured to be only accessible via an Internet Protocol Security (IPSEC) VPN tunnel meeting FIPS 140/2 standards.
•Secure integrations facilitated by an Internet Protocol Security (IPSEC) VPN tunnel meeting FIPS 140/2 standards.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
The hosting platforms are designed to be compliant with the UK Government Cloud Security Principles and are tested annually for defects against this standard. We use TLS1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA-256-bit encryption. All backup data and secure keys backed up between the two Microsoft UK regions are secured and encrypted in transit.

Availability and resilience

Guaranteed availability
Capita's SaaS is built to run 24/7 but is optimised for high availability and performance during core hours.

For public-facing portals, the service shall provide at least 99.5% availability 24 hours a day, 7 days per week, 365 days per year, excluding scheduled maintenance.

For the internal-facing application, the service shall provide at least 99.5% availability during supported office hours, which is defined as 08:00 – 18:00, Monday – Friday, excluding English public holidays and scheduled maintenance.

The scheduled maintenance will cover tasks including, but not limited to:
• New releases (software upgrades) and server patching. Not all maintenance will require downtime.
• In addition to any scheduled maintenance, there will be occasions where Capita is required to initiate unscheduled downtime for emergency changes. In exceptional cases when emergency changes are required, we will endeavour but cannot guarantee to complete this work outside of the core normal office hours.
• Monthly schedules of planned downtime published in advance.

The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
Approach to resilience
Capita’s SaaS is made up of a set of virtualised, containerised components that rely on specific Infrastructure as a Service and Platform as a Service features of Microsoft Azure, configured and optimised to make up the Secure Capita One Cloud. The Secure Capita One Cloud only uses resources that are a commodity, highly available and easy to bring up, scale and configure on-demand.

Each dedicated customer instance will live within the Secure Capita One Cloud within one of the two UK Microsoft Azure regions (UK South and UK West). Within each region we are using highly available and highly resilient services with no single points of failure. Microsoft Azure Tier 3 data centres are highly resilient and secure.
•Automated backups of all databases, data and configuration to support RPO and RTO targets.
•Backups are written to disk immediately within region.
•Backups are automatically copied to the second region to protect from region-wide issues.
•Unique security keys for each customer are written into both regions to protect from region-wide issues.
•Data Recovery processes tested regularly.
•Complete Disaster Recovery testing performed regularly.
•Application components are built from golden images and can be spun up easily.

More information available on request.
Outage reporting
The solution is a SaaS-based offering and, as such, the monitoring of system availability, resource utilisation, etc, are performed as part of the managed service by Capita. These real-time processes are not normally made available to the end user. All incident management type events and activities are recorded within our CRM and accessed via the customer portal.

Identity and authentication

User authentication needed
Yes
User authentication
  • Username or password
  • Other
Other user authentication
Access to the One Digital Contact Manager is by username and password.

Where One Digital Forms are accessed via users registered on the One Digital Portal or authenticated against services available on the portal, access can be provided by two-factor authentication (portal), username and password (portal), online authorisation (authenticated services) or PIN (authenticated services). Please see our entry on G-Cloud for the One Digital Portal for further details.
Access restrictions in management interfaces and support channels
Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.

Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Help Desk are encouraged to register on the support portal. If customers contact us by telephone or email, their details are matched to an existing registration.

The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees. We have reduced risk by giving no data access via cloud service management. All access is audited and only granted on a need basis.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau.
ISO/IEC 27001 accreditation date
05/12/2018
What the ISO/IEC 27001 doesn’t cover
Our ISO 27001 Certification Scope only covers the hosted environment as offered on G-Cloud.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Security Essentials.

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
Our cloud service provider complies with many standards, including CSA CCM v3.0, ISO/ IEC 27018, ISO/ IEC27001, UK Cyber Essentials PLUS.

Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls. Capita has UK Cyber Essentials certification.

Further details are available upon request.
Information security policies and processes
As part of Capita Business Services, we work to policies and standards that are aligned with ISO 27001, these are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when employees complete their annual training they agree to comply with both Group and Business Unit Level policies.

Information Security employees as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.

Information Security is dealt with at all levels of the business including at the Business Unit, Divisional Unit and Capita Group.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
As part of the ISO 27001 Accredited ISMS, we have a defined and documented change control process. At the core of this change control process is an assessment on all areas of the system, including security. If the risk to security is deemed to be high, it is assessed by Information Security. All change requests are stored on a CRM system and as part of our ISO 27001 audit schedule are randomly checked to ensure accurate record-keeping is maintained and the process followed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We employ a market-leading AVS tool that is scheduled to run regularly. These results are then fed into the ongoing threat assessment and management program. Patching is completed on a scheduled basis and any failures are identified by the AVS and raised. Out of cycle patches are risk assessed and scheduled, if required they could be in place within less than 24 hours. Capita subscribes to multiple information sources for threats including CISP and ISF. In addition, Information Security regularly reviews other public and private websites for threat information.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The platform uses a system that was designed to comply with GPG13. Events are categorised and events that have been flagged for review are reviewed daily. In addition, the information is stored with controlled access for investigations.
Incident management type
Supplier-defined controls
Incident management approach
We have a defined, approved and tested Incident Management process forming part of our ISO 27001 accredited ISMS. The process has a list of example incidents that are designed to cover a wide range of scenarios. All employees are made aware of the incident reporting process and randomly tested for effectiveness.

Incident reports will be passed to relevant customers if there has been an impact to their environment or data.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5,067 an instance a month
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at engagewithus@capita.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.