Rhubarb Business Services Limited

NHS Friends and Family Test (FFT) Survey

RHUBAS is a patient satisfaction and experience solution enabling Trusts to deliver enhanced NHS Friends and Family Test (FFT) surveys. By providing omnichannel, multi-language survey solutions with enhanced unique real-time dashboard technology and MI reporting, we put the patients and the Trust at the centre of everything we do.


  • Omnichannel, SMS, iVM, iVR, Web, Telephone, Postal, F2F, Email, Digital
  • Fully automated
  • Real-time reporting/results including KPI measurement
  • Customised reporting and ward/service/patient facing dashboards
  • Multi-language surveys
  • Easy to use, clean UI
  • UK cloud based
  • Collection of patient sentiment and bespoke categorisation criteria
  • Integration of other data sources
  • Inhouse product and software development team


  • Increased patient engagement
  • Reduced internal management costs
  • Live data for proactive decision making for ward/patient services
  • UK only data centres accredited to ISO 27001
  • Colleague engagement through enhanced UI design
  • Inclusiveness through multi-language
  • Focused on what's important for your Trust, patients and services
  • Voice of customer feedback
  • KPI measurement
  • Clean UI; simple, easy to use and understand


£0.0385 per transaction

  • Free trial available

Service documents

G-Cloud 9


Rhubarb Business Services Limited

Paul Tidey



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements
  • Internet connection through a PC or mobile, tablet device
  • PC, mobile or tablet device running a supported browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Monday - Friday 09:00 - 18:00
P1: Response within 30 minutes
P2: Response within 60 minutes
P3: Response within 120 minutes
P4: Response within 3 business days

Out of hours
P1: Response within 60 minutes
P2: Response within 120 minutes
P3: Response next business day
P4: Response within 3-5 business days
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels Complimentary support is provided free of charge to all Trusts via email or telephone.

Onsite training/knowledge share is chargeable on a daily rate plus VAT, subsistence and expenses.

All customers have dedicated access to their account manager and product support team.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a) onsite training and user documentation; b) full support during go-live and then ongoing support through our service desk
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Data extraction will be available a) via API or b) an agreed data template
End-of-contract process Raw data download is included in the price of the contract; all other services will be chargeable as this will be classed as 'bespoke' requirements

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Users will see a variation in the UI for mobile from that of our desktop design.
Accessibility standards None or don’t know
Description of accessibility Users with accessibility requirements can currently view dashboards. Our solution will meet WCAG 2.0 AA standards by the end Q4 2017.
Accessibility testing This will be part of our release in Q4 2017
What users can and can't do using the API The secure Web API is used to send and retreive data from RHUBAS. Functionality includes a) schedule surveys or post survey data; b) get data/results and analysis and c) listen to customer feedback. Our API is very flexible to achieve customer requirements
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation A) Survey workflows; b) reporting/dashboard displays; c) alerts/notifications


Independence of resources Cloud-based resources which are highly scalable, resilient and system usage is regularly monitored and capacity will be increased as required


Service usage metrics Yes
Metrics types As part of our security standards and practices, RHUBAS has a full audit trail which can be used to provide service usage including a) user activity; b) user login activity; c) system latency and d) data volumes.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach MI/Reporting functionality is provided in RHUBAS and can be customised for unique requirements
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • Json

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Private VPN network from local office to cloud provider; access restricted by IP address, username and password

Availability and resilience

Availability and resilience
Guaranteed availability RHUBAS uptime SLA is 99.5%
Failure to meet 99.5% will result in users being offered a service credit.
Approach to resilience This information is available on request.

Our cloud provider has 8 UK based data centres which are owned and managed by the provider. ISO 9001 & ISO 27001 certified. Each UK data centre is built using industry-leading infrastructure, is N+ in design and is safe, secure and staffed 24 x 7.
Outage reporting We automatically alert users of our service to any outage by email. Users also have access to our service desk ticketing system to raise any incidents/service requests

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Users are assigned configurable roles and permissions to limit or allow access to functionality within the solution.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • ISO 9001:2015 Quality Management - BSI Issued (FS648365)
  • ISO 27001:2013 Information Security Management - Currently working towards certification
  • Cyber Essentials - Currently working towards
  • ISO 27001:2013 - iomart - Cloud hosting services provider
  • Various security accreditations - iomart - Cloud hosting services provider

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards Other
Other security governance standards Rhubarb Business Services is certified to ISO9001:2015 standards and we have plans to be certified to ISO27001 in due course.

RHUBAS is hosted in data centres which are UK based and certified to ISO9001 and ISO27001
Information security policies and processes - Unique username and password; with the option of 2-factor authentication
- Password hashing and salt value
- Account expiry and deactivation
- Account lockout
- IP address and users tracking
- SSL secure connection
- Support modern browsers
- Patches/updates are automatically applied to servers
- Limited access to cloud-based servers including lockdown on IP address

Policies, procedures, workflows and work instructions are managed as part of our ISO9001:2015 Quality Management Standards

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach New features, bugs, enhancements and change requests are recorded and tracked in an issue and project tracking software tool. We implement an agile sofware development lifecycle (SDLC) within a scrum environment. We follow industry standards around security and data protection to measure risk and impact; assessing each request on an individual basis for potential security concerns.
Vulnerability management type Supplier-defined controls
Vulnerability management approach - Servers are automatically updated when a patch is available
- Monthly release cycle
- Emergency releases as required
- Active news feeds and alerts
- Cloud services network monitoring, news feeds and alerts
Protective monitoring type Supplier-defined controls
Protective monitoring approach - Full audit logs of system activity including IP address capture
- Logs are analysed at regular individuals and appropriate action taken (if required)
- Respond immediately when incidents are identified
- Monitor server activity on a regular basis
Incident management type Supplier-defined controls
Incident management approach Users report incidents via our service desk and these are logged, prioritised, tracked and actioned as required. RCAs are produced for an outage and any corrective actions are tracked within our ISO 9001:2015 QMS.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.0385 per transaction
Discount for educational organisations No
Free trial available Yes
Description of free trial Included
- 2 question SMS/Online survey; maximum of 500 surveys
- Example dashboard(s)
- Valid for 1 month

Isn't included
- Detailed reporting
- Customisation
- Omnichannel


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑