Rhubarb Business Services Limited

Friends & Family Test (FFT); Patient Experience, Satisfaction and Feedback Survey Platform

Everyone has a voice. Our multi-channel (email, SMS, online, telephone, tablet, kiosk and paper) customer and engagement platform helps to engage and connect patients, customers and service users. Offering multi-language FFT, patient experience, satisfaction and feedback surveys with enhanced real-time dashboards and sentiment analysis.


  • Real-time results, feedback, insight and sentiment analysis
  • Multi-channel; email, SMS, iVM, Online, Telephone, Postal, F2F & Tablet/Kiosk
  • Real-time red flags for safety issues
  • Customise dashboards, reports, colours, fonts and more
  • Create surveys in multiple languages - supports all languages
  • Staff engagement with a simple and easy to use UI
  • Service accessible via all modern browsers


  • Personalisation to support increased participation
  • ROI through significant resource savings through automated processes
  • Live data for proactive decision making for ward/patient services
  • Unlimited and £FOC to send survey invites by email
  • Unlimited responses/completes £FOC
  • Focused on what's important for the Trust, patients and services
  • Data stored in UK locations which are ISO 27001 certified
  • All data is encrypted during transit and at rest
  • UK-based support via telephone, email and support ticket portal
  • Quarterly penetration tests carried out


£8995 per licence per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

9 9 2 5 8 8 1 4 2 9 4 2 5 2 3


Rhubarb Business Services Limited

Paul Tidey



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints None
System requirements
  • Internet connection through a PC or mobile, tablet device
  • PC, mobile or tablet device running a supported browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times P1 - 1 business hour
P2 - 2 business hours
P3 - 4 business hours
P4 - Next business day
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Access is available from our website
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels Complimentary support is available through chat, email, phone and support portal. For strategic accounts, direct access is provided to account management, product management and customer experience colleagues.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a) onsite training and user documentation; b) full support during go-live and then ongoing support through our support team.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Microsoft Word
  • Microsoft Excel
End-of-contract data extraction Data extraction will be available a) via API or b) an agreed data template
End-of-contract process Raw data download is included in the price of the contract; all other services will be chargeable as this will be classed as 'bespoke' requirements

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Users will see a variation in the UI for mobile from that of our desktop design.
Service interface No
What users can and can't do using the API The secure Web API is used to send and retrieve data from RHUBAS. Functionality includes a) schedule surveys or post survey data; b) get data/results and analysis and c) listen to customer feedback. Our API is very flexible to achieve customer requirements
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation A) Survey workflows; b) reporting/dashboard displays; c) alerts/notifications


Independence of resources Cloud-based resources which are highly scalable, resilient and system usage is regularly monitored and capacity will be increased as required


Service usage metrics Yes
Metrics types As part of our security standards and practices, RHUBAS has a full audit trail which can be used to provide service usage including a) user activity; b) user login activity; c) system latency and d) data volumes.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach MI/Reporting functionality is provided in our platform and can be customised for unique requirements
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • Json

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Private VPN network from local office to cloud provider; access restricted by IP address, username and password

Availability and resilience

Availability and resilience
Guaranteed availability Uptime SLA is 99.5%
Failure to meet 99.5% will result in users being offered a service credit.
Approach to resilience This information is available on request.

Our cloud provider has 8 UK based data centres which are owned and managed by the provider. ISO 9001 & ISO 27001 certified. Each UK data centre is built using industry-leading infrastructure, is N+ in design and is safe, secure and staffed 24 x 7.
Outage reporting We automatically alert users of our service to any outage by email. Users also have access to our ticketing portal to raise any incidents/service requests

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Users are assigned configurable roles and permissions to limit or allow access to functionality within the solution.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 9001:2015 Quality Management - BSI Issued (FS648365)
  • ISO 27001:2013 Information Security Management - Currently working towards certification
  • Cyber Essentials - Currently working towards
  • ISO 27001:2013 - iomart - Cloud hosting services provider
  • Various security accreditations - iomart - Cloud hosting services provider

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Rhubarb Business Services is certified to ISO9001:2015 standards; in the progress of gaining ISO27001 certification for Rhubarb.

Our platform is hosted in data centres which are UK based and certified to ISO9001 and ISO27001
Information security policies and processes - Unique username and password; with 2-factor authentication
- Password hashing and salt value
- Account expiry and deactivation
- Account lockout
- IP address and users tracking
- SSL secure connection
- Support modern browsers
- Patches/updates are automatically applied to servers
- Limited access to cloud-based servers including lockdown on IP address

Policies, procedures, workflows and work instructions are managed as part of our ISO9001:2015 Quality Management Standards

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach New features, bugs, enhancements and change requests are recorded and tracked in an issue and project tracking software tool. We implement an agile sofware development lifecycle (SDLC) within a scrum environment. We follow industry standards around security and data protection to measure risk and impact; assessing each request on an individual basis for potential security concerns.
Vulnerability management type Supplier-defined controls
Vulnerability management approach - Servers are automatically updated when a patch is available
- Monthly release cycle
- Emergency releases as required
- Active news feeds and alerts
- Cloud services network monitoring, news feeds and alerts
Protective monitoring type Supplier-defined controls
Protective monitoring approach - Full audit logs of system activity including IP address capture
- Logs are analysed at regular individuals and appropriate action taken (if required)
- Respond immediately when incidents are identified
- Monitor server activity on a regular basis
Incident management type Supplier-defined controls
Incident management approach Users report incidents via our support portal or support desk and these are logged, prioritised, tracked and actioned as required. RCAs are produced for an outage and any corrective actions are tracked within our ISO 9001:2015 QMS.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £8995 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Access to a demo area is available for 30 days

Service documents

Return to top ↑