Link Maker

Letter Swap – Platform for post adoption contact support and management

A platform for modernising post adoption contact. Allowing contact arrangements to be created flexibility to suit all circumstances, adjusting the level of involvement from the organisation on a case by case basis, with direct access for families. Including record keeping, Letter Swap allows organisations to support, monitor and report.

Features

• Replicate existing contact agreements, specifying the frequency of communication required.
• Monitor and report on contact, review communication, perform ‘Agency checks’.
• Exchange messages, documents, images, voice messages and videos.
• Encryption, communication is encrypted so only available to the recipients.
• Direct application access for Adoptive family and Birth family members.
• Automatic system reminders via email/text when communication is due/overdue
• Todo dashboard, listing all actions required by the Organisations.
• Case notes, for recording internal case activity for Organisations.
• 9-5 telephone and online user-support.
• ISO 27001 accreditation, meeting the UK Government’s ‘Cloud security principles'

Benefits

• Control, flexibly creating letter boxes to reflect different contact agreements
• Removing admin burden for teams.
• Engagement from families with added transparency and flexibility (
• Flexibility, making contact less intense and more meaningful.
• More organised, all contact exchanges are kept in one place.
• Security, removing potential for information to reach the wrong hands
• Better communication, automatic notifications of activity
• Recording, tracking and monitoring of internal activities
• Ongong development is shaped by feedback and suggestions from users.
• Meet all security, support, hosting and development needs.

£0.00 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at accounts@linkmaker.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

104753800590948

Contact

Linda Hill
0843 886 0040
accounts@linkmaker.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Community cloud
• Service constraints: Planned system upgrades will result in a service outage.
• System requirements:
  • Internet access
  • Internet browsers listed below

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: For licenced users during 'phone support' hours notification that a support issue has been raised should be received within 2 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Link Maker Systems (LMS) do not have support levels as we provide support to all users as follows: ; ; There is user access to the LMS support desk which covers all areas of support including licencing issues, bugs/errors, technical help, enhancement requests and advice. They can be contacted via; ; ; • Telephone on 0843 886 0040; • The contact form on the web site; • Email support@letterswap.co.uk ; ; SLA's are set for licenced users.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Organisation users just need to register on the site and create login information. Additional help/advice can be obtained from the support desk, user guides or video tutorials available online. ; Additional training or onsite courses can be tailored for an individual organisation for an additional fee and can be requested through the support desk.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Video tutorials
• End-of-contract data extraction: Users can export individual letterbox exchanges via PDF download.
• End-of-contract process: Case data for Letter Swap is deleted at the request of the relevant individual’s Organisation. Case data is deleted 3 months after the customers Licence has expired. Such data is marked for deletion, and no longer available in the application for organisations. Registered users of Letter Swap who have access to communication data within that case will be notified via email and have 14 days to download any information. Fourteen days after the data is deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Functionality remains the same.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Service interface is accessed via an internet browser
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Our most recent independent web accessibility audit for this website was in April 2019, where they use both automated evaluation tools and manual testing with assistive technologies.
• API: No
• Customisation available: Yes
• Description of customisation: Organisations can define categories for Case notes functionality, allowing them to track activity relating to specific categories.

Scaling

• Independence of resources: Performance and capacity is monitored 24/7, by our infrastructure management company and the infrastructure is such that remedial action can be taken instantly.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: AWS data centres operators are is climate controlled, with high level security, fire suppression and power redundancy and have been externally audited and certified to ISO 9001 (Quality Management), ISO 14001 (Environmental Management) and ISO 27001 (Information Security) standards.; ; All data and backups are encrypted at rest.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users can export individual letterbox exchanges via PDF download.
• Data export formats: Other
• Other data export formats:
  • PDF
  • Plain text
• Data import formats: Other
• Other data import formats:
  • Documents that can be uploaded; PDF, .doc, .docx
  • Image files that can be uploaded; .jpg, .png, jpeg, .gif
  • Video files that can be uploaded; Mp4, flv,avi, m4a, m4v
  • F4a, m4b, m4r, f4b, mov,3gp, wmv, ogv and ogg

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: In addition to the above we use CSRF and XSS protection.
• Data protection within supplier network: Other
• Other protection within supplier network: LMS have a VPC with restricted service/ports between servers, allowing non-web traffic only via a load balancer.

Availability and resilience

• Guaranteed availability: The LMS hosting provider has an average availability time of over 99.99%.
• Approach to resilience: The virtual infrastructure is hosted with AWS and is spread across two availability zones and can be switched from one to another within in minutes, therefore there is no single point of failure with regards to geographic sites. The VPC is fully redundant, with load balanced components so that components can be upgraded/replaced with no loss of service The data centre it is climate controlled, with high level security, fire suppression and power redundancy. LMS utilises AWS autoscaling for the EC2 instances, monitoring applications and automatically adjusting capacity to maintain a steady, predictable performance.
• Outage reporting: For any planned down time that exceeds 1 hour, users will be emailed 3 days in advance to advise of the outage. For any planned downtime less than an hour, an announcement is posted on the site for all users. All planned downtime is scheduled out of hours to minimise the impact on users.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: All accounts will be required to use Multi-Factor Authentication (MFA) to access the system. When logging in, the practitioner will have to provide a username, password and three digits from a PIN. If the device does not include a unique encrypted cookie for that user a one time code will be emailed to the user’s verified email address, or sent to their confirmed mobile phone number by SMS. This will then need to be entered online to complete the login process.
• Access restrictions in management interfaces and support channels: Access control policies are governed by ISO27001 and adhere to best practice. Access is role based, and follows principles of least privilege. ; ; LMS administrators can only access the site via a VPN, with a VPN username and strong password. They then need to enter a unique username, strong password and PIN for access to the web site.; ; Users can be granted management functionality either by other users in their organisation who already have that functionality, or by LMS administrators with the approval of an authorised representative.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: For the web site, LMS administrators can only access the site via a VPN, with a VPN username and strong password. They then need to enter a unique username, strong password and PIN for access to the web site. If the device does not include a unique encrypted cookie for that user a one time code will be emailed to the user’s verified email address, or sent to their confirmed mobile phone number by SMS. This will then need to be entered online to complete the login process.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 12/11/2015
• What the ISO/IEC 27001 doesn’t cover: LMS business operations that do not directly affect the online platform.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Co-Chief Executive of Link Maker Systems (LMS) is responsible for information assets and as such owns the information security policies and is the Senior Information Risk Owner (SIRO). Together with the LMS Security Board, policies are reviewed on an annual basis to ensure it is accurate and reflects the risks to information and commitment by LMS to safeguard personal data. ; ; LMS perform regular risk assessments. Risks are mitigated using appropriate controls and residual risks are monitored on an on-going basis. ; ; To ensure LMS continue to implement, maintain and comply with their information security policies an annual internal audit is carried out, by an independent resource to ensure impartiality. An internal audit report will be generated together with a list of recommendations from the audit. The auditor can select a random set of controls that cover at least a third of ISMS. ; ; On induction all staff are given formal training on Information Security and the LMS ISMS policies. Refreshers are repeated bi-annually.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: LMS operate an infrastructure change control procedure and a development and release process. All changes to the LMS infrastructure or web site are logged, and monitored by the security officer through to completion. ; Issues are reviewed against impact on data privacy the LMS security policies before being approved, and implemented.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Link Maker Systems uses an external CESG and CHECK approved IT Security health check provider to perform both network and application-level vulnerability scans. The findings are interpreted into a remediation plan which contains vulnerabilities which require fixing. This is maintained by the security officer and reviewed on a regular basis. ; IT Health Checks are carried out at least annually or when a major software update/site is issued. The remediation plan is then updated to reflect the new testing. This includes marking previous vulnerabilities as rectified and any new vulnerabilities together with an action plan for their resolution.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Anti-virus is installed on all infrastructure servers. ; ; LMS employ Cloud Native Security, where Rackspace security specialists will monitor for critical issues, and act according to a specified runbook. AWS GuardDuty, continuously monitors for malicious or unauthorised behaviour. All data is pulled together in the AWS Security Hub, which also provides compliance standard checks against industry best practice (e.g., CIS AWS foundations). LMS are notified of any issues immediately so any remedial action can be taken.; ; LMS uses AWS Patch manager to ensure that all critical patches are applied within 24 hours, and all others within 30 day of release.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: LMS are committed to identify, managing and recording incidents so that the information assurance and business processes can be continually improved. ; This policy and process applies to all individuals and business processes within LMS, as everyone has a responsibility to report suspicious or known malicious issues to senior stakeholders. Users can report incidents through the normal support channels. LMS Security officer will assign a severity level, and appropriate action taken. The size of the company enables LMS to have a flexible and agile approach to identifying, measuring and treating risk.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  Alongside its main contracted service of helping to identify placements for children, and post adoption contact support, Link Maker has always found ways to help strengthen communities of support for adopters and carers around the UK. A significant part of the platform was developed specifically for this purpose, and has always been provided to service users free of charge. Link Maker now provides its online community platform, on a cost-free basis, to Adoption UK, the leading charity providing support, advocacy and a strong community for all those parenting or supporting children who cannot live with their birth parents. This collaboration gives adopters easy and safe ways to build their knowledge and support networks.

Pricing

• Price: £0.00 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: The free trial provides access to all functionality of Letter Swap. Organisations can add up to 100 letterboxes free of charge.
• Link to free trial: Www.letterswap.co.uk

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at accounts@linkmaker.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.