The Access Group

Access Legal Compliance Software

Our cloud-based risk and compliance platform helps firms record, track and manage their regulatory and quality standard obligations. The system is used to help them comply with the SRA Standards and Regulations, Lexcel and CQS.

We have designed modules to make it easier to complete common risk and compliance activities

Features

• Centralise your compliance data and reports on one integrated platform
• Automatic alerts to remind staff what needs to be done
• Set role-based permissions
• Identify potential risks and centrally plan and manage mitigation strategies
• Follow best practice with built-in workflows
• Collate your business’s compliance data in real-time
• Generate reports that will help to identify trends and patterns.

Benefits

• The system is highly customisable
• Workflows work for you and your business
• A variety of modules that can be mixed and matched

£1,625 a user a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tendernotifications@theaccessgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

108524624254182

Contact

Access UK
01206322575
tendernotifications@theaccessgroup.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Maintenance windows are minimal with the service so that we use all reasonable efforts to ensure that the SaaS Services are available for 99.70% of each calendar month. As a true SaaS solution customisation is not available although the product can be configured to meet all standard set up requirements.
• System requirements:
  • Supported system for the data to be used in
  • Internet Access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: This is dependent on Success Plan chosen initial response times are; P1 - up to 1 hr P2 - up to 2 hrs P3 - up to 4 hrs P4 - up to 1 Business Day
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide 3 main support plans as detailed below. The Essential Plan The online service The Essential Plan is available to all Access customers as part of your license fee and provides you with easy-to-access online support for all your queries, facilitated via our Customer Success portal. The Standard Plan Get answers faster As a Standard Plan customer you benefit from faster response times and can access our support teams via telephone and live chat, as well as through our Customer Success portal. To help your team be more productive, you are provided with continued access to our e-learning content as well as a programme of Success webinars, designed to keep you up to date with new features and share best-practice advice and guidance. The Premier Plan Boost productivity with direct access to the experts and achieve a higher return on investment Our Premier Plan enables your team to achieve more and improve productivity through an ongoing relationship with your own designated Customer Success Manager. Your CSM will get to understand how you’re using the technology and will advise you on how to get more from it.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We believe wholeheartedly that the functionality that our software offers our customers is very important, but it is only half of the value equation, how the system is rolled out is critical if full value from your new investment is to be achieved. We also know that you may view new software implementations with some trepidation and many customers can find this period daunting. In fact, for some customers, this may be the first software roll out they have managed. We recognise this and we have designed our best practise, remote-first implementation services to help ensure you have a great experience and are looked after along the way, so that the whole process is less daunting… this is our FlightPath implementation approach.Our FlightPath services have been designed to be remote-first, providing you with an improved low-risk implementation journey, no matter how your organisation is structured or wherever your employees are working. We use video technology to facilitate face to face contact, so you still get the hands-on benefit of working with an Access expert and our years of software deployment expertise. We have also invested in product e-learning, so your users can learn our products at their own pace.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Our exit process is; The Renewals team receive the notification and undertake discussions with the client, the account manager and any other stakeholders. Once termination is confirmed, the “termination data requirements document” is sent to the client and a record created on the Offboarding register in line with internal processes. The status is set to “waiting customer”. On receipt of the offboarding document, Access Offboarding Review team will review the response, respond to any queries, annotate the record to reflect the customer requirements, upload the document and set the record to “not started” The Service Delivery team will pick up the ticket, arrange the return of data, decommission the system then they or hosting delete the data (production and backup unless “beyond access”(in which case it will be overwritten). Closure of the ticket triggers a confirmation to the customer that their data is deleted.
• End-of-contract process: Our exit process is; The Renewals team receive the notification and undertake discussions with the client, the account manager and any other stakeholders. Once termination is confirmed, the “termination data requirements document” is sent to the client and a record created on the Offboarding register in line with internal processes. The status is set to “waiting customer”. Note: In the event that a Customer does not return the document, they will be contacted again twice prior to termination and data will be deleted within 30 days from contract end as Access has no legal basis for processing from that point

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Windows
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: The system is highly customisable; with the flexibility to tailor your view, we ensure that the workflows work for you and your business. It even comes pre-configured with best-practice workflows designed by our regulatory experts.

Scaling

• Independence of resources: Access Legal Compliance is hosted by Access Cloud Hosting providing a secure and highly scalable hosting environment.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Running reports and exporting the results.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Xls(x)
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We will use commercially reasonable efforts to make the SaaS available 99.7% except for unavailability during emergency or routine maintenance.
• Approach to resilience: Available on request
• Outage reporting: We have a portal with a dashboard (privately accessed) and email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Users are set with specific roles within the organisation. Different roles provide different views and access privileges.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 01/09/2014
• What the ISO/IEC 27001 doesn’t cover: Nothing is excluded from the Standard
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Access Group is ISO27001 certified and operates an Information Security Management System (ISMS) in accordance with the ISO27001 standard. Access is audited annually by the British Standards Institute (BSI) who audit process adherence and compliance with ISO27001 controls. Access internally audits information security every month with a specialist security consultant. The ISMS is steered by the Information Security Working Group (ISWG) headed by the Chief Technical Officer and attended by the Chief Operating Officer, Finance Director and Information Security Analyst with representation from HR, IT and Hosting teams. The ISWG has an operational meeting every month following audits and a strategic review meeting every 4 months. Access operates a risk register and an incident, improvement and audit log for managing the ISMS on an operational basis. All Information Security and Acceptable Use policies are reviewed at least annually and changes to the ISMS are reviewed 3 times a year and form part of the ISWG strategic review.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: No major change should be implemented without: A completed Change MAnagement Form to record business case, problem, solution and risks Approval by the relevant Business Unit Director, Information Security Working Group or Quality Management Working Group An approved, documented plan of the sequence or steps for implementing and releasing the change into business as usual. This should be stored in an appropriate place. Evidence demonstrating the fact that this change has been tested first A rollback/mitigation plan A post-change test being documented to check that the change has been successful Appropriate communication and training for any change.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Patched and audited by our patch management system. All non-critical OS patches are applied within one calendar month of release, first into pre-production and then into production, as part of the scheduled maintenance window. AV Updates - Signatures are updated hourly. / Rules are reviewed at minimum every 3 months. Logs are reviewed at minimum every 3 months. Access staff responsible for the maintenance of our hosting services subscribe to industry newsletters, belong to various security forums and we additionally receive notifications from our vendors.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We have traffic monitoring and content based alerting which alerts on changes to the site and/or traffic flows implemented at infrastructure and application level. We proactively monitor third party suppliers (hardware, OS, application/web and database server software) vulnerability reporting and security fix availability. Any vulnerabilities found and fixes provided by third party suppliers are patched by our infrastructure team in a timescale appropriate for their level of severity. Any penetration test findings are fixed by Development in a timescale appropriate for their level of severity. Our infrastructure response is within 1 hour in the SLA period 8am-8pm Monday – Friday.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We operate a robust incident management process in line with ISO27001:2013 Staff are encouraged to report all incidents using a pre-defined process using a form available on our Company Collaborate site Incident reports will be provided following forensics and closure

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Access UK Limited is a Software author and provide associated services, including Hosting, Payroll Bureau and Payment services. We recognise that although we do not undertake manufacturing, our day to day operations will have impact on the environment at global, national, and local level. We are committed to the care of the environment and the prevention of pollution. •Access ensures that all our operations are carried out in with the minimum adverse effect on the environment but implementing many available resources and approved processes •We protect the environment by striving to prevent and minimise our contribution to pollution of land, air, and water •We keep wastage to a minimum and maximise the efficient use of materials and resources, and manage disposal of all waste in a responsible manner •We use energy, water, and natural resources wisely and prevent pollution by minimising waste, recycling whenever possible and properly disposing of waste that cannot be recycled. •Our management processes are developed to ensure that environmental factors are considered during planning and implementation •We raise employee awareness and encourage best practices for sustainability at work

  Equal opportunity

  We want everyone to feel at home at Access, knowing that they are valued for what they do, not who they are. We want people to feel that they truly belong here regardless of their age, gender, race, sexual orientation, or anything else that makes them individual; after all, if we were all the same it would be a pretty dull place. We love the fact that we’re all different. Having more diverse perspectives at work improves how we run our business, helps us support our customers, and when you think about it, it's just more fun. For us, this all starts with helping everyone feel part of the family and being at their best every day, making Access a place where everyone can love what they do and do what they love. We all have regular check-ins with our leaders, take part in monthly employee surveys, have lots of chances to share our views and ask for help, and with our own learning system, 'Access Shine', we really can make things even better each and every day. At Access we'll always hire the best candidate but we're continually looking for creative ways to increase the mix of diverse candidates into our recruitment process. On the basis that you ‘have to see it, to be it’, one thing we're doing is sharing more stories to celebrate the wonderful diverse range of talent we have at Access. It is important for us that our employees understand and reflect the customers and communities we support, and we want everyone to feel at home here, knowing that they are valued for what they do, not who they are. We want people to feel that they truly belong here regardless of their age, gender, race, sexual orientation, or anything else that makes them individual.

  Wellbeing

  Access places specific emphasis on the health and wellbeing of its staff and provides a “Well-being” hub in workspace that provides support for Mental Health, Finances, Social, Physical, Emotional and purpose. Assistance from Health Assured is available for all staff and there are training resources for “working in the new normal” and “Mental health and wellbeing” . Access also has “well-being” champions throughout the organisation. This is supported by monthly employee “check in” surveys and offers of flexible working for staff to meet caring commitments.

Pricing

• Price: £1,625 a user a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tendernotifications@theaccessgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.