VERNA EARTH SOLUTIONS LTD

Mycelia

Mycelia is a software solution to help Local Planning Authorities (and similar organisations) drive better environmental outcomes in less time. It includes end-to-end support for Biodiversity Net Gain, covering validation, assessment, monitoring, and reporting.

Features

• Drag-and-drop import of the Biodiversity Metric
• Radically easier interfaces for interacting with the Metric
• Full and faithful recreation of the BNG algorithm
• Smart error-checking, including automated validation checks
• Tracking of monitoring data, responsibilities, and deadlines for every case
• Ecology-driven risk-flagging and prioritisation
• Auto-reporting of BNG progress
• Built from ground up to handle and display spatial data
• Based on extensive research with local government ecologists

Benefits

• Save time across teams and throughout the BNG process
• Drive better environmental outcomes, using tools designed by ecologists
• Catch and manage risks, with smart checks, alerts, and prioritisation

£10,000 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rafi.cohen@verna.earth. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

111349551370280

Contact

Rafi Cohen
07817257041
rafi.cohen@verna.earth

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements: GDS-supported browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our target is to respond within four working hours, and in practice we are often faster than this. Our support hours are 9am-5pm Mondays to Fridays (excluding public holidays).
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Full support is included for all users at no additional cost. Users are able to contact support by phone and email. Our support hours are 9am-5pm Mondays to Fridays excluding bank and public holidays. ; Our targets are to acknowledge issues within 4 working hours and to fix serious problems (e.g. outages, material risks to security or privacy) within 24 hours; however these are minimum standards which in practice we outperform. All organisations using Mycelia have an account manager; there is no need for engineering support as no technical work is required by the customer – the service is delivered entirely through a web browser.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Mycelia is a modern, intuitive app accessed entirely through a web browser. When an organisation adopts Mycelia, to help get started we provide a live, online training session for any/all users at the organisation. This is supported by documentation, other resources (e.g. videos), regular “catch-up” live training sessions, special live training sessions when new functionality is rolled out, and ongoing phone and email support.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: The Mycelia contract specifies that at end of contract the customer may request that all its data within the software be transferred to the customer in a useable format at no extra cost.
• End-of-contract process: If a customer chooses to end the contract, its use of the software is discontinued from contract end. The customer has the option to request a transfer of all its data on the system (at no additional cost), after which the data is securely destroyed. Some standard contract provisions, such as confidentiality and data protection, continue after the contract ends.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Mycelia is an HTML5 webapp, accessed through a web browser.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: N/a
• API: No
• Customisation available: Yes
• Description of customisation: Each authority using Mycelia is set up as a separate organisation, with its own configuration. A variety of aspects can be customised to the organisation, including for example mapping data and workflow options. Customisation options will grow further over time as the software continues to develop.

Scaling

• Independence of resources: Mycelia is a scalable multi-tenant solution, hosted in datacentres managed by industry-leading providers. The resources allocated within these datacentres are dynamically controlled by software configuration, so can be rapidly scaled in response to user demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Mycelia is hosted on fly.io, a large mainstream cloud provider

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: All files uploaded to Mycelia can be exported in their original form. In addition, Mycelia is designed to provide custom data reporting and exporting functionality tailored to the needs of ecology and Biodiversity Net Gain. This area of functionality is continuously being developed, in line with customers’ evolving needs.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: Statutory Biodiversity Metric

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We aim for 100% uptime. Our contractual standards for serious problems such as outages are notification within 4 hours and fix within 24 hours; these are minimum standards which in practice we outperform.
• Approach to resilience: Mycelia is hosted in UK datacentres which are ISO27001 certified and have UPS, backup generators, and further disaster recovery measures, plus multiple layers of physical security. Mycelia uses a redundant server cluster, with automatic data synchronisation and automated failover. Backup data snapshots are taken and stored offsite at least daily. Further details are available on request.
• Outage reporting: All users are notified of any outages by email. In the near future we will also be implementing a public status dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: At present, management interfaces are available only to the Verna team (restricted by various access controls including multi-factor authentication), with user management requests actioned via support channels. Management interfaces for users will be rolled out in the future, protected by (at least) multi-factor authentication or Single Sign On authentication. Support requests are only accepted from confirmed users.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 15/06/2021
• What the ISO/IEC 27001 doesn’t cover: Covers the datacentres in which Mycelia is hosted.; Does not cover other aspects of the service.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC2, Covers the fly.io cloud service hosting Mycelia (2022)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Verna follows all relevant industry standards and guidance, including from the ICO and the NCSC. Verna’s Chief Technology Officer is responsible for the security of the service, and one of Verna’s Co-CEOs is responsible for the organisation’s data protection policy and measures. Security measures, procedures, and risks are reported on regularly at board level.
• Information security policies and processes: Our policies and processes are based on best practice guidance from the Information Commissioner’s Office and the National Cyber Security Centre, including the NCSC Cloud Security Principles. Our Chief Technology Officer is responsible for the security of the Mycelia service, accountable at board level to one of our Co-Chief Executives. Adherence to security policies is a mandatory requirement of our contracts with workers, reinforced by training and management oversight.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All of our application configuration, including hardware and software deployment descriptors, and container setup is managed as software and maintained under source code control. It is subject to the same code review processes as all of our application development, and access to deployment branches is protected and restricted to key staff. Secrets are deployed via a cryptographically secure store managed by our cloud provider. As part of the product management process, all potential changes are assessed against a range of key impact criteria including security impact. Changes are not accepted onto the roadmap without passing this process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We use a range of measures including scanning using automated tools, manual tests, checks of our supply chain, and encouraging security notifications. Our CI/CD configuration includes an automated step to check for package dependencies that have been withdrawn, or are subject to a CVE disclosure. Team members also monitor a range of security and threat assessment sources, including LWN and cvedetails.com, as well as groups dedicated to the technologies Mycelia relies on. Our targets are to acknowledge issues within 4 working hours and fix serious problems within 24 hours; these are minimum standards which in practice we outperform.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We continuously and routinely monitor the service for any indications of potential malicious activity. This is supported by Open Telemetry, via Honeycomb.io, and error detection, via Sentry.io, to monitor for unusual conditions or error states, with automated alerts to the product team to enable swift action to be taken. All access and use of the service is fully logged. Our targets are to acknowledge issues within 4 working hours and fix serious problems within 24 hours; these are minimum standards which in practice we outperform.
• Incident management type: Supplier-defined controls
• Incident management approach: We encourage security notifications from anyone via security@verna.earth. Our users can also report security issues via email (mycelia-support@verna.earth) and the dedicated Mycelia support phone line. All problems with the service are reported (and updated on) to users. We have robust systems to ensure security incidents are acted upon. We are an agile, tight-knit team and our incident management approach is based on rapid communication and rigorous project management (based on DSDM Agile). We keep users informed at every stage of the incident, by email, and (if necessary) phone cascade.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Wellbeing

  Fighting climate change

  Mycelia’s purpose is to help organisations enable and assure nature enhancement projects. This brings a wide range of environmental benefits, including for climate change mitigation and adaptation.

  Wellbeing

  Mycelia’s purpose is to help organisations enable and assure nature enhancement projects. These create wellbeing improvements for people who live in or visit these areas, including through enhanced ecosystem services and opportunities for recreation and connection to nature.

Pricing

• Price: £10,000 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rafi.cohen@verna.earth. Tell them what format you need. It will help if you say what assistive technology you use.