Compensation Planning & Equity Analytics

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: We provide full product usage, but we do not offer dedicated consultancy services.
System requirements: Works on all modern browsers except IE

CSV upload for Pay Equity Analytics

Data exchange via a secure portal for Compensation Planning

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response times are based on UK Business Hours Monday to Friday 8:30-5pm - they vary according to the priority of the request. Access & Entitlements and other critical requests, like users not seeing data and/or reports are dealt with within 4 hours.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: All subscribers are assigned a named Account Manager who will act as the primary point of contact throughout the subscription period. In addition, our Customer Success team are available to support with technical, content or user administration queries, including how to utilise the service.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Our Customer Success team will deliver an onboarding program and are then available 8.30-5pm each working day to provide ongoing support or refresher training.
Welcome emails are sent at the point of sign up, and access to the service is available immediately.
Service documentation: No
End-of-contract data extraction: If applicable, when the contract ends, users can download any final reports or data if they do not wish to renew the services.
End-of-contract process: The contract will typically run for 12 months (unless a longer contract period has been requested) and will auto-renew unless we are advised of a preference to cancel. You will be notified prior to the auto-renewal period to ensure you have time to cancel if required.
At the end of the Contract, Access and Entitlements of any registered users are revoked.
If the User requests that any outstanding data is deleted, this will be deleted within 30 days of the request being submitted.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Front end web application
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Internal testing only in adherence with our accessibility standards
API: No
Customisation available: Yes
Description of customisation: You can customise your experience with pre-defined or personalized data labels, filters, interval definitions, and more to break down and categorize data as you see fit to get the analysis you need.

Scaling

Independence of resources: We have over 20,000 regular users across our portfolios within the UK and downtime is extremely rare. Our IT infrastructure is designed with load balancing to support high volumes of concurrent traffic.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: *as CSV file
* as PowerPoint report
Data export formats: CSV

Other
Other data export formats: Pptx

Png
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Brightmine shall use reasonable endeavours to ensure that the Product(s) are available to Customers and Licensed Users excluding downtime for regular or emergency maintenance which shall be kept to a minimum. Time is not of the essence in respect to the delivery of any the Product(s) or Licensed Material, and Brightmine's sole obligation and Customer’s sole and exclusive remedy is to request that Brightmine's effect delivery or reinstate service as soon as is practically possible.
Approach to resilience: Multi-zonal, active/active, load balanced cloud infrastructure set up.
Outage reporting: Email alerts.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Username or password
Access restrictions in management interfaces and support channels: Only authorised users have access to management interfaces.
Access restrictions are defined in in-house policies and procedures e.g. Brightmine's Access Control procedure and its User Registration and De-registration procedure.
Access is assessed and granted on a need to know and need to use basis. Assets have different levels of access generally falling into public, internal or confidential categories.
We also have OAuth token mechanisms in place for where this is required.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: No audit information available
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SGS
ISO/IEC 27001 accreditation date: 08/09/2022
What the ISO/IEC 27001 doesn’t cover: None
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Information Security is central to Brightmine, protecting data throughout the business. ISO 27001 certified ensuring:

• Roles and responsibilities are defined
• Access control to all assets based on classification
• Risk management is rigorously applied
• Confidentiality agreement or NDA signed by employees and requirement to adhere to all policies
• Data is encrypted in transit
• Regular system backups
• Change control systems embedded
• Management of personal data
• Information security and business continuity with service providers
• Compliance with legal requirements

All polices are scrutinised and evaluated with effective cascading of information to all staff. Processes are monitored for compliance with international best practice.

Information Security policies are reviewed to implement ways of improving the Information Security Management System (ISMS). Reviews are triggered by:
• The analysis ISMS
• Internal/external audit
• Following an incident
• To implement a new technology or change in legislative requirements.

Brightmine's approach to managing IS and its implementation (i.e. control objectives, controls, policies, processes and procedures) is reviewed independently at planned intervals or when significant changes occur.

Managers regularly review compliance of information processing and procedures against appropriate security policies, standards or other security requirements.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Brightmine is using agile software development methodologies.
All new requirements are recorded in the tracking system, and prioritised and added to a work schedule. During the specification of changes
the security implications are assessed and post build changes are tested for vulnerabilities and impact on existing system elements before being released. We have a Technical Lead who supervises this work to ensure and maintain the system's integrity.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Vulnerability management is defined in our in-house Security and Risk management system as part of our ISO 27001 certification, explicitly in the Risk Management Procedure and the Information Security Incident Management Policy. The related Risk Analysis spreadsheet sets out the supporting detail of vulnerabilities in rank order, with their impact and the risk mitigation processes.

Software patches and updates are deployed out of hours to maintain system availability for users.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Identifying potential compromises is guaranteed by our cloud provider by providing performance and security monitor indicators as well a notification system.
According to our internal Information Security Incident Management policy all incidents are classified by type and severity, they are recorded, an action plan is defined for closing the incident to minimise or eradicate the potential for a repeat.
Depending on incident classification Brightmine are able to react within an hour during normal office hours with a slightly longer response time out of hours.
Incident management type: Supplier-defined controls
Incident management approach: Our incident management process is defined Brightmine's Information Security Incident Management policy within our ISO 27001 certification.
All incidents or potential incidents are reported.
The Technical Squad is responsible for classifying, recording and defining action plans and/or implementing all necessary corrective and preventive actions to mitigate and close the incident.
All incidents are recorded and the Information Security Manager or Chief Technology Officer is responsible to report the incident to senior staff.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Tackling economic inequality
Equal opportunity

Fighting climate change

As a business within the RELX organisation we are committed to a wide range of corporate social responsibility action. Details on our approach to the environment can be found here https://www.relx.com/corporate-responsibility/being-a-responsible-business/environment.

Tackling economic inequality

Brightmine Compensation Planning and Pay Equity Analytics services helps to identify gaps for employers in different sections of the organisation where minority or disadvantaged groups face barriers to employment and career progression, as well as benchmarking so that employers can understand if pay is fair to the market. We identifies how those gaps impact an organisations diversity and inclusion targets and identify insights that help employers tackle and address these gaps.

Equal opportunity

Brightmine services delivers against the "equal opportunity" Social Value theme in that the software demonstrates clear actions to help employers identify and tackle inequality in employment and pay in the workforce. Brightmine identifies pay and representation gaps of minority and disadvantaged groups, insights into progression into more higher paid work, and models possible remediation to close and address gaps in representation and pay.

Pricing

Price: £6,655 a licence a year
Discount for educational organisations: No
Free trial available: No

Compensation Planning & Equity Analytics

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Compensation Planning & Equity Analytics

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents