CRB Cunninghams Limited

iPayimpact Online Payments

iPayimpact is a market leading online payments solution for the education sector. Used by over 1500 schools, MATS, and councils across the UK to collect payments for school meals, trips, clubs and more.

iPayimpact seamlessly links with our Fusion Cashless system for Secondaries, and includes meal pre-ordering for Primary schools.

Features

• Online payments for schools
• Parental communications
• School lunch money management
• Real-time comprehensive reporting
• PayPoint payments
• MIS integration
• Encrypted secure database and payments
• Web-browser access
• Permission based access
• PCI compliance

Benefits

• Reduce cash brought into schools and the cash handling errors
• Manage allergens and avoid potential health risks
• Manage school trips, shop and dinner monies
• Enhance the dining-room experience and speed up the catering service
• Accurate management information and improve auditing
• Save administration time by automating many payment processes
• Allow parents to pay online
• Increase office admin efficiency
• Reduce debt levels
• Accept all payment methods

£349 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@crbcunninghams.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

114338308330749

Contact

Tracy Scott
03330143065
info@crbcunninghams.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The hosting environment is anticipated to be available 99.99% of the time, however the service also relies on infrastructure (network and internet access) provided by third parties and/or clients. ; ; Planned maintenances are advertised 2 weeks in advance.
• System requirements:
  • Customer has active contract with CRBC
  • Active internet connection for accessing solution
  • Accessibility to customers school MIS database
  • Android, or iOS device for access to App
  • Browsers supported are Safari, Firefox, and Chromium (last 3 versions)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Call response times depend on the severity of the question raised.; ; Critical response time is 30 working minutes; Material response time is 2 working hours; Minor response time is 8 working hours; ; Our response times defined within our SLA ensure our support desk are prioritising calls based upon the need of our customers, and the severity of the impact of the reason for the call to our customers service.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: All customers using iPayimpact receive identical levels of support. This enables our customers to raise tickets via phone, email, or directly through our website.; ; Tickets logged are then reviewed for their severity, and potential impact to the customer. Once reviewed, assignment to a technician is made to manage the ticket to resolution.; ; For user related enquiries, we do provide remote support enabling connection to the users workstation for visible assistance with their query.; ; All support contracts are renewed annually, with the cost dependent on the modules used within iPayimpact.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A project manager will guide the customer through the implementation process.; ; Firstly, the schedule of key dates for implementation is agreed with the customer, including training, and go-live dates. We provide customers with a "parent pack" including FAQs about iPayimpact, flyers, and material for the customers website.; ; Training is provided remotely, and we record every session to share with the customer so they have the means to re-watch any areas of the course they need refreshing on.; ; FAQs for admin users are also available through the iPayimpact website, but there is also an additional knowledge base that can be accessed online.; ; When approaching the launch of the system, we release all of the "onboarding codes" that require distribution to parents allowing them to set their account up and "connect" their child, or children.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All reports within iPayimpact are exportable, allowing admin users to gather any required information prior to the system contract end.; ; For example, a school may need to know the closing school meal balance of their pupils for contract end, and they can either get and extract this information themselves, or CRBC will provide them with assistance to gather this, or any other data required.
• End-of-contract process: At the end of the contract, all customers will be notified via a reminder approx. 3 months in advance, and offered a contract extension. The extension covers the specified length of new contract (minimum 12 months) and cost for renewal. Renewal of contract enables the customer to continue using iPayimpact and receive all support benefits offered via our SLA.; ; Notice required to end usage of the system and not renew a contract requires a 60 day notice given. As the contract end date approaches, CRBC will work with the customer to ensure they have all necessary information and data from the system. At the end of the final day of use, CRBC will disconnect all 3rd party links to MIS, and Cashless Catering systems. Customers will still have access to their system, and data for an agreed time following the end of contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There is no loss of functionality. Website has been designed responsively so screen and options all snap to device size.; ; We do have a mobile app specifically for iPayimpact which can be found in both the Apple App Store, and Google Play Store.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The API is not publicly available and is used to connect with 3rd party services such as a school MIS system, and our Fusion Cashless Catering system.
• API documentation: No
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Customers can add brand assets to iPayimpact and change some entity terminology within the product.

Scaling

• Independence of resources: We have a load balancer within the system to distribute sessions between a number of servers. We also have auto-scaling resources based on the current demand.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide dashboard reports and stats within user logins at an administrative level.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: Access to the cloud service environment is restricted as follows:; ; • Dedicated devices are used to access the environment, these are not used for day-to-day work or web browsing.; • Access to these devices is restricted to senior members of the R&D team only.; • These devices are locked down, patched and maintained by our internal IT team.; • These devices are identified by our firewall using the MAC address, and are provided with a separate external IP address.; • The firewall in our hosting environment is configured to refuse access except for the dedicated IP address allocated above.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: All reports can be exported into PDF, excel and Word.; ; We have an additional service called Data Factory which allows data to be collated in a central data warehouse for access by the customer.; ; End users (parents) can export their own personnel data directly from their account.
• Data export formats: CSV
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The hosting environment is anticipated to be available 99.999% of the time, however the service also relies on infrastructure (network and internet access) provided by third parties and/or clients. Details of recovery and availability can be found (including disaster recovery and the methods deployed to maintain a 99.999% uptime) at: https://docs.microsoft.com/enus/azure/security/azure-infrastructure-availability. There is no refund process for users if the guaranteed level of availability is breached.
• Approach to resilience: The hosting environment is anticipated to be available 99.999% of the time, however the service also relies on infrastructure (network and internet access) provided by third parties and/or clients. Details of recovery and availability can be found (including disaster recovery and the methods deployed to maintain a 99.999% uptime) at: https://docs.microsoft.com/enus/azure/security/azure-infrastructure-availability
• Outage reporting: CRB Cunninghams will take the following actions if an outage of the service occurs.; 1. iPay Team Evaluate the damage; 2. Disaster Management Team Identify the affected clients and applications; 3. Communications Team Inform users and Helpdesk of abnormal service; 4. iPay Team Spin up new Virtual Machines and App Services and restore from snapshot backups; 5. iPay Team Restore Azure SQL Database from most recent Point in Time backup; 6. iPay Team Check and correct configuration of new services; 7. Communications Team Inform clients of normal operations

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Permissions and roles are assigned to each administrative user which controls what features can be accessed within the system.; ; Support channels are controlled by identification checks on the person accessing the support channel (Check with TW)
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International Ltd
• ISO/IEC 27001 accreditation date: 30/03/2017
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Claranet Ltd
• PCI DSS accreditation date: 31/05/2023
• What the PCI DSS doesn’t cover: N/a
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: CRB Cunninghams follow an IT Security Policy implemented by our parent company Vesta Software Group. The purpose of this IT Security Policy is to establish and maintain a secure and reliable information technology environment within the Vesta Software Group. The information security objectives cover Confidentiality, Integrity, Availability and Compliance. To ensure continued compliance, periodic IT security audits and assessments are be conducted to ensure compliance with this policy and relevant regulations. Regular IT security training and awareness programs will be provided to all employees to enhance their understanding of security risks and best practices.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: CRB Cunninghams utilises Microsoft Azure services to host the iPay app, along with required databases and automated functions. A record of each of these is stored in our Asset Register, along with any vulnerabilities identified and actions to be taken for remediation.; ; All of our software source code is stored in our source control system, with new releases only made available after they have gone through successful alpha and beta testing.; ; Stack and performance testing, across different operating systems and hardware configurations, takes place to mitigate any potential security impact
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our R&D team continuously monitor security updates and advice, for hosting environment and resources, development tools and resources utilised to create the software / service, and hardware and software elements used in the software / service; ; This information is provided by the hosting environment provider, development tools and components vendor(s), and hardware vendors.; ; When a vulnerability is identified it is investigated to assess priority, service, timescale and resolution.; ; All changes made to the service(s), including the hosting environment, software or hardware, is changed according to our change release procedures. ; ; All changes are fully tested, reviewed and packaged for deployment.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: CRB Cunninghams and Microsoft Azure hosted services have intrusion detection systems in place. As standard, Cisco firewalls are in place and pro-active monitoring is in place across our dedicated servers. Detection of abnormal activity, including FTP, ping, SMTP, HTTP and POP3 are alerted to CRB Cunninghams via email and SMS.; ; CRB Cunninghams also have our own internal monitoring systems, which alert us to spikes in activity / usage of the system, failed login attempts, performance, backups and other operational actions to allow us to notify clients in advance of them being aware of any issues..
• Incident management type: Supplier-defined controls
• Incident management approach: CRB Cunninghams have pre-defined processes for common events.; ; This defined process is for clients to report security incidents via the helpdesk. General consumers (parents) have access to an email support address.; ; Where a security incident affects all clients/users of our solutions, CRB Cunninghams will notify the named contacts within the clients’ organisations of the issue. For consumers a public announcement ; is displayed advising of the issue and estimated time for resolution.; ; Prioritising of incidents and timescales are as follows:; Critical – within 1 hour; Medium – within 3 hours; Low – within 1 week

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity

  Fighting climate change

  Food waste has a detrimental effect on the environment and using innovative solutions to minimise waste will have a positive effect on reducing the effect. Allowing parents and pupils to pre-order their meals mean catering staff can prepare the correct amount of food eliminating the need to waste food which reduces emissions from production, transport and physical waste. Approx £1.2million meals are pre-ordered annually using our solutions across the UK contributing to improving the environment for our and future generations. ; ; We will commit to continually review and survey schools to ensure waste impact is analysed and the product improved/adapted. We will commit to being innovative and keep developing solutions that will positively impact the environment.

  Equal opportunity

  CRB Cunninghams are an Equal Opportunity employer and committed to ensuring a respectful, non-discriminatory or prejudicial relationship with our employees, potential employees, customers, partners, suppliers and the wider community. All staff have undergone Diversity and Equality training. ; ; We are an accredited Equalities Employer. ; ; We are in an enviable position where we have a very low staff turnover which is testament to our employee engagement practices and the fact that we pay better than the market rates for the job roles in our organisation and encourage a healthy work-life balance for all employees. From January 2024 the number of days leave was increased for all staff. We operate an open policy for flexible working and career breaks and staff in roles where it is possible are able to work from home or to work hours to suit their personal needs.; ; All our staff are employed on a salaried basis and paid above the Living Wage. We do not employ hourly paid operatives and we do not operate any zero hours contracts. ; ; CRB Cunninghams have a ‘Talent Development’ Programme which affords every employee the opportunity to get further training and development to enhance their skills and potential within the organisation and beyond, not just in their current role but to be able to feel confident in other roles across departments within our business and across the Jonas Group which operates in 30 countries. ; ; Our recruitment policies and procedures ensure that we have or make available positions which are suitable for the creation of a diverse workforce. All our recruitment policies promote equality of employment and we do not discriminate on the grounds of any diversity. The policies are available to all management and lead supervisory or those with recruiting responsibilities via our HR software or via training/webinars delivered by the HR team.

Pricing

• Price: £349 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@crbcunninghams.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.