RailSmart

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: Routine server maintenance is performed in a regular window on Tuesday evenings after 10pm, with any software deployments requiring downtime performed by prior arrangement before 9am on a weekday morning. Mobile applications are supported on current versions of iOS/Android and 2 previous versions. Due to the wide range of Android devices available we maintain known reference devices which can be added to on request.
System requirements: Mobile applications: iOS or Android

Web application: Recent supported web browser

Supported on current and previous 2 operating systems releases

User support

Email or online ticketing support: Email or online ticketing
Support response times: Standard Support levels do not include evening, bank holiday or weekend cover. Extended support hours can be contracted at a premium for P1 and P2 severity incidents in line with standard response times.

We offer a 2nd Line Service as standard with the expectation that the customer provides 1st line triaging and support for their users. 1st Line Support can be offered by 3Squared at extra cost.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Support is provided in house by Software Support Analysts technically trained in our applications and knowledgeable about your business sector. Standard 2nd Line Support is included in the license price, with 1st Line Support for all ticket types and/or Extended Support Hours (evening and weekends) for P1 and P2 incidents available at extra cost. Standard Support provides office hours support in line with agreed SLAs for any issues raised according to the following SLA: P1: Critical - Response within 1 business hour, Resolution Plan within 2 business hours. P2: High - Response within 1 business day , Resolution Plan within 2 business days. P3: Medium - Response within 2 business days, Resolution Plan within 5 business days. P4: Low - Response within 3 business days. Extended Support costs will depend on size of organisation and specific coverage required.
Support available to third parties: No

Onboarding and offboarding

Getting started: 3Squared have a robust, tried and tested onboarding process that has been continually improved using lessons learnt from previous implementation projects. The process consists of five main stages. In the first Analysis and Planning stage the project plan is agreed, teams identified and project governance is outlined. We begin aligning the software to current business processes and undertake data mapping exercises. During the Software Set Up stage we provision a specific instance of the software and undertake the necessary data configuration and import. In the third stage we undertake internal and client testing. This involves a collaborative pilot where feedback is gained from a small group of end users. In the fourth stage we will work with the client to devise an engagement and training strategy that caters to the specific needs of the business. This an include face to face training, distance learning or a blended approach. During the final stage, the software is rolled out across the business. We will work with the client every step of the way to ensure the transition is as smooth as possible. We pre-define communication strategies and collaboration for the early life support period.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: On contract end, by request, a database export of all company data within the system can be provided
End-of-contract process: Upon contract end, all client data is hard deleted within 6 months.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Chrome

Safari
Application to install: Yes
Compatible operating systems: Android

IOS
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: For the products which have companion apps (EDS, IM, DFH and SafeTrack), these are aimed at end users, allowing them to access and input data such as submitting assessments, recording incidents and defects and reading documents. While the web versions generally also include these features, they also have admin tools such as user management, reporting and more.
Service interface: Yes
User support accessibility: None or don’t know
Description of service interface: Our products give clear visibility of data ranging from employee competencies, to incidents and defects, route maps and rosters. Data tables provide overviews which can be filtered and sorted, while reporting dashboards available in the majority of our products give business insights. The web apps make managing this data easy, allowing creation, editing and deletion. Where we have companion mobile apps, users can easily access the data they require on the move, uploading consists, delay reasons, assessments and more.
Accessibility standards: None or don’t know
Description of accessibility: Our products vary in accessibility, and is something which we are continuously improving. Overall, they partially support 10.2.7 Info and Relationships, 10.2.8 Meaningful Sequence, 10.2.10 Use of colour 10.2.14 Images of Text, 10.2.9 10.2.13 Resize Text, Three Flashes or below threshold and 10.2.21 Document Titled, 10.2.37 Parsing, 10.2.28 Name, Role and Value, 10.2.5 Headings and Labels, 10.2.23 Link purpose, 10.2.33 Error Identification, 10.2.34.

In general our products do not support 10.2.15 Keyboard, 10.2.16 Keyboard Trap, 10.2.26 Focus visible, 10.2.27 Language of Page.

Remaining criteria do not apply to the content or structure of our products.
Accessibility testing: This is not an area where we have performed any formal testing, however we are happy to work with you on order to meet any requirements you have around Accessibility and Assistive Technology.
API: Yes
What users can and can't do using the API: Users can request access to the RailSmart API which currently provides data from EDS. Once this is set up by us on behalf of the user, they can then access and update a wide range of EDS data, from assessments and users to competencies etc.
API documentation: Yes
API documentation formats: HTML
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Buys can request customisations to meet their specific business requirements on a product by product basis at an extra cost. Requirements are agreed following a discovery workshop and delivered via a robust project methodology.

Scaling

Independence of resources: Our applications are deployed using cloud computing platforms where possible, services can be sized to meet capacity requirements, with automatic scaling enabled where appropriate. In situations where one customer could adversely affect the performance of the platform through normal usage, customer level resource isolation is used to mitigate this risk.

Analytics

Service usage metrics: Yes
Metrics types: Within our applications, reporting dashboards give insights into behaviours and trends within the system which can be used to measure operational business goals and provide insights into behaviour, as well as allowing easy monitoring of compliance with relevant policies. Monthly service reports can be provided detailing service desk engagement statistics, along with additional user behaviour information taken from a suite of Analytics services integrated into our platforms. Custom reports are available on request through the service desk on an ad hoc or regular basis.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users request data access through their internal designated RailSmart admin who raises a ticket with our support team. The exported data is then provided by our a support team in an encrypted, password protected zip file.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The Target availability for this application is 99.5%, excluding agreed maintenance periods. For the avoidance of doubt the calculation of Availability will be: (Number of days in period) x 24 – (Cumulative hours down time for such period) / Number of days in period. There is a sliding scale of License Fee reductions applicable to the period starting at 10% should availability drop below 99.5%, 20% below 97%, and 25% should availability drop below 95%.
Approach to resilience: Full details of service resiliency are available on request. As a basic principle all our solutions are hosted using high performance enterprise cloud solutions backed by service availability guarantees, ensuring the underlying infrastructure SLAs exceed the service SLAs. All services are provisioned with automatic backups to enable restore from total loss to be made in a timely fashion, and critical components are deployed in a resilient fashion where possible. Extensive system monitoring is in place to alert engineers in the event of any problems being identified.
Outage reporting: Service Outages are reported by email alerts and follow up phone calls where the applications in question are critical to the business of the customer. Certain applications with dependency on third party systems additionally contain alert banners within the system to notify of any degraded service provision as a result of external factors.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Username or password
Access restrictions in management interfaces and support channels: Access to the system is controlled by user accounts with role based permissions. Access to certain user data can be further restricted based on the organisational hierarchy. Access to our support ticketing system is limited to a pre-defined list of users, who access the service username and password. These user accounts are created as the service moves from Early Life Support (ELU) to Business as Usual (BAU).
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: British Assessment Bureau
ISO/IEC 27001 accreditation date: 11/12/2023
What the ISO/IEC 27001 doesn’t cover: N/A, our statement of applicability covers the delivery of Software Solutions.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: Cyber Essentials
Information security policies and processes: As part of our ISO27001 certification, 3Squared implemented an Information Security Management System which consists of a number of controls including policies and processes to control our information security risks. Our in house, cross departmental compliance team own the ISMS and are responsible for designing and implementing appropriate policies and procedures. All staff are trained on these when they join the organisation, with direct line managers responsible for ensuring they are followed. Any staff found not following these policies or procedures are dealt with inline with our disciplinary procedure. In order to verify our policies are followed, internal audits are conducted monthly by an individual who is independent of the compliance team and is appropriately trained. 3Squared also employs a security hotline which all members of staff can use to highlight security concerns or risks. These are then triaged by the compliance team and appropriate action taken.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All work undertaken on our products follows our Secure Development Lifecycle Policy. This ensures security is considered from initial conception and then validated prior to deployment to a production environment. Steps we take to assess potential security impacts include threat models on the infrastructure and vulnerability scanning. Prior to deployment to a production environment, our applications are subject to a thorough functional testing process to ensure there are no critical defects that may impair our end users.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Information about potential threats is sourced through subscriptions to vendor and industry notification services, and these are assessed for risk based on potential impact and likelihood. Where the risk is high we will take immediate steps to mitigate the risk and deploy a patch as soon as practical. For all risks which do not exceed the threshold patches will be deployed on a monthly basis within a predefined maintenance window.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We employ passive monitoring on our servers, monitoring items such as: Disk, CPU and Memory usage. Should these certain level above our standard threshold, alerts are triggered to key personnel who can immediately investigate. At 3Squared we employee a major incident and data breach process that staff are aware of, which is to be followed in the event of an incident. These processes also include the client communication process, ensuring impacted clients are notified as soon as possible.
Incident management type: Supplier-defined controls
Incident management approach: 3Squared employees 2 distinct incident management processes; 1 for major incidents (classified as outages to the system or any defect in production categorised as 'Critical) and a second specifically to handle data breaches. Defects are initially identified via our support or IT teams and my come from a client or internally. Once it has been triaged and established as a Critical issue (a P1), the issue is escalated to director level and appropriate resource is assigned to investigate and resolve the issue. Once resolved, incident reports are provided to clients in written form.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Tackling economic inequality

Fighting climate change

While transport by rail is already a key part of the modal shift required to reach net zero, our software such as CoPilot goes one step further by encouraging greater fuel efficiency. By giving drivers the information they need to monitor their speed and progress throughout their journey, they can reduce the amount of dwell time and ensure they keep moving. This combined with RailSmart IM and IMS means that any disruption can be managed, all with the end goal of improving rail transport and getting cars and lorries off the roads.

Tackling economic inequality

Through extensive collaboration with passenger and freight operators, we have developed software customised to meet the exacting needs of the rail industry to modernise delivery, influence change and provide innovative and disruptive technological solutions. With diverse working groups at the core of our products such as RailSmart EDS and SafeTrack, our software supports businesses in improving their processes and efficiency in areas such as competency and incident management, consisting of trains and even the train journeys themselves.

Pricing

Price: £20 to £295 a user a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

RailSmart

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents