mtc Media Ltd

Kiosk design and development

mtc provides a full service digital design and development service agency providing a range of specialist services. Our kiosk user interface design and development service is aimed at independent theatre, cinema, and visitor attractions, using Spektrix as their ticket fulfilment and CRM software provider.

Features

• User centred service design principals
• Collaborative practice involving client and key stakeholders
• Design sign-off accompanied by full project development specification
• Real time Spektrix API integration
• Ability to control individual kiosks
• All content drawn from Spektrix (no additional content management required)
• Online collaboration project management tools
• Tailored reporting
• Robust solution

Benefits

• Simple to browse and book events
• Open when your box office is closed
• People like to self serve
• Serve more than person at a time
• Sell value add on such as drinks and snacks
• Collect donations and GiftAid
• Assign individual kiosks to different event categories
• Cost effective solution
• Relieve staff to perform other duties
• 24/7 support available

£10,600 a licence

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.flack@mtc.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

137891265069509

Contact

Andrew Flack
0844 804 2021
andrew.flack@mtc.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: The mtc kiosk solution is an add on to Spektrix CRM and ticket solution. Customers should already be or are considering using Spektrix for their ticketing software solution.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: The service is only available for organisations considering or already using the Spektrix ticket solution. The solution is currently only available when paired with a physical kiosk supplied under a separate contract with Evoke Creative, a leading UK supplier of kiosk hardware.
• System requirements: Only compatible with Spektrix ticket solution software

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Responses range from immediate to several hours depending on the urgency of the ticket. Emergency issues can also be raised by telephone. Out of hours support is provided at an additional cost.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support is provided during office hours - 9:00 - 5:30. During this time customers may call the Helpdesk. Similarly tickets will be attended to during this time. ; ; Customers may also opt for an extended bespoke SLA offering out of hours support as well as any specific support requirements. ; ; Clients opting for a support SLA are placed under an account manager. The purpose of the support SLA is to troubleshoot any issues arising and to ensure the timely attendance to issues requiring intervention. ; ; SLA fees (Feb 2024) start at £2,250 in year 1, rising to £3,600 in following years.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Our service is analogous to developing a website. The process starts with a process of discovery to investigate the venue's requirement for kiosks. ; ; Following discovery a designer develops a wireframe of the kiosk interface to check and agree the user journey. Upon agreement of the user journey fully branded design are produced along with a technical specification. ; ; Upon sign off of the design and specifications the development team proceed with development leading to virtual testing prior to installation on the physical kiosks at the venue location. ; ; Training requirement is minimal but can be provided at the venue.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The mtc kiosk solution does not store any data. All data is drawn from the client's Spektrix database which is wholly separate to the mtc kiosk service.
• End-of-contract process: There are no specific costs to end the contract with mtc. However, where hosting has been paid in advance a maximum value equal to 3 months hosting is deductible from the refund.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service interface is design to work on specific kiosk screen sizes/resolutions. The purpose of the kiosk is to allow customers at theatre, cinema, and visitor attractions to browse and book event tickets. The interface guides users on a carefully constructed user journey towards payment and ticket collection.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: The service has been extensively tested at customer locations and amendments, enhancements, and updates made following feedback. Assistive technology is not currently in place on kiosks.
• API: No
• Customisation available: Yes
• Description of customisation: Our kiosk design service is targeted at theatres, cinemas, and visitor attractions. It is adaptable to suit the needs of the individual commissioning organisation. mtc works collaboratively with the customer organisation to customise the service to their unique requirements.

Scaling

• Independence of resources: Mtc is a large full service digital design agency. Work load is carefully planned and managed by an integrated operations and project management team. It is the team's responsibility to ensure time is amply ring fenced for each project to safely make its way through the production cycle.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: No data is held
• Data export formats: Other
• Other data export formats:
  • No data is held in the system.
  • Data is drawn through a live API linked to Spektrix
• Data import formats: Other
• Other data import formats: Data is drawn in through a Spektrix API

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our server uptime is guaranteed as 99.9%. ; ; Where a service is not available due to a system bug we aim to identify the issue within 2 hours and to fix the issue within 1 working day. ; ; Issues are graded from critical to low. Critical issues are resolved within 4 hours and low grade issues are resolved within 5 days.
• Approach to resilience: Mtc physical hosting infrastructure is wholly owned and managed by mtc and deployed within NTT Global's Data Centre, Hemel Hempstead. Servers are monitored 24/7, 365 days a year, using a range of automated and manual intervention systems. Servers are backed up at least twice daily, both onsite and offsite, working to the grandfather, father, son, back-up rotation principle. ; ; Regarding encryption no personal or transactional data is stored on the system server. All sensitive data is stored on the Spektrix data system, wholly separate to the mtc kiosk solution. Data in transit between the systems is encrypted using TLS1.3 cypher. ; ; When server equipment reaches its end of life mtc employs a certified data equipment disposal service.; ; More information about our datacentre setup can be found here: https://services.global.ntt/en-us/services-and-products/global-data-centers/global-locations/emea/hemel-hempstead-2-data-center
• Outage reporting: The mtc server team constantly monitors our servers for any issues arising that may affect the performance or availability of our service. Where an issue arises, the server team receives automated alerts through several channels. Where the issue relates directly to the kiosk service they will raise a ticket for the attention of the mtc client account manager. Where an issue is affecting the functionality and user experience of the service, contact will be made with the affected client/s to notify them of the issue and to furnish them with any particular advice and the intended plan to rectify the issue.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Entry to the service is through a kiosk interface. Users do not require a log in account to access services on the kiosk. The kiosk owner is typically a theatre or visitor attraction. Some users at the kiosks may be registered members at the venue, if so they can soft-login using just their account username. This will gain them access to member privileges such as discounts. A logged in user is not able to manage their account. The venue does not require a login to the kiosk system.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Less than 1 month
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Note: mtc is currently working towards ISO 27001 accreditation.
  • UCAS Accreditation is aimed to be achieved by June 2024

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Mtc has a set of detailed functioning information security policies in place to protect all mtc and client information systems. Our guiding principle across all systems is that access to systems is founded on a need-to-know basis. ; ; Furthermore mtc is currently working towards ISO27001 accreditation. We are reviewing and modifying our processes as required to correctly align with the standard. We anticipate gaining accreditation by June 2024.
• Information security policies and processes: Mtc is currently gaining ISO27001. ; ; mtc policies:; ; Roles and Responsibilities: Staff across the company are trained in relation to information security.; ; Information Classification: Information is classified based on its sensitivity and importance.; ; Access Control: Procedures manage user access to systems and data, including user authentication, authorization, and account management.; ; Data Protection: Data is protected from unauthorized access, disclosure, alteration, or destruction.; ; Network Security: Networks are protected by firewalls, intrusion detection systems, and network segmentation.; ; Endpoint Security: Corporate devices are managed through endpoint management software. BYOD's are controlled by Device Management Policies and subject to routine maintenance checks. ; ; Incident Response: Procedures are in place for detecting, reporting, and responding to security incidents, including incident identification, containment, eradication, recovery, and post-incident analysis.; ; Physical Security: Buildings are protected by electronic entry and surveillance systems. ; ; Training and Awareness: Information Security training is provided as part of employee onboarding and regular compulsory IS awareness training.; ; Policy Enforcement and Monitoring: All staff are bound by contract to adhere to IS policies. The company will be subject to annual external audit.; ; Policy Review and Revision: An InfoSec group will meet monthly to review and update policies in response to emerging threats, technological changes, and organizational requirements.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes to the kiosk system software are managed separately to the client's live system. The development process utilises a controlled version control system, whereby changes are made on a remote version of the build and pushed to the live environment with change logs present. ; ; Changes are fully tested before deployment to the live system. Developers are fully trained to recognise changes that may represent a security risk and to carry out further testing in a safe environment to eliminate any risk before deployment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We currently carry out quarterly penetration tests across our hosting infrastructure to assess potential threats. In tandem with this activity we utilise SIEM and XDR software across the hosting infrastructure to provide realtime information relating to potential threats. Required patches are applied within 7 days.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Mtc employs the Monarx linux server antivirus software across their hosting infrastructure. This provides realtime scanning and protection. ; mtc utilises XDR/SIEM systems alongside automated malware protection to identify potential compromises. ; When a potential compromise arises, responses are automatically triggered including automatic quarantine/blocking systems. ; Response times are scaled according to the threat and range from immediate to 1 day.
• Incident management type: Supplier-defined controls
• Incident management approach: Staff report and incident through a SharePoint form. The form uses simple logic to categorise the incident and to populate a central incident tracking system. When an incident is reported and email describing the incident is sent to the incident response team. The response team lead triages the incident and notifies the team of what action is required. If the incident is considered critical, the team will meet immediately to agree next steps. When resolved, the incident is closed in the database and set for review at the next InfoSec Group meeting.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  By placing information and ticket purchase kiosks in venue locations, customers are gaining full access to browse all events available at the venue at any time the venue is open. This is of particular advantage to users that are elderly or disadvantaged and who therefor may not have access to the internet at home.

Pricing

• Price: £10,600 a licence
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.flack@mtc.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.