Pax-CM
PaxCM is our cloud-based school contract and passenger transport management system. Built specifically for SEND transport and Mainstream passenger transport departments in a LA to deliver safe and efficient home to school transport. A modern, integrated passenger transport software supporting operational management, financial outcomes as-well-as integrations with other software systems.
Features
- Contract Route Management
- Customer Management
- School & Establishment Management
- Supplier Management
- Reporting
- Financial Management & Reporting
- Admissions Data Import
- API with QRoutes Route Planning software
- Driver & Assistant Record Management
- Automated Customer Processes
Benefits
- Designed specifically for Passenger Transport Services in a Council
- Quick and easy to import data for system set-up
- Modular system to meet Council service and budget requirements
- Designed to integrate with other Council systems and software
- API with QRoutes for route planning
- Hosted in an accredited ISO27001 UK datacentre
- Improves operational efficiency
- Comprehensive financial forecasting with in depth analysis
- Intuitive and easy to use
- Saves on contract route costs
Pricing
£17,000.00 to £35,750.00 a unit a year
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
1 5 8 2 8 8 6 1 9 4 0 9 0 4 8
Contact
PAX Systems Ltd
Phil Dyson
Telephone: 07973703165
Email: phil.dyson@paxsystems.co.uk
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Pax CM has full integration into the 'QRoutes' scheduling system to enable seamless route planning and optimisation.
- Cloud deployment model
- Public cloud
- Service constraints
- No
- System requirements
-
- Stable connection to public internet
- A modern browser with latest updates applied
- Software to view/edit csv, docx, xlsx and pdf files
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
During business hours and where any further support is required issues will be prioritised based on severity.
Priority 1 response is immediate.
Priority 2 response is within 16 hours.
Priority 3 response is 24 hours.
During weekend and public holiday hours response to critical issues will be immediate and all other non-critical issues will be actioned on the next working day. - User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
-
Pax CM support is included as part of the annual subscription fee. This includes:
- unlimited online and phone support.
- standard system configuration.
- initial start-up training package.
All support between the customer and Pax Systems is overseen by a technical account manager. - Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Pax Systems, under the terms of the contract, will support the system configuration and migration of all current data from existing systems and deliver an implementation project to move Council’s to the live Pax-QR environment.
Pax Systems will work with the Local Authority to configure the user rights, secure access or single sign-on, configure reference data, migrate the data from existing systems, train users and provide training material prior to going live.
Thereafter help desk Support is provided to users via telephone, email and an online support ticket system - Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
-
All data can be extracted directly from Pax CM by an end user with administrative rights, in csv format .
Pictures and documents can be extracted as well. - End-of-contract process
-
Pax Systems, at the end of the contract, will support the Council to moving to a new software service by advising on the export of all the static data in a .csv format and data items such as pictures and documents can be exported directly to disc. For an additional cost the Pax-QR environment and data can be retained for up to a further 30 days to support any Council post-contract queries.
All Council data will be securely destroyed between 30 and 120 days after the contract has ended. A copy of the back-end database and written confirmation that Pax no longer retains any customer data, login credentials or any other sensitive details relating to the customer, will be provided at no cost.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None
- Service interface
- Yes
- User support accessibility
- None or don’t know
- Description of service interface
- Our service interface is the web application front end. From this application the configuration and security can be managed by a system administrator.
- Accessibility standards
- None or don’t know
- Description of accessibility
-
Pax CM incorporates a number of facilities to support identified system accessibility requirements, such as colour scheme, fonts and font size.
Pax will continue to work with customers to identify any further accessibility requirements and any required works will be undertaken as part of the annual subscription cost. - Accessibility testing
- Our interface testing includes setting up colour schemes and font sizes that will improve the accessibility for visually impaired users.
- API
- Yes
- What users can and can't do using the API
-
School Admissions API - Users can setup the service through this API which allows the import of new year pupil data from an education admissions system.
Reporting API – An API to allow access to the system data and enable connectivity from third party BI tools.
Pass Printing API – allows the pass details of customers in Pax CM to be sent to pass printing organisations and printing confirmations to be received back. - API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
Reference Data -
Users can customise the contents of all drop down fields.
Dynamic Attributes -
The system also provides functionality to allow the creation of dynamic (user defined) attributes. This feature can be restricted to authorised users.
Letters -
Along with a standard set of letter templates the system also provides the functionality to create bespoke letter templates. This template functionality is available within the core system and is available for authorised users.
Reports -
Along with a standard set of reports, the majority of reporting data is also available in a CSV or Excel xlsx format. The system also provides functionality to access the system data directly to enable the creation of reports through organisational Business Intelligence tools.
Bespoke development can be requested by the buyer.
Scaling
- Independence of resources
-
Each customer has a dedicated and isolated environment.
Within each customer environment the resource requirements are baselined on an assessment of typical usage, however, resources are allocated dynamically and scale up as necessary to match any demand.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Pax provides the following periodic service metrics on a monthly basis:
- Time spent per user per day
- System up-time statistics
- Number of new, closed and outstanding support calls - Reporting types
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
-
System User reporting - Data can be exported from Pax CM to Excel from multiple screens. This allows users to view data on screen and then export the selected data into Excel .
Export for route planning - contract and customer data can be selected and exported directly into the 'QRoutes' system for route optimisation and scheduling. - Data export formats
-
- CSV
- Other
- Other data export formats
- Docx
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
Pax Systems uses commercially reasonable endeavours to make the service available for the agreed work pattern with the customer. Outside of the agreed work pattern the system can still be made available to users at short notice.
All planned maintenance will be scheduled out of hours and communicated in advance. - Approach to resilience
- Available on request
- Outage reporting
-
We report any outages to all system users by email.
All planned outages are scheduled outside of agreed work patterns.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
- Other
- Other user authentication
- Preference for Single Sign ON or System access can optionally be set to be restricted to be from within the customers local network domain. Local and remote users (via VPN) must therefore login to their network domain before they can login to Pax CM. Login attempts from IP address ranges other than those configured in the system will be denied access.
- Access restrictions in management interfaces and support channels
- Access to management interfaces and support channels is restricted to be from within the customers local network domain.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
- Other
- Description of management access authentication
- System access can optionally be set to be restricted to be from within the customers local network domain. Local and remote users (via VPN) must therefore login to their network domain before they can login to Pax CM. Login attempts from IP address ranges other than those configured in the system will be denied access.
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
-
Cyber Essentials
Cyber Essentials Plus - Information security policies and processes
-
Pax Systems has a Cyber Security Framework created to specifically control and direct our approach to information and cyber security risk. We align our security framework with the National Cyber Security Centres 14 Cloud Security Principles framework to manage risk and response with policies in place providing clarity on the processes, procedures, roles and responsibilities for risk and sets out how risks are managed.
We have a Chief Information Officer at board level with responsibility and oversight of our data and system security and a second Director at board level responsible for ensuring controls are in place for all Information Security policies and procedures.
Our IT risk management controls provides key management information about the status and performance of our information security management. It combines important metrics about assets, risk assessments, security incidents and documentation status to provide system-wide visibility of Pax Systems information security health.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
We have the relevant policy, procedures and systems in place to ensure our security governance.
Software changes and change requests are managed through JIRA and deployed to a test server for review and acceptance testing prior to regression testing and deployment to live.
Configuration register is used for the product environment services which include deployment checklist during the setup of services, pre go-live check before switching on public (internet connected) services and performing vulnerability risk assessments of live services. - Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
We have a process for continuous monitoring of all critical elements of our SaaS infrastructure. This identifies any new configuration issue or vulnerability that could potentially cause a security risk.
Vulnerability identified through a daily feed from vuldb.com are assessed, then recorded in Jira, risk assessed to establish the immediate threat posed, vulnerability type and which software components are potentially affected. - Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Our protective monitoring processes includes third party penetration testing, pro-active patching of the SaaS environment and software, based on a daily feed of newly identified vulnerabilities from a vulnerability intelligence service.
Additionally we subscribe to services that alert us if any system account credentials are compromised.
We have internal logging alerts to monitor user access and identify unexpected activity.
The hosting provider has dedicated monitoring that supports the hosted environment and detect hardware issues and critical faults with the PaaS Platform.
Our response is determined by the potential risk that are exposed by the incident. - Incident management type
- Supplier-defined controls
- Incident management approach
-
There are pre-defined processes in our Business Continuity and Disaster Recovery Plan for handling common incident types (data incidents, system failure, performance issues, denial of service attacks, ransomware attacks, zero day critical vulnerabilities)
Our risk management software includes a security incident module which supports management and progress tracking of security incidents from initial reporting, through investigation and remedial actions to final closure, reports and lessons learnt.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
Fighting climate changeFighting climate change
Reduction in volume of vehicles required to deliver pupil transport service for local authority statutory services.
Pricing
- Price
- £17,000.00 to £35,750.00 a unit a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- A pre-configured version of the software is available for a short period to evaluate the system.