HANDS HQ

HandsHQ: Risk Assessment and Method Statement (RAMS)

HandsHQ is a Risk Assessment and Method Statement platform, which helps customers to create better RAMS in less time. Businesses can easily create professional, site-specific RAMS and COSHH documents in minutes, thanks to an easy-to-use system with an extensive content library of risk assessments.

Features

  • Project/task-based risk assessments and method statements
  • Site-specific risk assessments and method statements
  • COSHH assessments, MSDS; PPE
  • Extensive content library with hundreds of risk assessments
  • Construction Phase Plans: compliant with CDM 2015 regulations
  • Internal approvals workflow
  • Digital signatures
  • Customisable templates and risk content library to meet organisational needs
  • Risk Register for central control and compliance
  • Integration with Procore to include RAMS in project documentation

Benefits

  • Create better RAMS in less time
  • Improve collaboration in occupational health & safety
  • Access RAMS documents on-the-go
  • Audit trail automatically captured to achieve industry standards
  • Effortless approval workflows to accept/reject documents
  • Comprehensive history of when, by who and why projects changed
  • Consistent, professional-looking on-brand documents
  • Completely customisable: add logos, employees, and images
  • Accelerate digitalisation: quickly move away from paper
  • Simple design-driven platform that requires limited technical skills

Pricing

£2,500 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at help@handshq.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

200014296043277

Contact

HANDS HQ Jamie Carruthers
Telephone: 020 3318 4901
Email: help@handshq.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
HandsHQ: Training Register
Cloud deployment model
Private cloud
Service constraints
As a cloud platform, HandsHQ has limited constraints associated with the platform. An internet connection is required to use HANDS HQ. Each user will have their own individual login accessed via an email address.

The platform works across all the latest browsers; however, we do suggest using Google Chrome if you have the option. HandsHQ can be used on desktop, tablets and smartphones; however, tablets offer the best user experience due to the size of the screen available.
System requirements
  • Active internet connection
  • A modern web browser (ideally Google Chrome)

User support

Email or online ticketing support
Email or online ticketing
Support response times
We aim to respond to questions received during normal business hours within 1-2 hours.
Normal business hours are Monday to Friday, 9am-5pm.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
HandsHQ uses Intercom to power web chat. All Intercom products are built to be accessible, including Screen Reader Support, Keyboard Navigation and Colour Contrast.
Onsite support
Yes, at extra cost
Support levels
As standard, all HandsHQ customers have access to an online knowledge base containing FAQs and live chat/in-app support during office hours.

Customers on some Teams and Enterprise pricing plans have a named, dedicated, Customer Success Manager who provides initial platform set up, onboarding and continuous learning throughout the organisation. This can include, but is not limited to, site visits, in-person training days and webinars.
Training plans are customised to suit customer requirements. Training covers all aspects of the software, including different features, functions and permissions.

All customers can upgrade the service and support they get with our services package. This can include premium response times and additional training sessions.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The onboarding process for all new customers of HandsHQ includes access to an online knowledge base, phone and email support and in-app support during UK office hours. For larger Team and Enterprise customers we create customised training plans that ensure all individual needs are met. This can include, but is not limited to, on-site training and web training. As an optional service, Team and Enterprise accounts can request support in setting up a customised content library for their account. This involves the account manager rationalising and migrating the client’s existing RAMS content onto the HandsHQ platform, as well as potentially setting up multiple divisions to help control access across a larger business.
Service documentation
Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Online knowledge base
  • Video
End-of-contract data extraction
Customers are able to access, and export, their data into PDF format or CSV depending on data type while they have an active HandsHQ subscription. For a period of two years following the termination of a contract, their data will be securely retained. If within that period of time their subscription is not reactivated, their data will be deleted.

During that two-year period, former customers of HandsHQ are able to contact the team should they wish to access their documents without reactivating their subscription. Documents will be supplied in PDF and data in CSV format.
End-of-contract process
HandsHQ customers are required to inform the company of the decision to terminate the agreement with 30 days' notice.

Upon termination of the agreement, customers can choose to receive a folder containing all of the documents stored in the HandsHQ platform in PDF format; data can be supplied in CSV format on request.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
No
Service interface
No
User support accessibility
WCAG 2.1 A
API
Yes
What users can and can't do using the API
HandsHQ offers API integration via the automation tools Zapier and Microsoft Flow. Customers who wish to use the API simply need to contact their Customer Success Manager, who will provide their API key and guide them through setup. HandsHQ also offers direct API access for those who want to use completely custom solutions and have the technical know-how to implement them. This also uses an API key to interact with the API, and the documentation will be made available to the developers using the API. The API currently supports:
  • Subscriptions to webhook notifications when a new PDF is created within the app, such as when creating a project or updating an existing one
  • Actions such as creating new projects, duplicating them, managing the personnel on a project, and interacting with the digital signatures feature
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
HandsHQ can be customised to each customer's requirements. It can be set up to reflect the organisation structure of a customer's organisation, including separating divisions and teams of an organisation.
Custom branding is available.
Customers can have their own custom templates added to the platform and are able to upload their own custom content in addition to having access to the HANDS HQ content.
Custom templates are built by the HandsHQ customer success team. The users can also add custom content to their RAMS library, depending on their package.
The front-end of the platform can be customised to reflect our customers' branding. The layout of the final documents produced within HandsHQ can be customised to align with the look and feel of our customers' existing documentation.

Scaling

Independence of resources
HandsHQ uses an Auto Scaling service which monitors applications and adjusts capacity to maintain a steady service. The service, provided by Heroku, means that demand is never an issue. Additionally, we receive a number of alerts around capacity thresholds as a backup.

Analytics

Service usage metrics
Yes
Metrics types
Metrics for:
  • Current RAMS projects
  • Top risks per project
  • Signature status
  • Approval status
  • Number of projects created over time
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Other
Other data at rest protection approach
The database plan we are using via Heroku is encrypted at rest with AES-256, block-level storage encryption.
We protect data in transit by requiring the use of HTTPS for all application communication.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Customers or ex-customers can contact the HandsHQ team through any of our support channels to request a data export.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
  • CSV
  • Other
Other data import formats
PDF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
HANDS HQ has a target of 99.6% uptime. For any downtime beyond one consecutive day, customers will receive pro rata credit to their account.
Approach to resilience
HANDS HQ use Heroku and AWS; details of their data centre measures can be found on their websites. The HANDS HQ platform has been built with a high level of self-healing and redundancy. If there is a failure, we are alerted immediately. Our databases are backed up daily; in the event of an outage, we can restore to any point in time over the last seven days.
Outage reporting
Customers are informed of any upcoming downtime at least two days before it occurs via email. In cases of unexpected downtime, we inform customers it has occurred, the reason why, and the steps we are taking to mitigate risk. We additionally publish downtime statistics on the HANDS HQ website.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
We use an access control matrix to ensure that only staff who require access to high impact systems are provided with it. As well as this, HANDS HQ has several additional policies in place, such as reviewing privileged access at ISO Committees. We also have a staff offboarding process to ensure all systems access is adequately removed on their last day or before, depending on the situation. We do not allow our staff to decrypt or download customer confidential data, but those that have the access rights to do so are limited.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
13/06/2018
What the ISO/IEC 27001 doesn’t cover
The whole business is covered by this certification
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
HandsHQ has ISO 27001:2022, which is headed up by our CEO. The company adheres to multiple policies and procedures that are required or are best practice in line with ISO 27001, including Asset Management, Access Management, Third Party Management, Secure Development practices etc. (see our SOA for which controls apply). HandsHQ runs an ISO Committee every quarter, which reports on the effectiveness of our ISMS, and conducts quarterly internal audits. We ensure policies are followed through internal audits and staff management, both day-to-day and via performance targets. HandsHQ holds regular security training and inductions to ensure all staff remain aware of the security policies and are kept up to date with the latest threats and vulnerabilities.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
HandsHQ is built with Ruby on Rails with Postgres hosted on Heroku/AWS.

We use a product management tool (Product Board) to gather feedback/issues from customers, which are prioritised by the development team. All code is peer-reviewed and we use a test-driven development methodology with a target of 95% test coverage to ensure code quality. We have continuous monitoring of all code dependencies to identify security issues, and all new features are run against our penetration testing tool. All of the development team are trained in secure development practices and we adhere to OWASP best practices.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Code will be assessed for vulnerabilities, dependencies and known issues by using a combination of continuous code checking through Code Climate and GitHub tools, and then half-yearly vulnerability scanning using ZAP on our staging environment, which is an identical reproduction of our production environment. These tools rate the risk in three layers and HANDS HQ has applied timescales for each.

The team will log test results in a spreadsheet and state which are applicable to the Production environment, which will take priority. Where necessary, the team will adapt the impact accordingly and detail the reasoning for the change or downgrade.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We monitor service downtime and degradation using a variety of tools, which measure at intervals ranging from continuous to up to an hour. We monitor vulnerabilities and capacity as previously described. Alerts are flagged immediately and assessed for their severity by a member of staff. If the issue is categorised by the staff member as an incident, they will invoke the incident management procedure.
Incident management type
Supplier-defined controls
Incident management approach
HandsHQ uses Asana for incident management purposes. Employees report any CRITICAL/HIGH incidents immediately to co-founders who will record the information going forward. MAJOR or MINOR incidents can be added directly. An impact rating will be added to the case as follows:
  • URGENT: Leak of confidential information (Fix within 72 hours)
  • HIGH: Partial loss of service or potential corruption of data (Fix within two weeks)
  • NORMAL: Loss, corruption or leak of non-core functionality (Fix within three months)
Knowledge gained from analysing and resolving information security incidents is entered into future test scripts to prevent the issues arising again.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Wellbeing

Our software ensures that employees are kept safe while working by providing comprehensive risk assessments.

Pricing

Price
£2,500 a unit a year
Discount for educational organisations
No
Free trial available
No
