CUTTLEFISH SOFTWARE LTD

Visor Health & Safety Management System

Visor allows staff to report safety events and have the investigations of those events managed by the H&S team. The H&S team and other participants are proactively notified by the system as investigations proceed. Visor tracks follow-up actions to completion, enabling the team to prove what action was taken.

Features

Implements your workflow for managing investigations
Identifies user responsible for next action
Proactive notification emails to users when tasks assigned
Weekly reminder emails for open tasks
Full audit trail
Uses Windows user accounts for identity
Power BI reporting dashboard
Home Office returns produced by system

Benefits

Enables H&S team to track progress of investigations and actions
Automatic reminders for users and managers means less chasing
Always clear which user made which changes to investigations
Use of Windows user accounts means no forgotten passwords
Reduces admin burden to H&S team
Enables process improvement via KPI tracking
Data quality improved by validation at point of entry

£12,500 to £37,500 a licence a year

Service documents

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nick@cuttlefishsoftware.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

Contact

CUTTLEFISH SOFTWARE LTD Nick Mace
Telephone: 07312082959
Email: nick@cuttlefishsoftware.co.uk

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: None
System requirements: Users require their own Power BI licences

Permissions in Microsoft Entra ID required

User support

Email or online ticketing support: Email or online ticketing
Support response times: Support is provided during business hours: 8am to 6pm, Monday to Friday, except bank holidays and public holidays.

Responses times are:
2 hours - where the system is inaccessible
4 hours - where operation of the system is severely degraded
12 hours - where non-essential features are impaired
24 hours - where errors are non-disabling or cosmetic
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: No
Web chat support: No
Onsite support: No
Support levels: Support
Cuttlefish Software accepts support tickets submitted to the online ticketing system 24 hours a day, seven days a week. We will use reasonable endeavours to process support requests, determine the source of the problem and respond to the customer. We will use reasonable endeavours to respond to all support requests within the time periods specified.

Availability
Cuttlefish Software shall provide at least a 99% uptime service availability level during business hours. The uptime service level is to be measured as the number of possible minutes of availability during business hours in each month.
Support available to third parties: No

Onboarding and offboarding

Getting started: Customisation of the system by Cuttlefish Software is included in the price for the system. We will organise a kick-off meeting (which can be in-person or remote, as per the preferences of the customer) to talk through how the implementation project will proceed. We will then conduct remote meetings on a weekly or fortnightly basis to discuss progress. Cuttlefish Software has recorded training videos to demonstrate how to use the Visor system.
Service documentation: Yes
Documentation formats: Other
Other documentation formats: Video
End-of-contract data extraction: The organisation can extract its data when the contract ends from the OData reporting endpoint.
End-of-contract process: Users can download their data from the OData endpoint for free. If users want the data to be provided in a different format, then this will be charged for. If users want the copies of the uploaded documents attached to cases, then this will be charged for.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None
Service interface: Yes
User support accessibility: WCAG 2.1 A
Description of service interface: The system is a browser-based web application with a familiar look-and-feel. Users can see the tasks assigned to them and act on them. The H&S team can view the status of all tasks in progress and approve/reject work, as appropriate.
Accessibility standards: WCAG 2.1 A
Accessibility testing: None
API: No
Customisation available: Yes
Description of customisation: Cuttlefish software customises the investigation workflow on behalf on the customer. We do not charge for this services. It is included in the price.

Scaling

Independence of resources: The application consists of a web application and a database.
The web application layer is shared across customers; the number of instances can be scaled up immediately if the service is affected by high load.
The databases share an Elastic Pool. Resource utlization is reviewed on an ad-hoc basis. The size of this pool can be scaled up immediately if the service is affected by high load.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Other
Other data at rest protection approach: Azure SQL Databases use transparent data encryption
Data sanitisation process: No
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Data is provided to users via Microsoft Power BI, from which data can be exported in multiple formats. Document attachments uploaded into the system can be re-downloaded by users.
Data export formats: CSV

Other
Other data export formats: XSLX

Original format (document attachment download)

PDF
Data import formats: Other
Other data import formats: None

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Cuttlefish Software shall provide at least a 99% uptime service availability level during business hours. The uptime service level is to be measured as the number of possible minutes of availability during business hours in each month.
Approach to resilience: The system is delivered via Microsoft's Azure platform in the UK South data centre. Point-in-time backups are replicated to the UK West data centre. Document storage is also replicated to the UK West data centre. App service would be manually deployed to UK West if required.
Outage reporting: System uptime is monitored using a health check API endpoint and Microsoft Azure standard uptime monitoring will alert us if a threshold of failures is breached.
Customers can monitor this endpoint themselves if they wish.

Identity and authentication

User authentication needed: Yes
User authentication: Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels: The system comes with a fixed set of permissions. Users with the "user management" permission can define roles (a given set of permissions) and assign those roles to users.
Access restriction testing frequency: At least every 6 months
Management access authentication: Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: We follow best practices including OWASP development practices, and NCSC guidance for approaching cyber security.
Information security policies and processes: We have a Security Handbook, and Sensitive Data Policy. The director in charge of security is responsible for ensuring all staff are familiar with all relevant policy documents, and comply with them.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Changes to configuration in Microsoft Azure is audited.
Development is routinely peer-reviewed and assessed for potential security impact.
Deployment is automated, removing human error and ensuring service resources are deployed consistently, to our expected standard.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Microsoft Azure platform services are routinely patched with security updates with no supplier action required.
We routinely review third-party software used in building our application. We use Nuget security warnings to decide which updates are required. We review JavaScript libraries manually.
Time to deploy depends on the level of vulnerability: we can immediately deploy patches if a critical vulnerability is detected.
Protective monitoring type: Undisclosed
Protective monitoring approach: Microsoft Application Insights logs all activity within our application.
Changes to Azure infrastructure are logged.
We respond within 24 hours to any report of an incident. We would review all access logs available to us to determine whether suspicious activity had occurred.
Incident management type: Supplier-defined controls
Incident management approach: All incidents are considered on a case-by-case basis. Users report incidents via our standard support system. We provide incident reports via our support system.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Pricing

Price: £12,500 to £37,500 a licence a year
Discount for educational organisations: No
Free trial available: No

Service documents

Request an accessible format

Cookies on Digital Marketplace

Visor Health & Safety Management System

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents