REWARD GATEWAY (UK) LTD

Employee Engagement Platform and App - Benefits, Rewards, Wellbeing and Communications

A fully managed employee engagement solution inclusive of a client branded platform and App that centralises access to employee benefits, discounts, reward and recognition (including social recognition), wellbeing, surveys, total reward statements and communications.

Features

• Centralised employee benefits, reward and recognition, wellbeing and communications
• 24/7/365 access from any device in any location, including App
• Fully managed service including onboarding, training, communications and contract management
• Competitive retail discounts and offers across 850+ retailers
• 24/7/365 employee support via phone, email and live chat
• Fully branded and customised interface
• Benchmarked and vetted range of employee benefits
• ISO 27001, ISO 9001, Cyber Essentials Plus, SOC 2 compliant
• 62 options facilitate integration with your ecosystem and benefit providers
• Real-time activity dashboards and reports, scheduled payroll reports

Benefits

• Centralised benefits increase awareness of your Employee Value Proposition
• Positive UX and accessibility options drive engagement
• Multi-disciplined customer support minimise your onboarding and ongoing efforts
• 850+ retail discounts help employees' salaries go further
• Comprehensive employee support minimises queries addressed to your HR team
• Customised look and feel
• Wide range of benefits provide financial and mental wellbeing support
• Accreditations provide security, data protection and quality assurance
• Continuous secure data exchange via automated workflows
• Rich management information for scheme visibility

£0.65 to £1.80 a user a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders-uk@edenred.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

207135073178725

Contact

Colin Hodgson
01244 625331
tenders-uk@edenred.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Employee helpdesk provides 24/7/365 comprehensive support that minimise queries being escalated to customers. Multi-channel support available via:; • Email; • Live chat ; • Phone.; ; A second helpdesk provides dedicated 24/5 support to customers for technical queries via:; • Email; • Live chat ; • Phone; ; 90% of Live Chats are answered within 60 seconds.; Emails are responded to within 2 working days by a human.; Complaints are resolved within 5 working days.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Our partnership with Level Access allows us to leverage their technology platform and 25 years of experience to achieve and sustain conformance to accessibility standards. Their accessibility technology platform is used to evaluate our digital properties in accordance with best practices and is supported by a diverse team of accessibility professionals, including users with disabilities. Accessibility audit (testing assisted technologies) confirms compatibility.
• Onsite support: Onsite support
• Support levels: Each customer will receive support from the following channels:; ; • Employee Engagement Consultant - guides the overarching employee engagement strategy to determine how we can best help you reach your goals.; ; • Client Success Manager - strategic partner who will develop and execute communication strategies that generate excitement and drive maximum employee engagement. This includes platform training and benchmarked recommendations on how to get the most out of the platform. ; ; • Implementation Specialist - Project Manages implementation with responsibility for building your unique, tailored solution, overseeing all the details from kick-off to launch and serves as your liaison to our other internal technical resources.; ; • Design Team - create a platform that speaks to your goals, brand and even colour palette. Additional costs may apply if multiple redesigns are requested. ; ; • 24/5 Customer Helpdesk - for all technical admin queries via phone/email/live-chat.; ; • 24/7/365 Employee Helpdesk - minimises employee queries being directed to your HR/Reward teams. Support channels are phone/email/live-chat.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers and their employees receive full support from the following resources when they begin using our service:; ; • Multi-disciplined customer team including Implementation Specialist who will be responsible for a successful launch. They will host a kick-off call with all stakeholders to align platform requirements and implementation timeframes. ; ; • Constant communication on implementation milestones and outstanding tasks. ; ; • Client Success Manager who will collaborate on a communications strategy for pre and post launch engagement.; ; • Admin and manager training provided at no extra cost, ensures teams are upskilled prior to launch.; ; • Additional admin training available 24/5 via customer helpdesk.; ; • Back-end admin system access for approved users to conduct pre-launch testing and training. ; ; • Curated self-serve support via online ‘how to’ guides, videos and articles on platform functions.; ; • 24/7/365 phone, email and live chat employee support minimises queries directed at your HR/Reward teams.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Excel
  • CSV
• End-of-contract data extraction: Your customer service team will lead you through our documented offboarding process at contract end, including your preferred method of receiving the last employee data files. ; ; Once services are terminated, we overwrite customer data to remove all personal data from our records. Backups of customer data are retained for no longer than one month, at which point the data is permanently deleted. ; ; The underlying disks used by our databases are Amazon EBS and EFS volumes. These are encrypted with AES256 using our keys stored in AWS KMS. To wipe a disk we can simply destroy the keys, or re-encrypt the disks with new keys. This happens every time AWS provisions a volume to a new AWS customer - they are wiped and encrypted with the next AWS customer's keys. For more details on this, please see: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/aws-overview.pdf
• End-of-contract process: Offboarding at contract end is managed as professionally as any other account management service. Your dedicated customer team will discuss your offboarding requirements and options prior to contract end to ensure risk of service disruption is minimised from our end. Our documented exit plan will capture the schedule of activities and stakeholders involved.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no differences between the services available via a mobile device vs a desktop. Our mobile application mirrors the services available via desktops, giving users the flexibility to begin a transaction on one device and complete it on another. For example, employees can being a Cycle to Work application on their desktop, save progress and then complete it on a mobile device at a time that suits them. This applies to all mobile devices including phones and tablets.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Our market-leading engagement platform provides a fully branded, centralised location for employees to access employee benefits, discounts, rewards, recognition, and communications. 24/7/365 access from any device, in any location increases engagement opportunities for both online and offline users. ; ; Enhanced accessibility is supported by a 24/7/365 employee helpdesk and ISO 27001 and SOC 2 accredited protocols that safeguard data in compliance with GDPR requirements. 62 integration options mean the platform will serve as an extension of your internal ecosystem that can be accessed via single-sign-on to remove engagement barriers. Approved admins can self-serve to access real-time dashboards on all platform activity.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Our partnership with Level Access allows us to leverage their technology platform and 25 years of experience to achieve and sustain conformance to accessibility standards. Their accessibility technology platform is used to evaluate our digital properties in accordance with best practices and is supported by a diverse team of accessibility professionals, including users with disabilities. Accessibility audit (testing assisted technologies) confirms compatibility.
• API: Yes
• What users can and can't do using the API: During implementation, we will map out your integration requirements based on your internal ecosystem. API options include:; - REST API - provides a predictable and intuitive interface for interacting with all Reward Gateway products. You can build your own solutions on top of our functionalities. ; - SCIM manages employee data. It provides an easy way for our customers to manage new hires and leavers from their business, ensuring they have the right access to the program at the right times – e.g. new hires will be added once joined and leavers will be removed once they leave. This will work automatically via the SCIM integration and will require no additional input from HR.; ; Approved admin users will be provided training on how to set-up and manage API's using our 'Integrations Dashboard'.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: During implementation we will work with you to create a unique platform that aligns with your brand guidelines and benefit requirements. Additional customisation options include:; • Platform 'brand' name; • Logo visible on each page; • Platform colours for tiles, banners and text; • Content font; • Tone and language to reflect your voice ; • Platform design and layout ; • Employee segmentation for benefits access, reporting and communication; • Admin access ensuring users only access the data and functions required for their role.; • Manager access for dashboards and allocation of financial rewards; • Communications strategy developed by Client Success Manager ; ; Each employee will receive a personalised experience where they are greeted by name, only view the benefits they are eligible for and can see their own platform activity e.g. savings made, recognitions sent/received. ; ; Approved admins will receive training on how to create and customise content including:; • updating benefits content; • publishing blogs to communicate internal initiatives; • adding filters to dashboards and reports ; • creating content pages to raise awareness, for example a new benefit may compliment an internal initiative you are running and this can be communicated holistically via a content page that you control.

Scaling

• Independence of resources: We consistently monitor application performance and our contractual service level uptime is 99.5%. ; ; Weekly product load tests are conducted using Apache JMeter. These simulate large amounts of application traffic. The output from these tests is automatically compared to baseline and deviations reported for review.; ; Metrics on application response time, database performance and execution times, as well as other application-specific metrics are constantly collected and monitored. The infrastructure health is also monitored including disk space, memory utilisation, CPU usage etc which are all tracked.; ; Alerts are set up against relevant metrics and actioned by our on-call team members.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide 24/7/365 access to real-time, rich and customised management information. With data capturing all activity, you have detailed insight into benefits and service engagement. ; Data can be customised to suit client requirements using filters for specific employees, departments, campuses, pages, benefits and time period. This allows you to track overall and very specific engagement in real time, highlighting where additional focus is required and device strategies accordingly. ; Reports can be downloaded as PDFs with bright, colourful graphs or into Microsoft Excel, .CSV format. Account Manager provide additional analysis and data-driven actions to increase engagement on request.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Approved admin users can export summary user data through our self-serve admin centre in Excel, CSV and PDF format. Export limitations can be applied for added security and control. For example, customers can choose to only allow data exports within their office network.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Reward Gateway's service operates 24/7 365. ; Our SLAs are:; • Availability - contractually guarantee a 99.5% service uptime over a rolling 12-month period; • Release Window - maintenance and upgrades to the programme (including routine improvements) are conducted on a zero-downtime basis weekly on Wednesday, between 05:30 and 06:30 GMT; Maintenance requiring downtime is conducted with 30 days notice on Saturday or Sunday.; • Recovery Time Objective - 20 mins; • Recovery Point Objective - 24 hours
• Approach to resilience: To ensure resilience, all data processing takes place within the infrastructure provided by AWS data centres. Some of our Business Continuity, resilience, and availability controls are;; • Active standby mirrored AWS infrastructure in Frankfurt which can be activated when required; • Workplace Recovery offices on standby; • Technology systems without single points of failure; • Backup technology systems; • Our global office coverage allows 24/7 staff availability.; ; Reward Gateway has a full Business Continuity Management system, which includes Disaster Recovery and a Business Impact Analysis, identifying risks on a priority scale and adhering to the Risk Management process. Business Continuity and Disaster Recovery plans are tested and updated annually. For more information please view the link below: rg.co/security
• Outage reporting: Our service status is publicly available at https://rewardgateway.statuspage.io/ ; ; We do not have planned outages other than our regular patching each Wednesday during off-peak hours (never resulting in more than 60 seconds of downtime).

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
• Other user authentication: We support XML-based Security Assertion Markup Language 2.0 (SAML) protocol and OAUTH 2.0 for Single Sign-On. User authentication can be set up via Single Sign-On with Okta, ADFS, Microsoft Azure, Ping identity and OneLogin as well as other systems that can support SAML 2.0. This means if your internal identity management system has the data and capabilities you could Single Sign-On directly to your engagement platform with just one click.
• Access restrictions in management interfaces and support channels: We work with our customers during implementation to determine their data security and access requirements. We use multi-factor authentication to secure access, encrypt data and prevent fraud in-line with ISO 27001. Unique identifiers ensure that users registering on the system are verified. ; ; During implementation we will work with you to create an eligibility list of all approved employees. We’ll use secure data transfer methods such as SFTP or HRIS integration to manage changes to this list such as joiners and leavers.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: International Accreditation Service | Insight Assurance
• ISO/IEC 27001 accreditation date: 18/10/2023
• What the ISO/IEC 27001 doesn’t cover: Our ISO 27001 certification covers Reward Gateway personnel, technology and processes used to deliver our services.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Payment Card Industry Security Standards Council
• PCI DSS accreditation date: 01/12/2022
• What the PCI DSS doesn’t cover: Our PCI DSS certification covers Reward Gateway personnel, technology and processes used to deliver our services.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: SOC 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: System and Organisation Controls (SOC) 2
• Information security policies and processes: All our policies are aligned to our range of security certifications, any breach of our internal policies will result in either disciplinary action or training as determined by management.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: For IT related changes, we follow the ITIL framework for Change Management. ; ; Changes are raised and tracked through Jira tickets, approved by the CAB and then carefully deployed. ; ; Code changes for our application are covered by our SDLC.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Penetration tests conducted by CREST certified independent supplier: ; • Bi-Annual web application tests - results published at trust.rewardgateway.com ; • Ad-hoc penetration tests for new products/major features ; • Ad-hoc infrastructure penetration tests for major infrastructure changes ; ; Weekly Vulnerability Scans - Tenable.io:; • Entire external perimeter ; • Web App platform; • Server & Workstation, using agents ; • Server & Workstation audit compliance against CIS hardening standards, using agents ; ; Code Scans:; • Daily SAST of codebase; • Daily analysis of third party/open source dependencies using Snyk ; • OWASP ZAP built into SDLC ; ; Responsible disclosure of vulnerabilities submitted via infosec@rewardgateway.com and tracked to completion.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Robust Incident Management Policy built around our ISO 27001 security standards includes:; ; • Reporting an event or security incident - suspected incidents/weaknesses reported at the earliest opportunity to our Information Security Team. Multiple escalation channels include email, web interface and phone. ; ; Our systems automatically log a range of activities and alerts are raised for any suspicious activity.; ; All events are registered and managed in JIRA. ; ; • Allocating incident priority to determine how the incident is handled, which procedures are followed and response timescales.; A separate procedure with greater urgency is followed for Critical incidents​. e.g. incidents involving Strictly Confidential data.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Robust Incident Management Policy built around our ISO 27001 security standards includes:; ; • Reporting an event or security incident - suspected incidents/weaknesses reported at the earliest opportunity to our Information Security Team. Multiple escalation channels include email, web interface and phone. ; ; Our systems automatically log a range of activities and alerts are raised for any suspicious activity.; ; All events are registered and managed in JIRA. ; ; • Allocating incident priority to determine how the incident is handled, which procedures are followed and response timescales.; A separate procedure with greater urgency is followed for Critical incidents​. e.g. incidents involving Strictly Confidential data.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  We’re committed to fighting climate change and effective environmental stewardship. We promote social value and carbon reduction in compliance with PPN 06/21, 06/20, Social Value Act 2012 and relevant legislation. Our Group pledge is to be net zero carbon by 2050 using SBTi standards. UK Carbon Reduction Plan reports net zero by 2050.; ; We influence environmental protection and improvement via our ‘tech for good’ business model. The Group invested €385m in digital innovation in 2022.; ; We’re Social Value Portal members and completed a 12-week expert led audit to align activities, metrics and reporting to best practice.; ; Via this contract, we’ll deliver extra environmental benefits (MAC4.1 reviewed monthly) via:; • Local environmental activities, e.g., staff volunteering; • Collaborate with retailers to switch to digital; we launched the market’s first eGift; • Promote ‘green’ discounts; ; We influence staff, suppliers, customers and communities to contribute to sustainable initiatives (MAC4.2). We collaborate with customers to co-design community environmental projects with defined KPIs/timelines. We can support existing projects or use our charity relationships with City Harvest, Felix Project and West Cheshire Foodbank where we distribute surplus food to support communities. This support efforts to reduce food waste accounts which accounts for 5% of national emissions.; ; Our annual ‘Ideal Green’ invites customers and their employees, subcontractors and locals to join us in a day of volunteering to collectively improve/protect the environment. Our staff are encouraged to get involved via our B2C e-magazine. We’ll provide comms with photo comps and prizes to drive engagement.; ; Supply-chain due diligence ensures net zero; one provider is net positive. Volunteering extends through supply chain; one provider sponsors cycling events for disadvantaged children.

Pricing

• Price: £0.65 to £1.80 a user a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders-uk@edenred.com. Tell them what format you need. It will help if you say what assistive technology you use.