Infix Theatre Scheduling

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: The service is based upon a very 'open' software stack and deployment model.
System requirements: Infix is a browser based solution. Compatibility is as follows:

Web: Latest versions of Chrome and Edge

Access to the internet

User support

Email or online ticketing support: Email or online ticketing
Support response times: Support is available on commencement of live service and we
offer a variety of support packages. Each support package
includes full details of call priority rankings and the corresponding
response times agreed with the customer.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Options to suit customer's need. Typically 9 - 5.30pm. 24/7 or other daily times possible subject to agreed SLA and commercials. Costings depend on the number of product and user licences required. Support engineers are supplied as part of the Service Desk provision as specified under the Service Level T&Cs for each customer.
Support available to third parties: No

Onboarding and offboarding

Getting started: In a typical onboarding process we would identify the customer needs and demands to create a hospital admin account for each hospital to manage their onboarding process activities. This will allow hospital admin to log in to the system via a registration link shared with his office email address and the login process will be governed and controlled by the username/password credentials. The process will be self descriptive and easy to follow.

The onboarding process will include acquiring a certain percentage of personally identifiable hospital/ patient information and data which will be strictly governed and managed as per the GDPR guideline and healthcare domain best practises.

Scheduled audits will be conducted to validate the accuracy of the data with the respective stakeholders from the hospital.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Infix’s will support automated customer offboarding as well. However as the first step of the process Infix will validate the contractual agreement with the customer to validate and close the loop on the services owed and rendered. As the next step the system will conduct a series of validation to verify the offboarding possibility, without leading to contractual obligation and data privacy issues. Once resolved, we clearly communicate any remaining services or amount owed to proceed with the offboarding.

Once the offboarding is successfully completed the data related to the customer will be encrypted and kept in a specially secured backup storage for a period of six month for auditory purpose before completely removing them from our system.

Additionally the offboarding also will include;

- Transfer data authority back to the hospital
- Removal of granted system related access privileges and rights
- Establish contract for additional offboarding assistance needed

We will remove the data on end of contract after our own retention period for liability purposes has expired.
End-of-contract process: Infix’s will support automated customer offboarding as well. However as the first step of the process Infix will validate the contractual agreement with the customer to validate and close the loop on the services owed and rendered. As the next step the system will conduct a series of validation to verify the offboarding possibility, without leading to contractual obligation and data privacy issues. Once resolved, we clearly communicate any remaining services or amount owed to proceed with the offboarding.

Additionally the offboarding also will include:

- Transfer data authority back to the hospital
- Removal of granted system related access privileges and rights
- Establish contract for additional offboarding assistance needed

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Chrome
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: None or don’t know
Description of service interface: REST based API
Accessibility standards: None or don’t know
Description of accessibility: N/a
Accessibility testing: N/a
API: Yes
What users can and can't do using the API: Integrators with our API can access the API
documentation free of charge and also access the API free of
charge. Our API access falls within the identified usage model due
to the nature of the data being accessed, there would need to be
identified access by this consuming system i.e. identified usage of
the API
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: Yes
Customisation available: No

Scaling

Independence of resources: Initial set of resources will fit the average user traffic while the increase or decrease of the active user base will automatically scale the underlying service infrastructure smoothly and noticeably without any impact to the connected users.

Analytics

Service usage metrics: Yes
Metrics types: Custom tailorable the metrics to based on the requirements such as

Analytics of surgeries, Surgeon login analysis, Patient analytics,
Usage stats etc.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: We don't import data. We don't routinely export data but can provide this in a CSV format when required. Ensure we also adhere to any information security and data protection guidance.
Data export formats: CSV

Other
Other data export formats: Azure Backup
Data import formats: CSV

Other
Other data import formats: Azure Restore

MDF/LDF

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Infix services are highly available with the service level agreement of 99.95% availability which are powered by the underlying Azure cloud platform.
Approach to resilience: Underlying leading Microsoft Azure cloud platform is highly secure, robust, highly available.
Azure inherently provides a number of mechanisms for resilience and fallback options to continuation of the services. Infix uses multi region (availability zones) with automatically scaling infrastructure to meet the varying user demands. Any service failure will be automatically handled by spinning off new services to take that place with silently routing the users to the functional services.

Since Azure cloud services comply with UK G-Cloud standard it is an evidence of trust.
Outage reporting: All outages are recorded as part of the incident management
process and should a problem be detected, the service desk will
inform the customer as required.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication
Access restrictions in management interfaces and support channels: Infix administration interface is only accessible by a defined administrator account. Administrator account has the ability to set roles to invited users which defines the functionality available to them.
Access restriction testing frequency: At least every 6 months
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: No audit information available
Access to supplier activity audit information: No audit information available
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Bsi / 27001:2013 - IS 614375
ISO/IEC 27001 accreditation date: 18/04/2019
What the ISO/IEC 27001 doesn’t cover: We do comply with our business operations with ISO27001 without exclusions or exceptions. We have third party coverage for processing and storage of data.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: ISO 9001

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: N/a
Information security policies and processes: We comply with NHS standards and best practice guidelines, including NHS Information Governance standards (NHS Confidentiality Code of Practice and Caldicott Principles). Standards / accreditations include compliance with;
• ISO27001:2013 ISO9001:2015
• Data Security and Protection Toolkit
• GDPR

Further the cloud infrastructure service provider (Microsoft Azure) is compliant with large number of standards and controls stated in https://docs.microsoft.com/en-us/azure/compliance/

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Infix uses an Agile process end-to-end from the business requirements to post go-live support. An extensive list of business features and known bugs are maintained in a task backlog where regular reviews are undertaken by business and technical leads to prioritize the order they are handled. Following is the process to define the release cadence and deployments..

Source code is organised into multiple streams to independently develop, test, bug fix for releases for new application versions and fixes.

Monitoring mechanisms in place for production environment behaviours. Feedback channels optimize the application in forthcoming agile releases depending on past/present behaviours.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Regular source code analysis (daily) to identify vulnerabilities. Infix uses a “Shift-Left” approach to identify any vulnerabilities sooner than later. There are various controls and processes in place to detect vulnerabilities before a change is released to the live environment. Further there are regression tests run regularly and automatically to test the overall performance and security of the application.
Infix leverage industry leading tools (example Azure Security Center) to identify not only vulnerabilities but also any other bugs at various quality gates which are regularly checked.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Infix system is being monitored both proactively and reactively at various points such as infrastructure, application, firewall, database and network etc. to cover all over monitoring aspects to provide the best protection to the service continuity.
In case of a production incident there are monitoring records available for a period of time to narrow down to the root cause of the issue to provide a faster resolution.
AGILE support and development approach enables rapid triaging and bug resolution.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Incidents handled through Infix Support Desk. Use of an ITIL compliant practice and tools to manage end-to-end incident lifecycle.
Fully skilled support team is aware of inside-out of the application
is capable of handling first line support to collaborating with the development teams to get application source code level fixes.

Supporting monitoring systems are in place to leverage incident triaging as well as staging environments available to independently test bug fixes.
All incidents will be prioritized based on the criticality and business/user impact and resolved within the agreed SLAs.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Tackling economic inequality: Tackling economic inequality

The following key principles apply to The Company's business and supply chain:
Child labour must not be used.
Any form of forced or compulsory labour must not be used. Workers must be free to leave employment or work after reasonable notice.
Passports, visas and other personal documentation should not be taken from employees unless requested to be held by the employee for safekeeping purposes (and, if held for safekeeping purposes, they should be returned to the employee on request).
All forms of debt bondage are prohibited. Workers should not be subject to contracts that tie them into repaying a loan (other than small loans to cover items such as transport costs), excessive accommodation expenses or other costs that they have no or little opportunity to repay.
Compensation and benefits must comply with local laws relating to minimum wages, overtime hours and other benefits.
The formation of trade unions and powers of collective bargaining should be respected.
Equal opportunity: Equal opportunity

Infix Aims to prevent, reduce and stop all forms of unlawful discrimination in line with the Equality Act 2010.
To ensure that recruitment, promotion, training, development, assessment, benefits, pay, terms and conditions of employment, redundancy and dismissals are determined on the basis of capability, qualifications, experience, skills and productivity.
Wellbeing: Wellbeing

Infix Aims:
To ensure the physical and mental health of all employees;
To promote a healthy, safe and friendly working environment and control and reduce risks to mental health;
To help provide and maintain a supportive and non judgmental working environment;
To provide effective support to all employees in managing stress and other mental health problems, and to encourage better recognition of mental health issues; and
To recognise that the prevention of stress is easier than dealing with it once it has arisen.

Pricing

Price: £10,000 a server a month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Time limited trails may be available on request

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Infix Theatre Scheduling

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents