SEMPx

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: SEMPx may undergo scheduled maintenance occasionally, with efforts made to minimise disruptions by scheduling them during off-peak hours. Additionally, buyers should note that an internet connection is required to access SEMPx and buyers should consider potential constraints like bandwidth limitations, data transfer costs, and compliance requirements accordingly.
System requirements: A stable internet connection

A SEMPx license

A supported browser

User support

Email or online ticketing support: Email or online ticketing
Support response times: Support is available Monday to Friday during the hours of 09:00 and 17:00, via video conference, telephone and email. At all other times, users can raise a ticket by sending an email to support@sempx.com or by logging the ticket through the SEMP helpdesk system. We acknowledge questions within 1 hour, respond within 2 hours and aim to resolve within 4 hours. All questions are categorised and prioritised.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 A
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: As part of our T&C, we aim to respond to issues:
- No access available to the Subscription Services OR fault in the Subscription Services that impacts all users and prevents them working within their defined processes - within 0.5 Hours
- No access available to some functionality within the Subscription Services (but not all) OR there is a fault within one or more functions within the Subscription Services that prevents users working within their defined processes - within 1 Hour
- E.g. Subscription Services produce an error message - within 4 Hours
- E.g. Subscription Services give a warning message - within 9 Hours
As part of our IT maintenance and support we will allocate technical resources that oversee the running of your system to ensure it performs as intended, including regular maintenance and support tickets. Users will be able to raise support tickets via Jira Support. Technical support will focus on the running of the application. New features and modifications can be developed but are not costed as part of the standard service. We will tailor the level of support and allocate resources accordingly. This will be agreed in advance for a fixed period and monthly fee.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: As standard, upon purchasing licenses all documentation required is provided to the buyer. For implementation additional one-time fees apply which cover onboarding, execution, and team training in line with the size of the organisation and the time required by a SEMPx trainer, this can be found in our pricing document.
Additionally, Requirements Management Professional Services can be provided for an additional cost on an ongoing basis, which are serviced by SEMPx experts, any additional cost for this will be agreed in advance for a fixed period and monthly fee.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Our approach to data export is user-centric and intuitive, ensuring a seamless experience for users. Exporting data from SEMPx is straightforward and can be done within just few clicks. Users have the flexibility to export to multiple formats, including CSV, excel, word, and ReqIF, empowering them to choose the format that best aligns with their requirements. This user-friendly approach enables efficient data sharing and interoperability, allowing users to seamlessly integrate their data with other tools and platforms as needed.
End-of-contract process: At the end of the Term, or on earlier termination of the Agreement, all licences granted to access the Subscription Services will immediately terminate and the following Customer Data deletion provisions shall apply: SEMP will retain any Customer Data held in the Subscription Services at that time for a period of three months following termination. Prior to the date of termination, the Customer may obtain, copy and export its Customer Data itself.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: WCAG 2.1 A
Description of service interface: Our service interface is developed using HTML, CSS, and JavaScript, specifically utilising the Angular framework to ensure robust and responsive design. We prioritise accessibility and strive to comply with WCAG 2.1 Level A standards.
Accessibility standards: WCAG 2.1 A
Accessibility testing: To assess our platform's accessibility, we employ the EqualWeb Web Accessibility Checker among other tools. This software helps us identify and address potential barriers for users with disabilities. Feedback from these evaluations is crucial and systematically integrated into our development roadmap to enhance usability. Our ongoing commitment to accessibility ensures that improvements are continuous, aiming to make our service more inclusive for all users.
API: Yes
What users can and can't do using the API: Yes, our REST API supports multi-tenant use, built on ASP.NET Core with OAuth 2.0 and OpenID Connect. System setup is manually initiated by our team, as automated onboarding for new users or tenants is not currently available.

Users can make API-driven changes within strict limits set by robust Role-Based Access Control (RBAC) and entity-level access management, ensuring that modifications are secure and reserved for authorised users.

Limitations include the lack of self-registration and independent environment creation, requiring direct involvement from our administrators for initial setups and configurations.

We provide comprehensive REST API documentation accessible via Swagger UI and offer several environments like Development, Test, Demo, Staging, and Production. However, we do not offer a publicly accessible sandbox or test environment; access is arranged based on specific project needs and client agreements.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: Buyers can customise several areas within SEMPx including the dashboards and screens to allow visualisation as required by the client. Widgets can also be added, resized, and moved.
SEMP can also customise services to buyers through their license package by adding requirements management professional services to their order.

Scaling

Independence of resources: Our service is cloud-hosted and designed for scalability, ensuring consistent performance across varying loads. We offer dedicated resources per tenant to minimise the impact of other users, enhancing isolation and service reliability. We actively monitor our application to respond to performance demands dynamically. If increased demand is detected, our scalable infrastructure allows for rapid resource allocation. This combined approach of dedicated resources and scalable solutions ensures optimal performance without compromise from other tenants' activities.

Analytics

Service usage metrics: Yes
Metrics types: Yes, we offer comprehensive service usage metrics to provide users with valuable insights into their system’s performance and usage patterns. Users can access real-time dashboards, available via platforms like azure portal, presenting key metrics such as number of (failed) requests per minute, CPU usage, etc.
Additionally, detailed reports on requests are available to facilitate in-depth analysis and optimisation efforts. Furthermore, our integration with Power BI empowers users with advanced analytics and visualisation capabilities for thorough examination of usage statistics.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users can export their data from SEMPx to various formats, ensuring compatibility and flexibility. Exports options include CSV, excel, and word, allowing users to choose the format that best suits their needs.
Additionally, SEMPx supports ReqIF (Requirements Interchange Format) export, enabling users to export structured requirements data to ReqIF-complaint tools or platforms.
Data export formats: CSV

Other
Other data export formats: Excel

PDF

Word

ReqIF
Data import formats: CSV

Other
Other data import formats: Word

Excel

ReqIF

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We guarantee a high-level of availability for SEMPx, typically exceeding 99.9%. This commitment is outlined in our Service Level Agreements (SLAs), which specify the expected uptime and any compensation measures in case of downtime. These measures ensure accountability and provide assurance to our users regarding the reliability and continuity of SEMPx.
Approach to resilience: Our service is designed for high resilience, utilising Microsoft Azure to ensure robust performance and availability. Here’s how we maintain service reliability:

• Redundant Infrastructure: Hosted on Azure, our datacentres feature redundant power, HVAC, and network connections, allowing seamless failover and minimal service disruption.
• Geographic Diversity: We leverage Azure’s global network of datacentres across diverse regions, safeguarding against regional disruptions by enabling dynamic traffic rerouting.
• Regular Backups: Critical data is regularly backed up with Azure Storage, stored in multiple secure locations for high availability and rapid recovery.
• Scalable Architecture: Built on Azure, our architecture can automatically scale resources in response to real-time demand, maintaining performance under varying loads.
• Security Measures: Enhanced by Azure’s comprehensive security tools, we implement strict protocols, including regular updates, to protect against cyber threats.
Detailed information on our datacentre setups and resilience strategies is available upon request, maintaining security and confidentiality.
Outage reporting: In the event of an outage, our team manually sends email alerts to all subscribed users. These emails detail the nature of the outage, its estimated impact, and anticipated resolution timelines. Updates are sent as the situation evolves, until full resolution is achieved.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels: Access restrictions in management interfaces and support channels are implemented through robust authentication mechanisms such as multi-factor authentication (MFA), role-based access control (RBAC), and least privilege principles. MFA adds an extra layer of security by requiring users to provide multiple forms of identification. RBAC ensures that users only have access to the resources and actions necessary for their roles. Additionally, employing strong encryption protocols and regularly auditing access logs helps monitor and mitigate unauthorized access attempts. Continuous training and awareness programs further reinforce security protocols among employees.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Our security governance is not certified to a standard. However, we adhere to the Cyber Security Essentials framework to establish and maintain robust security measures. This includes comprehensive risk assessments, regular security audits, employee training, and incident response procedures. By aligning with Cyber Security Essentials, we ensure that our security governance practices effectively mitigate risks and safeguards our systems and data against potential threats.
Information security policies and processes: Our information security policies and processes are designed to ensure the confidentiality, integrity, and availability of our systems and data. We have a comprehensive set of policies covering areas such as data protection, access control, incident response, and regulatory compliance. These policies are regularly reviewed and updated to align with industry best practices and evolving threats.
To ensure policies are followed, we employ various mechanisms, including:
• Access controls – role-based access controls and least privilege principles are implemented to restrict access to sensitive data and systems.
• Monitoring and logging – we utilise monitoring tools to track user activities and system events, enabling us to detect and respond to any unauthorised or suspicious behaviour.
• Audits and reviews – regular internal audits and external assessments are conducted to evaluate compliance with security policies and identify areas for improvement.
• Enforcement and accountability – violations of security policies are taken seriously and may result in disciplinary actions. Additionally, employees are encouraged to report any security concerns through established channels.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Our processes involve comprehensive tracking of service components throughout their lifecycle. Changes undergo rigorous assessment for potential security impacts, including vulnerability analysis and risk evaluation. Testing and validation in controlled environments ensure changes meet quality and security standards before deployment. Documentation of changes and communication with stakeholders are integral to our approach, promoting transparency and accountability. Through this, we mitigate risks, maintain service integrity, and safeguard against security vulnerabilities. Our cloud datacentres are secured with multiple layers of physical security. They comply with a broad set of international and industry-specific compliance standards (ISO/IEC 27001 and CSA CCM v3.0).
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Our vulnerability management process begins with continuous assessment of potential threats to our services. We utilise threat intelligence feeds and penetration testing results to identify vulnerabilities. Upon discovery, vulnerabilities are prioritised based on severity and exploitability. Critical patches are deployed swiftly ensuring timely protection. Regular monitoring and proactive measures enable us to mitigate risks effectively, safeguarding the integrity and security of our services.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Our protective monitoring processes begin with continuous monitoring of network traffic, system logs, and security events to identify potential compromises. We utilise log analysis tools and security information and event management systems to detect anomalous behaviour and security incidents in real-time. When a potential compromise is identified, our team responds promptly, following predefined procedures and escalations paths. We prioritise incidents based on severity and impact, taking immediate action to mitigate the threat. Our goal is to respond to incidents swiftly to minimise potential damage and restore normal operations efficiently.
Incident management type: Supplier-defined controls
Incident management approach: Our incident management processes include pre-defined procedures for common events and clear reporting channels for users. Upon receiving a report, our team assesses and contains the incident swiftly, maintaining communication with stakeholders throughout. Post-incident analysis informs process improvements, and incident reports detail actions taken. This systematic approach ensures timely response, containment, and resolution of security incidents, minimising impact and enhancing security posture.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Social Value

Tackling economic inequality

SEMPx has been specifically designed to allow organisations to apply a systems engineering approach without the requirement for team members to have extensive experience and knowledge of systems engineering. This enables organisations with recognised skills gap to build highly sought-after systems engineering capability within their teams and become competitive in high-growth areas such as urban passenger rail. With respect to Tackling Economic Inequality, SEMP recognise that we operate in a high growth industry with known skill shortages. We are therefore working not only to help upskill and develop people already working within the industry, but also to encourage the next generation to pursue STEM careers. We offer all our employees scope for progression, which is set out as part of their individualised professional development plan. Through diverse experience across projects, mentoring, training, and support in achieving professional qualifications (such as C.Eng), we help them progress through consultancy grades from Graduate to Director level. Hiring, training, and upskilling recent graduates and junior consultants is an established part of SEMP’s resource growth strategy, in response to a lack of systems engineers in infrastructure. We also take on apprentices across different disciplines, helping recent graduates to obtain work experience at the beginning of their careers. We work with academic and professional institutions (Bristol University, Imperial College London, ICE) to develop solutions that will bridge the gap between government policy, academia, and businesses. SEMP is also conscious of the underrepresentation of visible minorities and women in the STEM workforce. As a result, we support various initiatives that are actively working to facilitate the entry of underrepresented demographics into the field. We are signatories to the Women in Rail and Railway Industry Association EDI Charter, which champions equality, diversity, and inclusion and to work together to build a more balanced, fair and high performing sector.

Pricing

Price: £300 a user
Discount for educational organisations: Yes
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

SEMPx

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents