Zodiac Media Ltd

Council Platform

Council Platform is a cloud-based solution for creating and running UK council websites from. It allows you to easily create an accessible, content managed website for your council that allows your customers to complete their goals entirely online.

Features

• Provides everything needed for a typical UK council website.
• Uses a best in class WYSIWYG content editing system.
• Capable of running multi-sites.
• Editorial publication workflow with notifications sent to end users.
• Scheduled publication and expiry of content.
• WCAG 2.2 AA accessible with inbuilt accessibility testing tools.
• A range of existing integrations e.g. CAN, Bartec, ModernGov.
• Default look and feel uses the GDS GOV.UK design system.
• Multilingual via full translation or Google Translate 'light' option.
• Features best in class site search functionality.

Benefits

• Empower customers to complete their goals entirely online.
• Greatly reduced resource requirements compared to a bespoke build.
• Much lower risk compared to a one-off bespoke build.
• Product will be continually developed with new functionality.
• Ensure your website meets UK Government accessibility legislation.
• Built by an ISO27001 certified company and GDPR compliant.
• SEO optimized and performs well in search engines.
• Join a community of customers who share knowledge.
• Well-documented so new staff can independently learn the platform.
• Conoslidate disparate websites onto a single platform.

£350 a licence a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

222018742740308

Contact

Billy Davies
0203 813 8430
info@zodiacmedia.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any support inquiries have the following response times based on their severity:; ; * Critical - 2 hours; * Major - 4 hours; * Minor - 2 working days; * Trivial - 4 working days; ; We split the working week up into ‘Normal Working Hours’ (09:00-17:00 Mon-Fri for UK working days) and ‘Antisocial Hours’ (all other times including weekends and UK bank holidays).; ; Only Critical inquires are responded to during Antisocial Hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: The same level of support is offered to all Council Platform subscriptions, with only the amount of support time allocated per month varying. Additional support time can be purchased in 1 day increments at a rate of £805 ex VAT per day.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We can provide online training and have done so in the past for existing clients. We offer full online documentation with references and step-by-step illustrated guides.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data extraction is possible either via RESTful APIs or CSV export.
• End-of-contract process: Prior to the end of contract, clients will need to extract any data they require using the product's RESTful APIs, or it's CSV export functionality. At the end of contract, the servers are terminated, and all client data held by us is deleted as per our ISO27001 policies.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Functionality is identical. Appearance changes depending on screen size to be accessible.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: A backend Admin system allows authenticated users to add, change, and delete content and settings for the website.; ; The frontend is accessible to all users and allows them to navigate and view content, and submit information via webforms and comments.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We operate an accessibility scanning service called Publica11y (https://www.publica11y.org/). This service offers free scans on demand for all Council Platform clients and is used to test the site for WCAG AA 2.2 compliance issues. The service is built on software that received the highest Guidance rating in the government’s Accessibility Tool Audit. Further testing is done using SiteImprove and Axe accessibility tools.; ; All sites are WCAG 2.2 AA compliant at time of handover.
• API: Yes
• What users can and can't do using the API: The product contains a RESTful API that is enabled on request. The API can be used to Create, Read, Update or Delete any entity type within the product.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Nearly all functionality and appearance can be customised.; ; We provide a state-of-the-art front-end development framework as part of the standard Council Platform subscription. This framework can be used by clients to build custom HTML components and customize all aspects of their site's styling. Alternatively, clients can contract us to make the changes.; ; New functionality can be added on request, with a wide array of modules available. These modules can be further customised if needed.; ; Council Platform is being continuously developed and new functionality is offered out to all existing subscribers free of charge, with only a small amount of support time being required to enable the functionality.

Scaling

• Independence of resources: We always use a dedicated VPS or physical server for each client implementation of Council Platform. Staging environments are also provisioned on separate servers from the production environment. This ensures that sites are kept physically separate, removing the possibility of client sites having a negative impact on one another.

Analytics

• Service usage metrics: Yes
• Metrics types: Council Platform comes with its own analytics platform as standard. Integration with third party analytics platforms such as Google Analytics is also possible. All data collection and processing is GDPR compliant.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data export is possible either via RESTful APIs or CSV export.
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • JSON
  • Custom migration using Council Platform's RapidStart functionality

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We offer a 99.9% uptime guarantee, evaluated on a monthly basis. If we fail to meet this SLA service credits are offered as follows:; ; - Less than 99.9% but equal to or greater than 97% - 20% credit; - Less than 97% but equal to or greater than 96% - 40% credit; - Less than 96% - 60% credit
• Approach to resilience: Available upon request.
• Outage reporting: Service outages are reported via a shared private dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Server access is restricted via SSH key in conjunction with password protection and is only available from whitelisted IP addresses across uncommon port numbers.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 02/03/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We follow an ISO27001 certified Information Management Security System. This includes policies for: employees, clients, suppliers, physical security, network security, secure development, teleworking, access control, data classification, how to store, access, and retain data depending on its classification. It also includes an information asset register and a regularly updated risk treatment plan.; ; An internal security audit is conducted every quarter, and an external audit by an accredited 3rd party body every year.; ; Employees are onboarded with the reporting process and are instructed to report any issues to the Director or Information Technology Security Officer as soon as they are aware of them. The Director and ITSO hold regular security management review meetings to deal with reports. A formal incident response process and contact links with the relevant authorities are maintained.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Council Platform stores its configuration in the site’s codebase, which is under version control. We also control the server provisioning of Council Platform’s servers using the automated scripting language Ansible, and these scripts are also under version control. All changes are assessed for potential security impacts via a peer review prior to acceptance into the codebase.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: A formal Risk Treatment Plan is maintained and updated periodically with identified risks treated, transferred, or terminated. All Information Assets are categorised based on the impact and likelihood of its confidentiality, integrity, or availability being compromised with the resultant category dictating how it can be stored, accessed, and retained.; ; Links with professional bodies are maintained with security notifications automatically dispatched in group Instant Messaging channels. Security releases are deployed within 2 weeks of release.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Production site servers are integrated with our enterprise performance and security monitoring systems. Critical level notifications from these systems are instantly published to channels in our internal Instant Messaging system for immediate address. Data from these systems is regularly reviewed by our Information Technology Security Officer (ITSO) as part of our ISO27001 security framework. Response times vary between immediate and two weeks depending on the severity of the reported issue.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Employees are instructed to notify the designated staff members. If applicable, a compromised user account will be blocked and all associated login info changed. If applicable, the affected client will be notified. Should the data breach involve protected data, the breach will be reported to the Information Commissioner’s Office within 72 hours in compliance with the GDPR. Evidence of the breach will be gathered and, if applicable, will be reported to the police. With reference to the Risk Treatment Plan, the impact of the incident will be assessed. Contributing weaknesses in company policy will be identified and rectified.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  The data centres used for this service run on 100% renewable energy.

  Tackling economic inequality

  All employees are paid above the living wage regardless of role or experience.

  Wellbeing

  We hold frequent recreational team-building activities. All employees have the option to work from home, enjoy flexible hours, and are entitled to 24 days of annual leave.

Pricing

• Price: £350 a licence a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Prospective buyers can be provided with admin access to a fully featured demo version of the product so that they can evaluate it prior to order.
• Link to free trial: https://demo.councilplatform.com/

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.