GRM MAPPING LIMITED

Cloud-based TransXChange Bus Open Data creation, editing and publishing tool

Cloud-based software allowing importing, creating, editing and publishing of v2.4 TransXChange open bus data for upstream use in journey planning, Bus Open Data and live vehicle tracking. Compliant with Traveline National Data Set, Bus Open Data and major bus scheduling and ticketing systems.

Features

• Importing of existing v2.1 and v2.4 TransXChange data
• Visualisation of snap-to-road routes and stop locations
• Edit and save routes between pairs of stops
• Creation and editing of timetables and stopping patterns
• Daily updating of bus stop NaPTAN data
• Compliant with Electronic Bus Service Registration
• Maintenance of serviced organisations, eg schools
• Publish compliant TransXChange data
• DfT certified for use with TNDS and BODS
• Available as fully managed product or Software as a Service

Benefits

• Compliant with Bus Services Act legislation
• Ability to import and edit current data
• Ability to manage service patterns in the timetable
• Ability to export to BODS or EBSR versions
• Ability to allow sub-licenced access to smaller operators
• Consistent network management
• Consistent approach to serviced organisations
• Better use and visualisation of existing local authority data
• Ability to enhance safe home to school transport
• Real-time NaPTAN bus stop location data

£2,500.00 to £8,500.00 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@grmmapping.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

230285024226783

Contact

Mark Knowler
020 8242 6169
enquiries@grmmapping.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements:
  • Understanding of geographic area required
  • Understanding of internal data sources available
  • Understanding of key contacts in maintaining site accuracy

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: An initial response to issues raised within one hour Mondays to Fridays office hours and a commitment to monitor contact and respond as quickly as appropriate outside of these times.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our commitment to all clients is to acknowledge and initially respond to issues and questions within one hour of contact on Mondays to Fridays 0900-1700hrs. Outside of these times we would regularly monitor any contact and respond as soon as is required or appropriate. The cost of support would be included within the contract price and would initially involve a nominated technical account manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The key buyer representatives would be fully involved throughout the design and commissioning stages to ensure full transparency on data sources and accuracy and to be able to confidently navigate the site and produce compliant TransXChange data for upstream third party use,.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: As the software uses only publicly-available open data and operates in real time, there would be no data to extract when the contract ends. Any user or performance logs and analytics would be available up to the end of the contract.
• End-of-contract process: The contract would include full site maintenance, processing and support for the live site until the specified end of contract and this is included within the price quoted. Any additional work required to hand over to a new supplier, or to extend temporarily until a new solution is live would be an additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: Dedicated web-based service dashboard with appropriate access controls for required users.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: User interface testing conducted with several local authorities anbd smaller bus operators to promote confidence and ease of use.
• API: No
• Customisation available: Yes
• Description of customisation: The buyer may customise the user interface and mapping in terms of geo-referenced data scope and content and in determining which specific geographic areas and operators are included..; ; End users may also customise their data exports by determining whether the TransXChange files are to be used for the Traveline National Data Set, Bus Open Data, Electronic Bus Service Registration or for populating vehicle tracking and ticketing systems.

Scaling

• Independence of resources: The entire product is hosted on our own dedicated web server, and as such the number of individual users or tasks being performed will not affect the performance experienced.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The exporting of data is limited purely to the end public user retaining the results of their journey query, and there is no need for any separate export by the buyer organisation themselves. End user export would include the ability to export as PDF and to be able to convert a screenshot to a suitable PDF or JPEG format to be able to store or print for future reference.
• Data export formats: Other
• Other data export formats: PDF/A
• Data import formats: Other
• Other data import formats: XML

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our SLAs are tailored to each client, and would describe the roles and responsibilities of all parties and stakeholders. As a standard, we guarantee 100% uptime of all software products within the core hours required by any client, and the scheduling of any planned maintenance or upgrades to take place outside of these hours. ; ; Any disruption to service, planned or otherwise, would be responded to within one hour of discovery or contact by the client during our office hours, and on agreed timescales during out-of-hours periods. Escalation procedures and compensation for failure to meet key performance targets would be agreed with the client at beginning of contract and regularly reviewed during the contract lifetime.
• Approach to resilience: Detailed information on the location, functions and resilience of our datacentre setup is available on request.
• Outage reporting: We have 24/7 access to a public dashboard for our datacentre operation which provides real-time indication of any service outage or security threat. This is then passed on to the end client within the terms of the Service Level Agreement, and updates towards resolution provided at frequent and timely intervals agreed with the client.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: We utilise Role-Based Access Control (RBAC) to restrict access to management interfaces and support channels based on internal and external users' roles, responsibilities, and privileges.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We have conducted a comprehensive risk assessment to identify potential security risks and vulnerabilities, including evaluating the likelihood and impact of cyber attacks and data breaches. Based on this, we have clear and concise security policies and procedures on access control, data protection, incident response, and compliance.; ; We maintain a robust incident response plan to mitigate security incidents when they might occur. This establishes clear roles and responsibilities and defines escalation procedures.; ; We regularly review and update our security policies and procedures, investing in new technologies and staying informed about emerging security trends and best practices
• Information security policies and processes: Our nominated Director oversees and ensures compliance with our security policies and processes which are tailored to ensure our bespoke software solutions remain secure and compliant at all times for ourselves, our clients and end users.; ; We maintain and regularly review our Access Control Policy, Data Protection Policy, Incident Response Policy, Network and Physical Access Security Policies and Compliance Policy. ; ; The latter is regularly reviewed and ensures that the organisation complies with relevant laws, regulations, and industry standards related to information security and privacy. It includes procedures for conducting regular compliance assessments, audits, and reporting requirements to demonstrate adherence to legal and regulatory obligations.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We maintain an inventory of all hardware, software, and network devices deployed within our workflows. This includes servers, workstations, routers, switches, firewalls, storage devices, and software applications. We regularly audit and review these configurations to ensure compliance with our security and resilience policies. ; ; Within our formal processes for reviewing and approving change requests for IT systems and infrastructure, we obtain formal approval from relevant stakeholders before implementing changes with a guarantee to maintain the highest standards on security and availability. After implementing changes, post-implementation reviews evaluate their success, which enables us to extend any specific improvements to other clients.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Together with our dedicated server supplier, we conduct regular vulnerability assessments to identify weaknesses, misconfigurations, and security vulnerabilities across our IT infrastructure. We use automated scanning tools to detect vulnerabilities and security misconfigurations.; ; We actively implement a patch management process to address identified software and hardware vulnerabilities in a timely manner. This involves regularly applying security patches and updates provided by software vendors to reduce the risk of cyber attack.; ; We constantly monitor new vulnerabilities, emerging threats and changes to our IT environment. This includes monitoring security advisories and vendor announcements for information about new vulnerabilities and potential security risks.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our continuous real-time monitoring processes collect and analyse security data for signs of unauthorised access, malware infections, data breaches, and other security incidents.; ; Within our agreed Service Level Agreement with our dedicated datacentre supplier and our clients, we have clear incident response procedures to respond to security incidents detected through protective monitoring within the shortest possible timeframe.
• Incident management type: Supplier-defined controls
• Incident management approach: Once an incident is detected, it is classified into categories such as malware infections, unauthorised access, data breaches, denial-of-service attacks, or system outages. Users will be able to report such concerns directly through our established direct communication channels.; ; Once the incident is contained, a detailed investigation is conducted to determine the root cause, impact, and scope of the incident. Recovery is then undertaken to restore affected systems and data to a secure state.; ; Throughout the process, stakeholders are kept informed about the incident, its impact, and the ongoing response efforts as part of our Service Level Agreement.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  The provision of accurate, timely and reliable TransXChange data to populate upstream third party systems on which the public depend to plan their journeys.

Pricing

• Price: £2,500.00 to £8,500.00 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@grmmapping.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.