DEF Software Limited

MasterGov Strategic Consultation

The module has been designed to deal with an authorities to response to neighbourhood plans and other strategic consultations. The module allows users to book in the consultation, including any supporting documentation, and then disseminate the information to stakeholders who use the web front end provided to respond.

Features

• Full application life cycle
• Integrated workflow
• GIS and Gazetteer integration
• Fully integrated with Planning, Building Control, Local Land Charges
• Mobile and remote working
• Online public facing components
• Industry standard technologies
• Built-in Document Management (DMS)
• Auditing tools
• Real time reporting (including statutory)

Benefits

• Intuitive interface
• Device agnostic
• APIs available
• Microsoft Azure hosting
• Single source of truth
• Self-service online public interface
• Reduces internal IT costs
• Kept abreast of legislative changes
• Part of a suite of land & property software
• Developer led support putting customers first

£22,325 an instance a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gc@def.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

250089786240744

Contact

Graeme Cooke
01915358400
gc@def.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: The platform is restricted by IP range white list to secure from attack. Users also have to use multi-factor authentication via an app such as Microsoft Authenticator.
• System requirements: HTML5 compliant browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support will be made available to the client under an annual agreement. This support will be made available via the published helpdesk contact routes and will be available: Monday-Friday, 8.30am – 5:30pm. UK working hours, excluding UK Bank Holidays.; ; Response times depend upon severity of the issue and are as follows:; Urgent - 4hrs; High - 4hrs; Medium - 2 working days; Low - 1 working week
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: DEF operate a single support model. ; ; DEF shall provide rectification of faults found in the Software. Faults shall be defined as deviations from the agreed specification. Where no specification pertains to a given identified fault, a discussion shall be entered between the authority and DEF where an agreement shall be reached on whether this is an enhancement or a fault.; ; The authority shall notify DEF of any problems found, using an agreed procedure. This shall involve the written logging of problems on a standard form. Any verbal notification (for example in urgent or out of hours cases) shall be confirmed in writing as soon as possible.; ; Should DEF become aware of faults affecting the operability of the installed Software, DEF undertakes to inform the authority as soon as possible, and to provide a resolution within the agreed timeframe for the identified faults consistent with the categorisation specified within this SLA. Faults that are identified but do not affect the operability of the software will be listed at the next maintenance release of the software that addresses these faults.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: DEF will deliver a show and tell session to all users initially to encourage buy in of the solution. Onsite admin training is provided via several workshop sessions to allow the customer to gain the skills required for customisation. Full end user training will be provided to all users ahead of go live.; ; Training will be delivered either in person at the customers premises or via Microsoft Teams.
• Service documentation: Yes
• Documentation formats: Other
• Other documentation formats: Wiki
• End-of-contract data extraction: At the end of the contract DEF will provide the customer with a SQL Server BAK file and file extract of all associated documents from the DMS.
• End-of-contract process: At the end of the contract DEF will deliver data and associated documents back to the customer. Upon doing this all data documents held by DEF will be destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The API is mainly used as conduit for the traffic between the back office MasterGov system and public facing online components. Customers can use it to update the back office database with data captured from their own e-forms. It can also be used by CRM solutions to display system data.
• API documentation: No
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customers can:; - add merge fields; - build templates for document production; - create custom fields; - add user roles; - update all drop down lists; - create workflow processes; - add layers to GIS; - create mobile working job templates; ; The above customisation is all managed within the MasterGov client without the need for IT skills.; ; System admin users would manage customisation.

Scaling

• Independence of resources: DEF operate a load balancing system with enough server resource to ensure that if all expected users were on a once there would be sufficient capacity.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Never
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported in a variety of formats using either the Query Builder or using MasterGov reporting (SSRS).
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • SQL Bak file
  • Shape file
  • Microsoft Excel
  • XML
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • SQL Server Bak file
  • Shape file

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The solution has a guaranteed availability of 99.9%.
• Approach to resilience: The data centre is provided by Microsoft and this information is available on request.
• Outage reporting: DEF use email alerts to notify users of any outages.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are restricted based upon permissions configured within the MasterGov system. Support channels are restricted on user ID and password. Access to MasterGov is restricted using IP range white lists which are enforced with firewall and Microsoft Azure network security group rules.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company
• ISO/IEC 27001 accreditation date: 03/01/2022
• What the ISO/IEC 27001 doesn’t cover: The Microsoft Azure platform which is used.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 19/06/2020
• CSA STAR certification level: Level 3: CSA STAR Certification
• What the CSA STAR doesn’t cover: Anything not provided by Microsoft.
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: DEF has an Information Security & Data Protection Policy which details the policies and processes for the business. The policy document outlines the key processes and reporting channels. All staff have to sign to indicate that they have read and understand the policy. Any breach of the policy must be reported to a director. Any employee, or subcontractor, found to have breached the policy will be subject to disciplinary action.; ; The policy covers GDPR, sensitive personal data, information security, access requests and data security. The policy also covers the communication path for any losses of data.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: As the hosting platform is managed by Microsoft they manage changes to core infrastructure. DEF however manage changes to operating system updates. This is done on an agreed schedule with maintenance periods communicated to customers.; ; In terms of the DEF authored software, every change is logged in a source code management system and all changes detailed into comprehensive release notes which are sent to customers.; ; Only infrastructure changes impact security and each change is accessed on a case by case basis by our technical architects with, where applicable, input from Microsoft.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: DEF follow recommendations from Azure Security Centre on performing vulnerability assessments on the Azure virtual machines, container images, and SQL servers.; ; DEF use third-party solutions for performing vulnerability assessments on network devices and web applications. When conducting remote scans, DEF do not use a single, perpetual, administrative account. Credentials for the scan account are protected, monitored, and used only for vulnerability scanning.; ; DEF use Azure "Update Management" to ensure the most recent security updates are installed on Windows VMs. Although these are applied in schedule maintenance windows, DEF will provide urgent updates as required.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: DEF ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, DEF use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.; ; DEF enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.; ; If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it.
• Incident management type: Supplier-defined controls
• Incident management approach: Security Centre assigns a severity to each alert to help prioritize which alerts should be investigated first. The severity is based on how confident Security Centre is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.; ; Security incident contact information will be used by Microsoft to contact DEF if the Microsoft Security Response Centre (MSRC) discovers that the data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Wellbeing

  Fighting climate change

  DEF Software and Holdings are committed to reaching Net Zero emissions by 2050 and already two years into this process. Policies such as the promotion of remote working for all staff, the use of EV and hybrid vehicles, and a drive to move over to sustainable energy, have all contributed to a further reduction in carbon emissions in the most recent reporting year. Progress can be viewed in DDEF's carbon reduction plan as published on the DEF website.; ; Furthermore, DEF have taken part in a significant tree planting scheme in Sunderland. Working with the local authority a team of DEF staff help plant over 1000 trees in the Silksworth area of the city.

  Covid-19 recovery

  As part of DEF’s Covid-19 recovery efforts, all staff are now able to work from home at least four days per week with some more vulnerable members of staff working fully remotely. Using technology, we have been able to maintain regular communications whilst ensuring staff are safe and protected. This has also allowed the working areas in the office to be better spaced for when staff are in the office.; ; This has also helped with DEF’s carbon reduction plans.

  Wellbeing

  As part of DEF’s continued drive for better health and wellbeing with their workforce they have recently implemented three new schemes.; ; The first is that DEF enrol all their staff into a private health care scheme with a major UK provider. This scheme entitles them to a range of benefits including dental. The scheme covers a significant proportion of any treatments required.; ; The second provision is a mental health help line that staff can use to seek professional and confidential counselling for any mental health issues.; ; The third and final provision is a cycle to work offering whereby staff can purchase cycles and associated equipment through salary sacrifice. This scheme encourages staff to be more active both on their commute and outside of work.; All three schemes are actively promoted to all staff members.

Pricing

• Price: £22,325 an instance a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Basic access to a demo instance of MasterGov to allow customers to check communications and evaluate the product.; ; No data migration, training or other DEF services are provided.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gc@def.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.