RLDatix PolicyStat

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: RLDatix DatixCloudIQ
Cloud deployment model: Public cloud
Service constraints: None that affects primary use of the product. Every two weeks on Sunday for a 4 hr period, the application goes into read-only mode for maintenance; all data is still retrievable.
System requirements: Please see Service Definition for full details.

User support

Email or online ticketing support: Email or online ticketing
Support response times: The PolicyStat Service Desk is available 9.30am to 5.00pm UK Time, Monday to Friday, except UK public holidays. email acknowledgement within 3 working hours from receipt of request
Critical = 1 working day
High = 2 working days
Normal = 5 working days
Low = 10 working days

Please refer to the Terms and Conditions attached to this service.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: We use Zendesk Chat to provide a service. Zendesk is not currently compliant with WCAG but does support US accessibility standard Section 508.Web chat accessibility testing
Web chat accessibility testing: We use Zendesk Chat to provide the service, and details of their assistive technology compliance and testing is available at https://www.zendesk.com/company/policies-procedures/section-508-accessibility/
Onsite support: Yes, at extra cost
Support levels: Please refer to the Terms and Conditions attached to this service. Typically, as an RLDatix product, RLDatix have a single support level for all customers, defined in the RLDatix Service Level Agreement. The cost of this is incorporated in the annual charge. The Service Desk is the customers primary contact for technical help in the event of the customer encounters any faults in the licenced programmes that prevent it running as intended. It is also available to customers who require quick fixes or how to help in the event of a gap in knowledge. Success Plans can be purchased to provide additional administration support.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide a full onboarding service to take your current policies and documents. The conversion team will cleanse and upload the documents to ensure that they are standardised and ready to be accepted by the customer.
Remote training is included in the implementation to allow the organisation to cascade the information to all service users. Along with intuitive videos and helpful articles via the learning centre.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Bulk pdf backup service can be utilised by customers to ensure that all information can be download as a hard copy if required. Automated Data Backup Service could be paid for by the customer if required.
End-of-contract process: Upon conclusion of the contract, all data is exportable from the application as PDF documents. Reports are exportable as CSV files. Should other file formats be required and/or long-term storing of data be required, additional costs would occur dependent on scope.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Because users want to do different things on their mobile devices compared to their desktop machine, we optimise support for searching, viewing, approving, collaborating and reporting on the following browsers:

Mobile Safari- The latest version supported on the 3 most recent major versions of iOS
Android browser- The latest version supported on the 3 most recent major (codenamed) versions of Android
Chrome Browser for Android- The latest stable version
Service interface: No
User support accessibility: None or don’t know
API: No
Customisation available: No

Scaling

Independence of resources: PolicyStat uses robust localisation to support content delivery networks increasing the likelihood that a user will have the media cached. Further, PolicyStat utilizes data partitioning and load balancing to ensure demand needs are met.

Analytics

Service usage metrics: Yes
Metrics types: Policy Activity / customer totals are presented, showing active users, active subdomains and policy areas,
Searches, logins, approvals and editing sessions will provide a graph for each of metrics over time series
Search results to show top searches by search term and number of searches alongside top searches without producing results to support documentation. and finally the policy selected after searching
All policy views based on number of views
policy access over time via graph looking at viewing stats, print stats, editing, email and download to word stats.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: Other locations
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: Less than once a year
Penetration testing approach: In-house
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Documents can be exported to word to edit outside of the application if required

Reports exported to Excel

CSV reports can be downloaded throughout the application
Data export formats: CSV

Other
Other data export formats: PDF
Data import formats: Other
Other data import formats: Text Based (e.g. Word, PDF, .txt, .rtf)

Image Based (e.g. .png, .gif, .jpeg, etc.)

Attachments can be any file type

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: We will use commercially reasonable efforts to make the PolicyStat Service available with an Annual Uptime Percentage of at least 99.95% during the Service Year.
Approach to resilience: We utilize industry-leading AWS as its hosting provider. Additionally, redundant backups and fail-overs are in use.
Outage reporting: Reports of outages are provided via email alerts

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Available is LDAPS and/or SSO via SAML 2.0 support for in-product access. Support channels are generally open to all customers.
Access restriction testing frequency: At least every 6 months
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: SOC 1 Type II

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: The Open Web Application Security Project is an international community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted, publishing a Top10 of most critical vulnerabilities found in applications, with mitigation strategies/advice. PolicyStat has specific tools/processes to mitigate/eliminate the potential for each.
Information security policies and processes: PolicyStat has a Director of Product Development who reports up to the CTO. Policies and change control procedures are clearly outlined/managed in our own product (nearly 40 policies) that are closely monitored and followed. These include items such as Vulnerability Alert Review and Prioritization Process to Product Enhancement Workflow to Operations plan for system outages.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: PolicyStat uses a rolling development schedule, leveraging all the benefits of git with regards to versioning and change control. When improving a component of the PolicyStat software, the primary developer creates, a secondary developer does a code review, and then testing is performed as well. Only at that point will any enhancement be pushed for client use. Additionally, rolling backups are kept such that if a change ends up having a bug and roll-back is required, that is available.
Vulnerability management type: Undisclosed
Vulnerability management approach: The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

The National Vulnerability Database provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.

Critical vulnerabilities (greater than 9.0 for CVSS v3.0) should be mitigated within 10 days of release, and must be mitigated within 20 days.
High vulnerabilities (greater than 7.0 CVSS) should be mitigated within 30 days, and must be mitigated within 60 days.
Protective monitoring type: Undisclosed
Protective monitoring approach: Includes: GitHub Security Alerts - Whenever there is an security alert regarding one of our third-party dependencies, GitHub automatically sends us an alert (email) and updates this page. Conveniently, the alert will be automatically resolved when a pull request is merged in that either updates or removes the offending dependency.
AWS EC2 AMI Alerts - Whenever a new Linux AMI is released, the team is notified by email of the new image. As a follow-up to a release of a new image, we manually review the Latest Security Bulletin to determine how to prioritize the AMI update.
Incident management type: Supplier-defined controls
Incident management approach: PolicyStat uses Five Whys Root Cause Analysis as a tool to extract the maximum amount of learning from incidents and to then apply a proportional investment in corrective action to improve the organization as a whole. The stakeholders, usually engineering, client services and administration, meet to understand why an event happened at a deep level. Five whys is about finding the root process/system/culture problem that precipitated the adverse event. Users can report events via UserVoice. Incident Reports are provided via email.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

Fighting climate change and supporting Net Zero RLDatix recognises that it has a responsibility to the environment beyond legal and regulatory requirements. We are committed to reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods. To achieve this, RLDatix has completed the following: • RLDatix has an Environmental Policy that is reviewed on an annual basis to ensure it is relevant to the business • RLDatix has engaged our travel partners to ensure travel is as carbon efficient as possible, i.e., recommends trains rather than flights • Throughout all RLDatix offices we provide waste receptacles for recycling and general waste, supporting the reduction of waste to landfill • We encourage the reduced use of water and electricity and actively encourage the staff to consider the environment whilst printing • Many of our solutions assist our customers in reducing their own carbon footprint, i.e., assisting with route planning for community-based staff • RLDatix is working to be carbon neutral in the next few years and achieve ISO 14001 accreditation Many of these environmental proposals help us and will help you in your path to Net Zero. We are firmly committed to carbon reduction, as demonstrated by our Carbon Reduction Plan, published here: https://rldatix.com/en-uke/corporate-responsibility/

Pricing

Price: £5.75 to £60.62 a licence a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

RLDatix PolicyStat

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents