Consent Kit

Consent Kit - Research CRM and Panel management

A CRM and participant management platform built specifically for user research, design research and Research Ops.

Focusing on inclusive and accessible participant experiences

Create powerful workflows to automate your research (research panels, communication, informed consent, data governance and scheduling)

The infrastructure you need to run your own research at scale.

Features

• Research panels - build your own panel
• Real-time project dashboards
• Screener surveys
• Consent forms & NDAs - Digital signatures
• Scheduling automations
• Bulk and 1-to-1 email
• Participant audit trails, automated data governance
• Online portal - Panellists edit their own data
• Powerful workflows to automate your research
• Research CRM

Benefits

• Easy to manage and grow your own research panel
• Create powerful workflows to automate your research process
• Track research progress in real time
• Standardise your recruitment process across teams
• Fully WCAG 2.2 AA compliant for participants and researchers
• Significantly reduce operational risk from GDPR / data protection
• Save 45 mins per participant in research admin time
• Empower participants with agency over their own data
• Precision screening and segmentation
• True informed consent with granular permissions and dynamic consent

£384 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ben@consentkit.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

307350165357666

Contact

Ben Aldred
07563563579
ben@consentkit.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: Modern web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim to respond to all issues within 24 hours.; ; Over the past 12 months, our average response time has been ~20 mins.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Usability testing with members of the A11y community in Manchester
• Onsite support: Yes, at extra cost
• Support levels: Tier 0: Self serve support - free; Tier 1: Email / in-app chat with ticketing support; Tier 2: Priority support. Cost dependant on needs. ; We can provide a technical account manager or cloud support engineer at additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Good UX and a set onboarding process for new team members.; Quickstart guide and help documentation.; Onboarding emails; Very responsive customer support via in app chat; Dedicated concierge setup for account administrators (for 10 seats or above).
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Download all data on request.
• End-of-contract process: At the end of the contract, we send out email reminders with clear guidance about how to close the account down, including downloading research data and informing us it is ready to be closed.; ; We generate and send PDF copies of any live consent agreements to the participants with updated forwarding contact details set at the point of account closure.; ; Finally, we delete all of the account information and provide a certificate of deletion to the main administrator or Data Protection Officer (DPO).

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The service is responsively designed. Some elements are hidden / repositioned, but there is no difference in functionality.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: A series of forms and dashboards accessed through a web browser.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We have automated testing built into our development process, alongside manual, human testing as part of QA and for larger developments.; ; We undertake third party testing at least yearly. The most recent was with the Royal National Institute of Blind People (RNIB) who completed a review of our participant facing interfaces.
• API: Yes
• What users can and can't do using the API: The consent Kit API uses standard REST practices. Resource-orientated URLs, returns JSON encoded responses and uses standard HTTP response codes, authentication and verbs.; ; Users can view and create Events, Participants, Consents and Links via the API. For more information see our API docs at https://consentkit.com/docs/api
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Panel recruitment, screeners, consent forms can be customised in lots of ways and can be included in custom workflows to create powerful research automations. ; ; The forms and workflows can also be templated to make them re-usable and conform to your governance process.; ; Administrators can define their own data retention policy.; ; Administrators can create and manage teams across their organisation.; ; Researchers can invite collaborators to their projects.; ; We have various out of the box integrations with services like Calendly. We also have a Zapier integration that enables a wide range of integrations with tools you already use.; ; Custom integrations can also be written to connect to any external, bespoke, systems through our API.

Scaling

• Independence of resources: Our architecture is designed to scale elastically to meet demand. Performance monitoring is in place to ensure our internal performance metrics are being met.; ; As part of new customer onboarding, we review capacity and increase the capacity to anticipate the new expected load if needed. ; ; Each account runs on its own instance of our mail server, so deliverability is not affected by bad actors beyond your control and your reputation is preserved.

Analytics

• Service usage metrics: Yes
• Metrics types: Project metrics: Who has given consent / status of agreement; Admin metrics: How many participants have given consent / How many recordings have been linked to consent / How many recordings need to be deleted.; Panel metrics: panelist numbers over time / panel utilisation metrics / panel demographics
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: More sensitive data like passwords and signatures are stored within our database encrypted.; ; We have expirable links for uploaded assets so it would not be possible to take copies of these assets or share them.; ; Physical access is controlled by our cloud hosting provider AWS (via Heroku)
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Depending on support levels either: Self serve through the Administrator Dashboard or exports can be requested via support channels
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • PDF
  • JPG
  • PNG
  • GIF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We aim for 99.95% uptime.; ; We aim to respond to and fix all high and urgent issues within 2-4 hours; ; Consent Kit is to provide support Monday through Friday 9:00 - 17:00 GMT/BST; ; https://consentkit.com/legal/service-level-agreement
• Approach to resilience: Our cloud hosting providers ensure we have quick failover points with redundant hardware. We perform encrypted backups data daily and (on Heroku) have the ability to restore data from any point within that past 4 days.; We take care to architect our systems to eliminate single points of failure.; ; More information is available on request.
• Outage reporting: A service status page reports the status of the service and any outages (planned or otherwise). These can also be subscribed to is a user wishes.; Email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: We also offer SSO / SAML with services like Okta, Google and Microsoft
• Access restrictions in management interfaces and support channels: Access to management interfaces is restricted by roles. Permissions are assigned to roles and access is restricted by moving people in or out of those roles.; Multi-factor authentication is required where possible
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 13/7/2020
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: As a 100% remote company, we do not have any company offices or office infrastructure. We also operate a BYOD policy on all devices and do not require employees to install software to monitor and control these devices.; Controls regarding the above are required policies written within our employee handbook.; Our full listing is here and features a high level of detail in the notes - https://cloudsecurityalliance.org/star/registry/consent-kit/
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We follow parts of ISO:27001 (but are not yet certified) and have achieved the CSA STAR level 1 self assessment. https://cloudsecurityalliance.org/star/registry/consent-kit/ ; ; We implement the philosophy of “security by design” where security features are embedded in the product design to ensure, to the best of our abilities, that existing and new functionalities are free of vulnerabilities. We have a suite of automated tests that is run on every deploy
• Information security policies and processes: CSA STAR Level 1. Parts of ISO:27001.; ; We have more details with comprehensive notes here - https://cloudsecurityalliance.org/star/registry/consent-kit/; ; We have the following policies and checks in place in our Information Security Policy or Employee handbook:; ; Mobile Devices and BYOD Policy; Employee Policies, Access Control, Password Policy and Data Management; Change Management, including Code Reviews and Automated Testing; Acceptable Use of Assets Policy; Information Classification Policy; Security Incident Response and Risk Management; Risk Assessment methodology; Incident Handling; Use of Cryptographic Controls Policy; Clear Desk and Screen Policy; Backup Policy; Policy for Supplier Relationships

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a documented change management process based on peer review and Green Build.; ; assess changes to components by reviewing the risk (both financial and potential consequences and how they might impact our service) before engaging.; ; After the change is made a peer review process happens then it needs to pass (Green Build) or Continuous Integration stage with features automated integration, unit, security and other tests.; ; High-risk components are manually tested on a dedicated QA enviroment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: All vulnerabilities are managed and tracked through a defined set of stages. ; ; Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system.; ; We have an internal SLA that stipulates deadlines for fixing vulnerabilities. If necessary, a post-mortem is arranged as a learning exercise for our whole company to improve security.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We have a number of protective monitoring controls in place.; ; At the development level, we have automated dependency and static code analysers built into our Continous Integration workflow.; ; We have real time monitoring and protection for our infrastructure and application from various threats and to log when these attacks occur.; ; We have real-time application monitoring and protection to detect PII leakage, suspicious user behaviour and account takeover attacks.; ; Our response time is dependant on the severity, ranging from less than 1 day to 30 mins.
• Incident management type: Supplier-defined controls
• Incident management approach: Users can report incidents to our help desk either by email or through in-app chat. We will assign a ticket number immediately and rate the severity of the issue. Our response times are defined in our SLA. We are able to provide security related incident reporting via email on request.; ; We have a vulnerability disclosure policy for reporting security vulnerabilities.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Wellbeing

  Fighting climate change

  We donate 1% of gross profits to carbon capture initiatives.

  Wellbeing

  We have a 4 Day week program and unlimited holiday. Employees and contractors have a flexible work schedule. Can work whenever and wherever they want.

Pricing

• Price: £384 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 14 days full access
• Link to free trial: https://consentkit.com

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ben@consentkit.com. Tell them what format you need. It will help if you say what assistive technology you use.