Skip to main content

Help us improve the Digital Marketplace - send your feedback

TSO - The Stationery Office

Regulatory Publishing Platform

TSO has built a fully managed publishing platform. Its software components can vary to meet different specific requirements and budgets. It is compatible with the requirements of regulators and providers of best practice professional guidance. The platform can be delivered through different commercial models i.e. SaaS and subscription-based model.

Features

  • Ability to create tailored and use standard APIs
  • Single source publishing
  • Adaptive infrastructure
  • Accessibility Compliance
  • AI enabled search capability
  • OCR capability
  • Comprehensive Metadata Management
  • Intuitive and collaborative editing environment
  • Print ready outputs
  • User centred design and service development

Benefits

  • Content delivered in formats that users' require
  • Improve data quality and reusability
  • Enhance user experience
  • Consistency of information for users and machines
  • Improve searchability
  • NLP & AI friendly
  • Enhanced user engagement through clearer communications
  • Autoscaling and Elastic Load Balancing
  • Enhanced visibility of your content
  • Easy to use

Pricing

£180,000 an instance a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tsobidteam@williamslea.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

3 3 4 9 1 8 2 8 3 8 7 0 5 1 6

Contact

TSO - The Stationery Office Bid Team
Telephone: 07548372034
Email: tsobidteam@williamslea.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
N/A
System requirements
Modern Web Browser

User support

Email or online ticketing support
Yes, at extra cost
Support response times
To be decided with buyer.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Yes, at an extra cost
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AAA
Web chat accessibility testing
To be decided with buyer.
Onsite support
No
Support levels
A standard set of service level agreements exist for the platform, however these are customisable based upon customer need and costing specific to the scale and usage of the service.

Any contract would be supported by both an account manager, technical lead and our technical support teams to support the client.

Customer support teams can also be provided for public enquiry's where this is appropriate, particularly around authentication and transactions.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Online training can be provided where required to ensure that content editors have full confidence in their understanding of the interface.

User documentation will additionally be provided to help
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data will be provided in one or more of the structured formats within the service either as the standard data formats or any bespoke formats created during the contract.
End-of-contract process
An exit plan will be included with any contract

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
System is built as mobile first responsive website.
Service interface
Yes
User support accessibility
WCAG 2.1 AAA
Description of service interface
The service is displayed via web technologies and can be access with any standards compliant web browser
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Automated user testing is carried out and verified by third parties
API
Yes
What users can and can't do using the API
Retrieve documents in different representations
Carry out searches
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The visual design of the interfaces can be fully customised to user requirements, through a comprehensive theming layer.

Editing of regulatory content editing can be customised based upon document analysis to provide a structured interface.

Appropriately permissioned users can edit website content.

For all content bespoke editing and approval workflows can be created and optimized.

Scaling

Independence of resources
The service is designed to scale with demand to ensure that user requests can be answered in a timely manner, the service is performance tested to ensure that the system will remain responsive within the expected demand of the service, with the architecture designed to be simple to scale beyond these levels as required.

Analytics

Service usage metrics
Yes
Metrics types
Service Uptime
Usage Analytics
Transaction reporting (where appropriate)
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be made available through APIs to allow for direct access for the users. In addition any non-public data such as reporting can be made available in a variety of formats for the client.
Data export formats
  • CSV
  • Other
Other data export formats
  • HTML
  • XML
  • JSON
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON
  • HTML
  • PDF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
A standard SLA of 99.98% is offered for the availability of public facing services. Service credits would be given where availability does not meet this standard
Approach to resilience
Horizontal scaling used to ensure that there is a high-degree of fault tolerance. Redundant systems in place to allow for short RTO and RPOs.

More details available on request.
Outage reporting
Email alerts to support and operations teams, with escalation via email to key individuals.

API endpoints showing overall service availability

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
Access to management interfaces is contolled with secure authentication processes including MFA, where possible Single Sign-on is used.
Support channels are access through Industry standard secured service management portals.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Different elements of the service use specific technologies to restrict the access including all of the above checked options for different elements of the service.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
UKAS
ISO/IEC 27001 accreditation date
02/04/2025
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
ISO 22301

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
ISO/IEC 27001:2013: Information Technology – Security Techniques
– Information Security Management Systems.
ISO/IEC 27017:2015: Information Technology – Security Techniques
– Code of Practice for information security
controls based on ISO/IEC 27002 for cloud
services.
CYBER ESSENTIALS PLUS: Cyber Essentials verified self-assessment with an additional technical audit, an on-site or remote assessment, and internal and external vulnerability scans conducted

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We align to ITIL v3 processes
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use third party monitoring 24x7 to notify any vulnerabilities we use the provided information to apply patches and updates.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use third party monitoring 24x7 to notify any vulnerabilities we use the provided information to apply patches and updates.
Incident management type
Supplier-defined controls
Incident management approach
Via Jira helpdesks which align to ITIL processes

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

Fighting climate change

TSO, as part of the Williams Lea Group, has an ESG (Environmental, Social and Governance) programme. The Beyond Business programme ensures ethical and environmental accountability, thoughtful actions in the community and opportunities for development.
Our climate change commitments include:
Developing and establishing sustainable, inclusive and digital practices for the future.
Using cloud hosting solutions for more efficient use of computing resources.
Annual social value reports.
Robust supplier onboarding policies and procedures.
Aligning our ESG strategy to the UN Global Compact Sustainable Development Goals: Good Health and Wellbeing (3); Diversity, Equity and Inclusion (5, 10); Decent Work and Economic Growth (8); Climate Action (13)

Equal opportunity

TSO, as part of the Williams Lea Group, has an ESG (Environmental, Social and Governance) programme. The Beyond Business programme ensures ethical and environmental accountability, thoughtful actions in the community and opportunities for development.
Our equal opportunity commitments include:
Employing a User-Centred Design (UCD) approach to service development.
Ensuring accessibility of our products and services.
Robust supplier onboarding policies and procedures.
Policies that explicitly prohibit discrimination and initiatives that encourage diversity.
Mandatory Diversity, Equity and Inclusion and Anti-harassment and discrimination training
Modern slavery statement and policies.
Diversity data monitoring.
Disability confident employer.
An Employee Assistance Programme and Employee Benefits Scheme to provide support for employees.
Flexible working arrangements.
Aligning our ESG strategy to the UN Global Compact Sustainable Development Goals: Good Health and Wellbeing (3); Diversity, Equity and Inclusion (5, 10); Decent Work and Economic Growth (8); Climate Action (13)

Wellbeing

TSO, as part of the Williams Lea Group, has an ESG (Environmental, Social and Governance) programme. The Beyond Business programme ensures ethical and environmental accountability, thoughtful actions in the community and opportunities for development.
Our wellbeing commitments include:
An Employee Assistance Programme and Employee Benefits Scheme to provide support for employees.
Flexible working arrangements.
Positive promotion and reward for socially beneficial and responsible behaviour.
Employing a User-Centred Design (UCD) approach to service development.
Aligning our ESG strategy to the UN Global Compact Sustainable Development Goals: Good Health and Wellbeing (3); Diversity, Equity and Inclusion (5, 10); Decent Work and Economic Growth (8); Climate Action (13)

Pricing

Price
£180,000 an instance a year
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tsobidteam@williamslea.com. Tell them what format you need. It will help if you say what assistive technology you use.