B-SAFE Occupational Health Management System

B-SAFE – a web-based Occupational Health Management software for health surveillance, referrals, pre-placements, vaccinations&immunisations etc. Online forms and reports. Appointment booking/management. Automated letters, emails, texts and reports. Interfaces with audiometry & spirometry equipment. Appointment self-check-in. HR specific dashboards. Manage GDPR responsibilities. Powerful MI&dashboards. Available on desk/laptop, tablet, mobile phone.


  • Integrated Online Occupational Health Software
  • Supports PSN and HSCN code of connection
  • GDPR features to support record retention and requests
  • Online appointment and clinic appointment booking
  • Automated correspondence, letters, emails, reports, text messages
  • Integration with audiometers and spirometers
  • Integrated dashboard reporting
  • An appropriate security structure to prevent data breaches
  • Comprehensive real time insights and dashboards
  • Support a high number of concurrent licence holders / users


  • deliver an alert notification system for all relevant staff
  • access anywhere with web connectivity, mobile working, business continuity
  • demonstrate compliance with GDPR, supports SEQOHS, ISO accreditation etc.
  • reduce frequency and volume of unplanned absence episodes
  • manage all 3rd party suppliers related to employee health
  • enable roles and groups for faster deployment
  • publish content from multiple devices/locations
  • quickly manage content on the move, use dashboards, audio/video/photo capturing
  • highlight tasks by urgency/importance using a Red, amber, green flagging
  • update tasks with progress and completion reports, get realtime reports


£4 to £3,500 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

3 6 2 2 0 3 8 5 9 4 9 2 1 8 1


BONDAP LTD Pavel Novikov
Telephone: +447458148897

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
B-SAFE is a modular software. This means each B-SAFE module can work as a standalone module but can be seamlessly integrated with others to provide organisations with one system for solving ER/HR, Health Cases, Health Surveillance, Governance, Risk and Compliance Challenges. Please refer to the G-Cloud Catalogue.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Access to the internet and a modern internet browser.
System requirements
Browser: IE 11/Edge/Chrome/Firefox/Safary/Opera/Chromium based

User support

Email or online ticketing support
Email or online ticketing
Support response times
Priority 1 (urgent) - up to 30 minutes;
Priority 2 - up to 1.5 hours;
Priority 3 - up to 4 hours;
Priority 4 - up to 9 hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Yes, at an extra cost
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Automated accessibility test
Onsite support
Yes, at extra cost
Support levels
Basic support - free:
*Standard maintenance (including bug-fixing, system upgrades, software updates, secure updates, etc.)
*Access to video-tutorials for users
* Access to all relevant documentation and User Manual in an electronic format.
* User support using ticket system or email support weekdays between 8am and 6pm

Advanced support - 1000 GBP /year:
* All the Basic support +
* Support by phone weekdays between 8am and 6pm
* 2 online training session (3 hours each) for system users (up to 10 users) with “train the trainer scheme”:
-system configuration and settings;
-user roles and rights;
-system general functionality;
-specific modules functionality;
-user control (change-log);
-reporting capabilities, interactive charts;
-customisation capabilities;
-ticket system usage.

Around the clock ticket system or email support - 10000 GBP/ year:
* All the Advanced support +
* Support by ticket system or email support 24/7

Around the clock phone and chat support - 20000 GBP/ year:
* All the Advanced support +
* Support by phone and chat support 24/7

Onsite support - 1000 GBP/ visit:
It can be a training session or any other onsite support customer requires

Additional online training sessions - 100 GBP/ hour

Chat support - 1000 GBP/ year
Support available to third parties

Onboarding and offboarding

Getting started
All clients receive direct support in on-boarding specific to their requirements. We provide onsite training, online training, user documentation and video tutorials. Training can be arranged as required, however our system is designed with intuitiveness and user-friendliness in mind, and formal training is rarely required.
We also provide migration services and integration with other customer systems.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Users can use built-in export features to extract data any time during the contract.
At the contract end/exit we place the encrypted archive with full Customer’s data extraction on our secure private cloud. The data is transferred/exchanged via secure communication channels which are protected by best practice encryption.
Then the customer can download it using given credentials.
Once the customer confirms successful receiving of its data, we securely destruct all customer's data on all our servers.
End-of-contract process
Services included in the price at the end of the contract:
- Customers data export in sql and/or csv format as an encrypted archive and data fields and dependencies description
- Placing archive on our own private secure cloud
- Sending credentials to the customer to download and extract archive
- Date of customer data destruction agreement
- Customer data destruction
Additional services can be provided by customer's request at the additional cost.
Additional requirements for delivery of the data in non-standard file formats or with transformations applied will be chargeable per the standard rate card.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Other
Designed for use on mobile devices
Differences between the mobile and desktop service
All the system functionality available equally for mobile, desktop and tablet devices
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
HTML5 responsive design
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Automated accessibility test
What users can and can't do using the API
Read and Write data to the system, subject to permissions.
For example:
-users can create and manage users and permissions through the API, -create and manage entries in all core system modules (incidents, audits, assessments, offsites, SSoW, work permits, etc.) through the API,
-pull entries from each module using filters through the API.
API keys can be created with different permission levels and restriction of access to any module/any function.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
  • Other
API sandbox or test environment
Customisation available
Description of customisation
B-SAFE has an outstanding level of customisation available to customers – permissions, forms, workflows, fields, reports, dashboards, chart filtering, branding, system messages and emails templates, reports templates, etc. All modifications are available inside the system without need to communicate with the service provider.
Configurability can be assigned to general or admin users of according to our client's requirements.


Independence of resources
We use load balancer (for HA subscription - high availability multi-cloud) and automatic scaling of backend services are used to ensure demand is met for each client.
For each installation we deploy dedicated secured containerized instance/virtual machines which are guaranteed a minimum level of resources from the physical host and ensures customers are logically separated at the application/OS/Hypervisor layer. We continually operate with 100%+ spare physical capacity in our hosting capability.
We provide component redundancy Full N+1 or Fault tolerant (2N or 2N+1) dependent on subscription level.


Service usage metrics
Metrics types
Metrics supplied are based on client requirements.
For example: Logins, session length; changes; number of users, active users; number of entries added by module; number of entries logged per user; number of cases and assessments closed in time; cases, assessments outdated; percentage of cases investigated in time.
The system provides an effective summary analysis and reporting capability, including straightforward reporting tools for cumulative summaries, identification of trends, hot-spots, areas of concern etc.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Built-in export functionality with an option to extract filtered entries so data can be exported directly from the website in a variety of formats from any module.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • TXT
  • JSON
  • Excel/Word
  • PDF
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • TXT
  • JSON
  • Excel/Word

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
WireGuard VPN
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Standard subscription: 99,9% System Availability (but we regularly achieve 100% uptime)
HA subscription: 99,99% System Availability
Approach to resilience
We use load balancer (for HA subscription - high availability multi-cloud). We provide component redundancy Full N+1 or Fault tolerant (2N or 2N+1) dependent on subscription level.
We utilise multiple resilience arrangements, including availability zones allow us to provide redundancy across phisically separated loacations, and regularly practice disaster recovery scenarios. For security reasons, full details are available on request.
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Management access is limited based on client requirements using pre-defined roles based access.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Certification Assurance International
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
  • Independent Annual Attack and Penetration Testing
  • Independent Vulnerability test

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
Production information never replicated and stored in non production environments. Administrator access to production environments is limited to a handful of senior, named individuals.
All data is encrypted in transit and at rest.
We have a Segregation of duties policy.
B-SAFE has a documented ISMS policy which is continually reviewed and redistributed to employees on an annual basis. Information Security events are recorded in a central database and reviewed by board-level management with actions and follow-ups implemented as required.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes are requested through the Access/System Change Request process, requiring authorisation from senior IT management.
Configuration, change management, incident response and protective monitoring are all demonstrated in our compliance with the ISO-27001 information security standard and CSA CCM v3.0.
In addition to our ISO-27001 compliance, and our use of independent 3rd party penetration tests, we operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of our Operational Security Assurance (OSA).
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We use software such as: Oracle Vulnerability Scanning Service that routinely checks:
- Compute instances (hosts).
- Containers.
using the following vulnerability sources:
- National Vulnerability Database (NVD).
- Open Vulnerability and Assessment Language (OVAL).
- Center for Internet Security (CIS).
It can identify:
- Ports that are unintentionally left open.
- OS packages that require updates and patches.
- OS configurations that hackers might exploit.
- Industry-standard benchmarks published by the Center for Internet Security (CIS).
- hosts compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use Real Time Monitoring (RTM) on cloud level:
Metrics related to the activity level and throughput of compute instances, to the up/down status, health, observability, log, configuration, capacity.
Execution level:
We collect user activity logs such as access log.
Backup log level:
We backup logs to avoid overwrite buy 3-rd party.

Once a serious compromise is discovered we applying the maximum set of emergency strict rules.
The most serious compromises will be resolved within 12 hours, others will be resolved approximately within 72 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have an Information Security and Data incident reporting policy.
We make use of our own software platform for incident reporting using an online form. Incidents are then automatically escalated to a fortnightly director meeting for review.
We register all the discovered incidents including minor.
If a major incident occurs: information about the incident will be sent via e-mail (or other specified contact) to the Data subject (Customer or third party) and to the corresponding authority when applicable (ICO).
Incidents impacting clients will be communicated on an ad-hoc basis if and when they occur.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

We care about the environment and our own carbon footprint.
We practise an employment model that delivers a positive impact on local communities, the economy and environment of the world, decrease resource use and as a result carbon footprint, waste and emissions.
We have been able to achieve Carbon Neutrality, moreover we achieved “net zero” in one of our recent projects through the following:
ISO 5001 certified data centers, 100% green energy
reduction of devices and resources used;
full avoiding of work trips: all the contacts between team members and the customer were remote, including implementation and training;
use of renewable energy;
control of our supply chain to use products that produced by companies caring about the environment;
planting trees.
And our plan and a strong intention is to become “carbon negative” in the next 10 years.
Covid-19 recovery

Covid-19 recovery

We Help local communities to manage and recover from the impact of COVID-19:
We are opening several vacancies for programmers and managers and provide training for new staff and sometimes candidates
We are developing a plan for returning back to work for staff after COVID-19, including those worst affected and requires changes in a workplace / schedule etc.
We provide consulting and implement solutions for businesses to enable remote working, e-commerse, etc.
We provide access to psychological help prophylactic for our staff free of charge
Remote working was implemented for the whole staff

We create new businesses, new jobs and new skills:
We are developing partnership programms, incuding possibility for our products reselling and integration
As we practice remote work, we provide employment and training opportunities for those who are located in deprived areas
Relevant staff gets training in cyber security, data protection, ISO 9001, ISO 27001, health and safety, etc.
Tackling economic inequality

Tackling economic inequality

We have a Diversity and Equality policy in place.
As a company own and driven by woman, we understand the importance of the issue and we are committed to encouraging equality and diversity among our workforce, and eliminating unlawful discrimination, including inequality in employment, skills and pay. And our employment policy helps to gain it: we have two almost anonymous opportunities for job candidates:
1. People who have good working experience and education can immediately apply for a job and pass an interview through our corporate chat (it is anonymous because interviewers do not know who is applying and in the case of successful interview applicants’ documents will be checked just to confirm they exist - no additional evaluation).
2. People who do not have good working experience can take part in our remote training program - it’s free and at the end of the program successful participants receive a job offer from our company. Exam is anonymous and consists of two parts: computer test (pass/fail) and chat interview.
All our staff has equal access to the training opportunities. We monitor pay roles and identify any inequalities by gender, race, etc.
BONDAP LTD is committed to engaging suppliers that consistently operate in accordance with our values, comply with national laws and regulations and meet the company’s requirements for health and safety, quality management, environment, ethics, anti-corruption and social responsibility, including human rights and labor standards.
Equal opportunity

Equal opportunity

Support for the unemployed (including disadvantaged or minority groups) to gain access to employment opportunities. As described above our company provides huge opportunities for unemployed to gain a job through our special training program, that is absolutely free and at the end of the program successful participants receive a job offer from our company.


We take a positive approach to rewarding workers at a level that can help tackle poverty - our company commits to paying at least the living wage for all employees in this contract. We do not exploit workers (e.g. in relation to matters such as the inappropriate use of zero hours contracts or “umbrella” companies). We support employee volunteering.
We have a Health and Safety policy in place to:
Ensure the business complies with all legislation relating to health and safety
Eliminate or minimise all workplace hazards and risks as far as is reasonably practicable
Provide information, instruction and training to enable all workers to work safely
Supervise workers to ensure work activities are performed safely
Consult with and involve workers on matters relating to health, safety and wellbeing
Provide appropriate safety equipment and personal protective equipment
Provide a suitable injury management and return to work program


£4 to £3,500 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
7 days Free trial version can be provided by request. It includes all core modules and is fully functional.
Free trial access does not allow for customisation and roles management, no administrator access and only email notifications (no sms, voice, push notifications).

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.