CULTURESHIFT COMMUNICATIONS LTD

Culture Shift

A safe and simple tool empowering people to report culture-damaging behaviour directly to their organisation. Our full-suite reporting, analytics and case management platform puts data at the heart of organisational culture change.

Features

• Customisable online reporting for bullying & harassment, option for anonymity
• User tested best practice reporting questions
• Real-time data analytics dashboard
• Community of practice events & annual learning conference
• Enterprise level data security
• Awareness-raising campaign assets and strategy
• Advanced case and content management system
• Expertly drafted support articles
• Name matching and free text search
• Risk assessment forms

Benefits

• Removes barriers for anyone who has experienced bullying & harassment
• Empowers organisations to support people when they need it most
• Allows customers to monitor, track and manage individual cases
• Real-time data analysis to gain deep understanding of culture
• Build trust and confidence in your reporting processes
• Benefit from shared experience and best practice through events
• Targeted communications and campaigns to encourage engagement
• Early indication & warning signs of culture-damaging behaviour
• Increase employee sense of belonging & reduce attrition
• Activate positive and lasting cultural change with more proactive measures

£13,200 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ash@culture-shift.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

367731085956114

Contact

Ash McDowell
07908814006
ash@culture-shift.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Requires a web browser
  • Opera and browsers deprecated by their vendor are not supported
  • Web browser versions with greater than 0.2% of global usage

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have an online support desk which notifies a number of people within the Culture Shift team who are able to respond to issues Monday to Friday between the hours of 9am to 5.30pm. Our response times are as follows: ; 1 hour response to acknowledge the ticket;; 1 business day to investigate and provide a plan and resolution to the issue. ; You will also have a dedicated Customer Success Manager who will be your main point of contact at Culture Shift for all queries.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: We have an online support desk included in your package which notifies a number of people within the Culture Shift team who are able to respond to issues Monday to Friday between the hours of 9am to 5.30pm. Our response times are as follows: 1 hour response to acknowledge the ticket, 1 business day to investigate and provide a plan and resolution to the issue.; ; You will also have a dedicated Customer Success Manager who will be your main point of contact for all queries and will schedule regular meetings to discuss queries, best practice, support and guidance.; ; For the Advanced and Expert packages, as well as a dedicated Customer Success Manager you will also be part of our community of practice. Combining the knowledge of all our partners. Our partners frequently come together to learn from each other, share challenges, collaborate in workshops, contribute to blogs and case studies, all to facilitate the collective learning of our Community. ; ; As a partner you have a dedicated Customer Success Manager who will then direct all queries to the relevant contact for example if the query is technical, they will direct the query to our development team.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Onboarding can take as little as 4-8 weeks. This time is divided between Key Meetings, Required Actions & Technical Requirements.; ; KEY MEETINGS; ; Welcome Meeting with your key contacts from Culture Shift. (30 minutes). Prior to this your site will be created with our Best Practice Questions as default. During this we will also agree on a ‘go-live’ date for your system.; ; Kick-Off Meeting: Discuss the Required Actions + Technical Requirements to go live (1 hour); ; Dashboard Training (1 hour). The software is intuitive and easy to use, after this training the team will be able to complete the majority of customisation themselves.; ; Weekly touchpoint with your key Culture Shift contact (15 minutes).; ; REQUIRED ACTIONS; ; Review reporting questions. Culture Shift will configure the reporting routes based on the information submitted. We will give you feedback on the questions based on our years of experience in creating Best Practice reporting forms. All amendments can be reviewed in advance of the site going live.; ; Review support articles. The Culture Shift team can provide recommendations and share examples.; ; Complete privacy notice; ; Provide logo and branding for the site; ; Confirm dashboard users and teams; ; TECHNICAL REQUIREMENTS; ; Confirm dashboard access preference (SSO/MFA); Configure DNS settings
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Monday
• End-of-contract data extraction: 7 working days before a licence expires, all data will need to be exported from the system.; ; The data needs to be stored in a safe and secure environment, the encrypted password received from the Report + Support export must be kept somewhere safe. Usually IT departments will have systems in place that they would recommend for the storage of such important data.; ; Once the data has been exported, Culture Shift need to be informed that the export has been completed and it has been verified that the data is all out of the system.; ; It is also important to ensure that the data exported stays consistent with the organisations privacy policy and that information is redacted in line with the organisations retention policies.; ; The data held within Report + Support is extremely sensitive. Once the shutdown process and database deletion has started, there is no way to retrieve it. To ensure there is mutual understanding of this, Culture Shift requires your Data Protection Officer to sign a declaration confirming this.
• End-of-contract process: Upon the end of an agreement, there are 3 steps to formally shut down the Report + Support site.; ; 1. Unpublishing the DNS Settings:; ; 2. Exporting your data: 7 working days before a licence expires, all data will need to be exported from the system.; ; The data needs to be stored in a safe and secure environment, the encrypted password received from the Report + Support export must be kept somewhere safe. Usually IT departments will have systems in place that they would recommend for the storage of such important data.; ; 3. Site deletion:; ; On the day a licence expires, Culture Shift will delete your site, once the site has been deleted, we will have no access to your site, if necessary we can restore backups for 35 days for an additional fee. Past this date, no retrieval will be possible.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The layout of the reporting site will vary to fit the different screen size of mobile devices (responsive design is used). There are no functionality differences between the mobile and desktop services.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: There are two user interfaces, one for reporters to access support or make a disclosure, and another for caseworkers and administrators to manage the requests that come in and analyse those. Both are provided as web applications.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We perform in-house testing using assistive technology tools, and have previously worked with partners who have undertaken their own user acceptance testing with users of those tools and fed that feedback back into the product.; We also engage with a third-party supplier to perform an accessibility test for us every year, we then assess the results and take action to remediate any issues where possible
• API: No
• Customisation available: Yes
• Description of customisation: The front facing Report + Support website is based on a common template but some aspects such as colours, fonts, logos, images and text can be customised to match your corporate identity.

Scaling

• Independence of resources: We utilise a serverless architecture which scales automatically to respond to demand.

Analytics

• Service usage metrics: Yes
• Metrics types: We can provide reports on number of logins and active users, as well as feature usage, such as how many users have accessed support and how many named and anonymous reports have been received. Some of these are exposed in the product as a dashboard, with others available on request.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: There is in-product data export functionality.
• Data export formats: Other
• Other data export formats:
  • Encrypted PDF
  • HTML files in encrypted zip
  • Encrypted XLSX files
• Data import formats: Other
• Other data import formats: None

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Minimum target availability = 99%, 24 hours per day, 7 days per week. ; ; Availability metrics are the targets for the time that services will be; available, sometimes referred to as “uptime’: The availability figure is a; minimum target level and does not imply that services would be limited; to the availability outlined; e.g. services may operate at higher levels than the target.; ; On; receipt of written notice of any Service Fault from; the Customer, the Supplier will, at its expense,; use all reasonable commercial endeavours to; correct any such non-conformance promptly, or; provide the Customer with an alternative means; of accomplishing the desired performance.
• Approach to resilience: We operate in multiple availability zones and are designed to sustain the failure of a single availability zone with rapid failover away from a failure zone. We use a server-less deployment model to enable rapid scaling and response to failure.
• Outage reporting: In the event of an outage, your Customer Success Manager or the Head of Success will contact the nominated lead for the partner by email to inform them of the outage and keep them up-to-date.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to management interfaces is controlled using a username, password and second factor TOTP token. In addition, for enhanced access levels the customer must grant access to a support worker within the customer's access management screen.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: CFA
• ISO/IEC 27001 accreditation date: 06/06/2023
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: We have an IT Security Policy and handbooks which are followed. Manuals include an Information Security Manual Management Policies & Procedures, Information Security User Facing Policies & Procedures, Information Security Technical Policies & Procedures. ; ; We perform annual reviews on our Information Security Policies and ensure they are in line with our ISO Accreditation and Cyber Essentials. We also ensure that there is a range of communication methods so that policies are easily accessible and that information is shared consistently within the team. All employees are empowered to raise concerns if they were to see a policy not being followed and we would seek to pro-actively and informally tackle behaviours at the earliest opportunity.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We implement a continuous delivery change management process, where a continuous stream of small changes are made. Before entering the deployment chain, each change is first reviewed by an engineer and then accepted into a test environment. Each change is then verified in this environment by a QA engineer before being promoted to the production environment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We use automated vulnerability scanning as part of our pipeline. Once a vulnerability is flagged then further changes which include that vulnerability are blocked until the vulnerability is assessed and deemed not in scope, a mitigation is in place, or an upgrade made (when available) to a version which removes the vulnerability. Vulnerabilities are treated as the second highest impact issues within the system after outages.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We capture logs relating to access and changes made to the infrastructure. If any changes from the expected configuration or unexpected access are found then an alert is raised for investigation.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: When an incident is detected, an incident lead is appointed who is responsible for co-ordinating the incident based on our incident management policy. This starts with collecting data to diagnose the root cause of the incident and then taking immediate steps to close off the incident, including communications or bringing in third-party specialists where needed. Once this is done and the immediate incident is resolved, a retrospective is undertaken which analyses the root cause and develops a comprehensive fix, including in any similar areas.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Tackling economic inequality

  There is some evidence to suggest that people with lower socioeconomic status are at increased risk of bullying and harassment at school, university and work. This is partly because an individuals socioeconomic background often contributes to the positions they are able to get to in the workplace and power dynamics are often at play in cases of bullying and harassment. Culture Shift delivers against this social value theme by providing all people within an organisation with a safe and secure platform for speaking up about culture-damaging behaviours. Importantly the service gives them the ability to speak up anonymously so they do not have to fear repercussions or worry that their future career will be affected.

  Equal opportunity

  Creating and encouraging a safe work environment and educating employees about culture-damaging behaviour is one of the key ways to ensure equal opportunities in the workplace - both of which can be addressed by implementing the Culture Shift platform. The platform gives all people in the organisation the opportunity to speak up about issues that matter to them, whenever is best for them, so that the organisation can act on the issues reported and creative a safe and welcoming workplace culture for all.

  Wellbeing

  Employee wellbeing is enhanced through the ability to speak out about culture-damaging behaviours pro-actively, as opposed to employees needing to bottle up the issues which often results in presenteeism or time off sick with stress. A culture of trust between employer and employees helps to create a working environment where everyone can thrive and feel like their wellbeing is a priority.

Pricing

• Price: £13,200 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ash@culture-shift.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.