XR THERAPEUTICS LIMITED

XR Therapy for Mental Health Conditions

Our software provides a visual aid for patients when undergoing mental health treatment. It combines elements of CBT and graded exposure alongside tailored, immersive, visual content that can be streamed on a variety of hardware solutions. It is a tool for therapists that makes the treatment effective and efficient.

Features

• Remote access - people can access anywhere
• Quick reaction time
• Device agnostic - can be used across most devices
• Secure - users are given unique links and logins
• Realtime monitoring by our tech team
• Remote technical support available

Benefits

• Efficiency - quicker than standard clinical pathways
• Effective - 94% have experienced significant improvement, 72% have recovered
• Based on 9 years of clinical and academic research
• Tailored to the end-user
• Simple interface and easy to operate
• Doesn't require high Mbps
• Realistic software to replicate real-life scenarios
• Cost effective compared to traditional mental health interventions

£5,849.29 a licence a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at graham@xrtherapeutics.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

377714540184281

Contact

Graham Byrne
07471072032
graham@xrtherapeutics.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: PureWeb
• Cloud deployment model: Private cloud
• Service constraints: Yes - there are pre-planned maintenance arrangements from our hosting platform however these will not take place within our operating hours (Mon -Fri, 9-5).
• System requirements:
  • User has to have an up-to-date browser
  • User needs sufficient internet access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within the hours of 9-5 from Monday to Friday we aim to get back to the client within an hour. If a query is raised on a weekend we aim to get back to the client within 24-48 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We provide an Account Manager (for operational support) and a Technical Support Officer (for technical support) from our team to provide 121 support via phone or email, this is the basic level of support we provide however additional support will be agreed upon within a SLA.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We provide all clinical training related to the intervention. We provide online training for therapists to ensure they are accredited and ready to use the treatment with their clients. The training covers the background research, guiding principles of CBT and graded exposure, an overview of what XR technology is, how to identify clients, how to structure sessions and how to conduct the treatment using the technology. Once they have undergone the training, they are able to access the online learning resources at any time, alongside this we provide visual material for the the therapists to send out to their clients which will inform them of how their treatment will work and what they can expect. We also provide communication channels via Slack so that our team is able to pick up any enquiries regarding the set-up and use of the technology.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: NA
• End-of-contract process: When the contract end date is approaching, XRT will provide 90 days notice to ensure that anyone who has patients on the waiting list are treated ahead of the contract end date. On the 14 days leading up to the contract ending, XRT will contact the customer to see if all treatment will be complete on time. Any patients that have not completed their treatment ahead of the contract end date will be able to finish their treatment out of contract however this will be at an additional cost. The customer will need to pay an out of contract cost for these patients, the price for this is £100 per individual that would be classified as a mild to moderate case and £500 per individual that would be classified as a moderate to severe case. On the contract end date, providing all treatment is complete, the customer will no longer be able to access the online platform with their login details.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: It will work just as efficiently it will just be on a smaller screen so may not feel as immersive.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: If there is an issue with someone's internet there may be a difficulty with streaming the scenes as effectively.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: We've tested our technology with end-users and with internal team members.
• API: No
• Customisation available: No

Scaling

• Independence of resources: Pre-booking and load balancing.

Analytics

• Service usage metrics: Yes
• Metrics types: We only observe time spent on the platform, this is the only data we monitor, this does not include any identifiable data for clients.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: All customer model data is encrypted while it's in block storage, and decrypted when it's provisioned into a runtime environment. This is the case for both our dedicated and on-demand providers. All database records (i.e. metadata) regarding customer models are also encrypted at rest.
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: We don't collect or hold any data using this platform.
• Data export formats: Other
• Other data export formats: They can't import or export any data into the system.
• Data import formats: Other
• Other data import formats: Users can't input or export their data using this platform.

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We are dedicated to responding to enquiries or requests for individuals within the time range of 24 hours from the moment their request is received. For more urgent enquiries, we aim to respond within 1 hour. ; ; Availability: Therapist have access to the software 24/7, there are no limitations on this. ; ; Support hours by XR Therapeutics follows the schedule below: ; - Phone Support: 9am – 5pm Monday through Friday, excluding bank holidays. ; - Email/Slack Support: 9am – 5pm Monday through Friday, excluding bank holidays. ; ; Any scheduled maintenance or planned outages will be conducted during off-peak hours, typically during the night or on weekends. This timing is chosen deliberately to minimise impact on daily operations and to ensure that critical business activities are not interrupted during core operating hours. If the system is down for more 75% or more against their contract, the customer will be entitled to additional credit, this can be used against their monthly fee. This credit will be equivalent to a percentage of their monthly fee.
• Approach to resilience: It's available on request.
• Outage reporting: We will send email alerts to our customers to communicate any service outages or planned maintenance. We aim to give customers a minimum of one week notice with regards to planned maintenance.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: To access any element of our software, the user will have a unique login and password. All clinicians are unable to access the intervention until they have completed their training. Training is conducted on an e-learning platform that is directly linked to XRT's main site. The platform only allows users to access the front-end of software, no users will receive admin access, they also only have access to use the technology at a specified time and date linked with their session booking.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • DTAC
  • SOC 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: At XR Therapeutics, effective information management is paramount. Our Information Governance (IG) framework ensures a balance between transparency and confidentiality.; We adhere to key principles:; • Protection against unauthorised access.; • Assurance of confidentiality.; • Maintenance of information integrity.; • Support of high-quality data.; • Compliance with regulatory requirements.; • Establishment and testing of business continuity plans.; • Provision of IG training as needed.; • Reporting and investigating breaches.; Procedures:; Clear procedures exist for handling queries and liaising with the media.; Legal Compliance: We comply with Data Protection Act 1998, Human Rights Act 1998, and Common Law Duty of Confidentiality. Policies ensure controlled information sharing and annual compliance assessments.; Information Security: Policies focus on secure information management, promoting confidentiality and incident reporting.; Information Quality Assurance: Policies and procedures ensure information quality and effective records management.; Responsibilities: Billy Webber (CEO) leads Information Governance, supported by Shaun Allan (CTO). Responsibilities include policy definition, staff training, compliance monitoring, and record integrity

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All of our processes related to configuration, change and development are documented and stored in our technical file and quality management system that was developed for Class I medical device registration. All processes conform to ISO 62304. Design changes, or any significant change relating to the functionality of the device are all controlled through through our Product Design Change Control procedure which meet the requirements of BS EN 62304. Requests for changes are submitted using the product design change note, authorised change requests are raised in Jira (project management system). The results of the review and actions are recorded.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our technical team run penetration tests alongside a third party digital consultancy (CyberWhite) to conduct external penetration tests, we repeat these on an annual basis. The results from our previous test which was carried out on the 25th August 2023 demonstrated that during the test, a security consultant utilised several techniques in attempts to gather information from the platform and none of the methods used were successful in gathering information useful to an attacker. Passive reconnaissance was carried out against the XR Therapeutics’ domain name and no instances of leaked credentials were identified against the domain.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We do this by conducting our annual penetration test with a third party supplier. We regularly review our security measures and monitor any potential compromises using a hazard log. With regards to incidents, if they are urgent, our Technical Support Officer will aim to respond to these within an hour. If the incident is deemed to be non-urgent, this will be responded to within 24 hours. We implement TSL procedures on an ongoing basis.
• Incident management type: Supplier-defined controls
• Incident management approach: We hold regular clinical safety meetings where we analyse all potential hazards relating to the technology, these are monitored on a hazard log to prevent incidents/accidents occurring. We have an incident reporting policy for XRT staff. Any non-employee who experiences an accident/incident must report it immediately to the person responsible for their premises. ; ; All injuries must be reported on our incident log. All non-employees should notify their own employer where applicable. The Company takes the responsibility for notifying reportable accidents under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995, therefore XRT Clinical Safety Officer must be informed immediately.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  Its a mental health intervention to support people with anxiety disorders, it can help people to overcome their anxiety and to learn tools that can support them with their mental health in the future. It's a highly effective treatment with 94% of people having experienced significant improvement in their symptoms and 72% having made a full recovery.

Pricing

• Price: £5,849.29 a licence a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at graham@xrtherapeutics.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.