The Access Group

Dutysheet: Online Volunteer Management Software

DutySheet is the UK's leading volunteer management software. DutySheet enables volunteers to manage shifts, record duties, sign up for events, communicate and collaborate with teams and keep user records updated. Used by 100% of England and Wales Police volunteers. Designed intuitively and accessible via any internet enabled device

Features

• Emergency service software to connect volunteer teams and retain volunteers
• Event managment, send and receive event invitations, report event analytics
• Communications via Email, Internal Messaging, SMS, Announcements, Event Feedback
• Skills Database: find and deploy the volunteer skills you need
• Document Library: document hub to store and share important documents
• Expense management: easily submit expense claims and keep audit trail
• Personal Development Plan (PDP)
• Personal Development Review (PDR)
• Working Time Regulation Compliance
• Remote access, software available anytime, anywhere

Benefits

• Increased volunteer engagement and retention
• Accurate reporting and analytics on volunteer activities
• Streamline volunteer management using proven workflows
• Self service allows volunteers to keep details up to date
• Plan and manage volunteer deployment
• Central repository of all volunteer based data
• Identify areas of improvement through inteligence
• GDPR compliant: know your data is always safe and accessible
• Mobilise volunteers with ease and speed
• Comprehensive technical support team to rely on

£45.42 to £66.46 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tendernotifications@theaccessgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

405058740484985

Contact

Access UK
01206322575
tendernotifications@theaccessgroup.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: DutySheet is created with continuous delivery (deployment) practice meaning that upgrades are usually happening in smaller increments. This reduces the need for downtimes for upgrades. However, downtimes for system maintenance/upgrade is sometimes unavoidable and wherever possible, DutySheet will always give at least four weeks’ notice for any sort of planned maintenance. Depending on the risks, duration and complexity of any upgrades/maintenance, downtimes are usually planned for periods of least usage which is identified by analysing usage statistics of our systems. Any planned maintenance will be delivered to organisational administrators via email.
• System requirements:
  • Internet Connection
  • Web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 09:00 – 17:30 Monday-Friday.; ; Urgent: 15min.; High: 1 hour.; Normal: 4 Hours .; Low: 8 Hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Access to our UK Telephone helpdesk. We back our 99.95 uptime guarantee with a robust SLA. Maximize your technology investment;; Support from DutySheet experts to ensure early success;; Wealth of knowledge from UK police forces;; DSSG - DutySheet Steering Group Access.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We’ve developed a tried and proven approach for delivering quality and on-time deployments regardless of where you are in your journey or the complexity of your organisation. DutySheet Professional Services will be on hand throughout the implementation to provide assistance and guidance based on best practices we have developed working alongside our clients. DutySheet provide as part of any implementation a comprehensive range of services which can include discovery, project management, configuration, consultation, testing, onsite training, and documentation.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: When requested in writing, DutySheet can provide a full export of all user data in Excel format.
• End-of-contract process: Renewals can be initiated 60 days prior to the end of the contract term.; ; If a customer chooses to close their account or their subscription expires, DutySheet will store customer data for 30 days (the retention period) to give customers time to extract the data or renew their subscription. All data associated with the account can be exported into Excel or similar format and transferred securely over to the customer.; ; After this 30 day period, DutySheet will disable the account and commit to deleting all data under their control, including any encrypted file back-ups. Once this has been performed, DutySheet will confirm in writing with the organisation contact that their details have been removed

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Admin and management functions are only available to users via the DutySheet web app. All DutySheet core functionality is available via our iOS and Android Mobile app.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The API is not accessible by end users of the system and is only used for mobile App and other external integration processes with DutySheet.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Administrators for the organisation have access to tools that allow them to configure most of the settings of the system. They have access to their own help centre section which details how to configure the system.

Scaling

• Independence of resources: Our DRS enabled VMWare infrastructure allows us to dynamically increase resources to our service if there is a large surge of activity. This is automatically handled by Vmware.

Analytics

• Service usage metrics: Yes
• Metrics types: Authorised users have access to real time usage statistics how many users have logged in to the system along with a live view of number of users currently logged in.; ; DutySheet publish realtime and historical SLA metrics on our public website.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Other
• Other data at rest protection approach: Sensitive data is encrypted at rest using AES 256 salted hashing.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: There are built in export tools.
• Data export formats: Other
• Other data export formats: Excel
• Data import formats: Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: We also follow ISO 27001: 2013 Annex A policies and controls 13 for communications security and 14 System Acquisition Development and Maintenance that address data in transit.

Availability and resilience

• Guaranteed availability: We understand that any interruption to service is too much. So we've set the bar high because we believe that you should be able to depend on the service you need to run your volunteers. This is why we offer an SLA to organisations that guarantees 99.95% monthly uptime. If you’ve read software SLAs before, you’ll know that they can be pretty confusing. So we made ours simple and transparent.What happens if we fail to hit our target in any given month?; ; If we don’t meet our 99.95% monthly uptime guarantee, we’ll refund you 5x whatever you paid us for that period of downtime.; ; If our uptime falls to 99.94% in a given month, that results in about 26 minutes of Downtime. We’ll give you service credits equivalent to 5x your organisations cost for that period of time. Service Credit can’t be exchanged for cash (monetary compensation); it is added as a credit on your account and, as always, we use any credits you have first, before charging you.; ; Service credits are capped at a maximum of 30 days worth of paid service for your organisation.
• Approach to resilience: DutySheet runs a MySQL cluster which uses synchronous replication through a two phase commit to guarantee that data is written to multiple nodes upon commitment. Database updates are synchronously replicated between the cluster members to protect against data loss and fast automatic fail over in the event of node failure.
• Outage reporting: We report outages via Twitter and realtime publicly available status updates on our website -; https://www.dutysheet.com/company/system-status/

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are tied to the company network and/or use two factor authentication.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISO 27001:2013 Certification was awarded by Alcumus
• ISO/IEC 27001 accreditation date: 31/01/2022
• What the ISO/IEC 27001 doesn’t cover: Nothing. The scope reads, "The delivery of DutySheet & Assemble software solutions to our clients, their development and in-service support"
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Police Approved Secure Facilities (PASF)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We are ISO 27001:2013 certified so follow all the security policies and controls based on our Statement of Applicability. The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also a senior leader. Regular audits are undertaken along with improvement practices outlined in the ISO 27001: 2013 standard.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our secure development, change management, testing and asset management polices are comprehensively documented as part of our ISO 27001:2013 information security management system including in line with Annex A 8 (assets) and 14 (secure development) of ISO 27002 .
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic. We respond with; blocking of source IP addresses, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences via SIRT. Real time monitoring takes place with immediate response for suspicious alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: DutySheet has a comprehensive internal information security incident management policy and its practices follow Annex A 16 for ISO 27001: 2013. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.; Our processes are ready for EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Access UK Limited is a Software author and provide associated services, including Hosting, Payroll Bureau and Payment services. We recognise that although we do not undertake manufacturing, our day to day operations will have impact on the environment at global, national, and local level. We are committed to the care of the environment and the prevention of pollution. •Access ensures that all our operations are carried out in with the minimum adverse effect on the environment but implementing many available resources and approved processes •We protect the environment by striving to prevent and minimise our contribution to pollution of land, air, and water •We keep wastage to a minimum and maximise the efficient use of materials and resources, and manage disposal of all waste in a responsible manner •We use energy, water, and natural resources wisely and prevent pollution by minimising waste, recycling whenever possible and properly disposing of waste that cannot be recycled. •Our management processes are developed to ensure that environmental factors are considered during planning and implementation •We raise employee awareness and encourage best practices for sustainability at work

  Equal opportunity

  AWe want everyone to feel at home at Access, knowing that they are valued for what they do, not who they are. We want people to feel that they truly belong here regardless of their age, gender, race, sexual orientation, or anything else that makes them individual; after all, if we were all the same it would be a pretty dull place. We love the fact that we’re all different. Having more diverse perspectives at work improves how we run our business, helps us support our customers, and when you think about it, it's just more fun. For us, this all starts with helping everyone feel part of the family and being at their best every day, making Access a place where everyone can love what they do and do what they love. We all have regular check-ins with our leaders, take part in monthly employee surveys, have lots of chances to share our views and ask for help, and with our own learning system, 'Access Shine', we really can make things even better each and every day. At Access we'll always hire the best candidate but we're continually looking for creative ways to increase the mix of diverse candidates into our recruitment process. On the basis that you ‘have to see it, to be it’, one thing we're doing is sharing more stories to celebrate the wonderful diverse range of talent we have at Access. It is important for us that our employees understand and reflect the customers and communities we support, and we want everyone to feel at home here, knowing that they are valued for what they do, not who they are. We want people to feel that they truly belong here regardless of their age, gender, race, sexual orientation, or anything else that makes them individual.

  Wellbeing

  Access places specific emphasis on the health and wellbeing of its staff and provides a “Well-being” hub in workspace that provides support for Mental Health, Finances, Social, Physical, Emotional and purpose. Assistance from Health Assured is available for all staff and there are training resources for “working in the new normal” and “Mental health and wellbeing” . Access also has “well-being” champions throughout the organisation. This is supported by monthly employee “check in” surveys and offers of flexible working for staff to meet caring commitments.

Pricing

• Price: £45.42 to £66.46 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tendernotifications@theaccessgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.