OPTIMAL CITIES LTD

Optimal Cities

Optimal Cities is a geospatial mapping and Spatial Decision Support System helping users to analyse, prioritise, plan and monitor urban and rural areas using up-to-date geospatial intelligence derived from trusted sources, satellites and domain experts.

Features

• Digital Urban Planning
• Remote Access
• Interoperable geospatial analytics
• Interactive GIS mapping and analysis
• Open Geospatial Consortium-compliant APIs and data outputs
• GeoAI-powered
• Satellite-powered geointelligence for Urban Analysis, Management and Planning

Benefits

• Active Travel Planning & Monitoring
• Transport Planning for Decarbonisation
• Quickly Analyse, Plan & Monitor Compliant Active Travel routes
• Quickly Plan & Monitor Public Transport routes and infrastructure
• Quickly Plan & Monitor Air Mobility corridors and infrastructure

£120 a licence a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at silviu@optimalcities.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

448087773967447

Contact

Silviu Pirvu
07897520921
silviu@optimalcities.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: No
• System requirements: Desktop or tablet-based internet browser preferred

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim for 24hours or less
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Technical and usability assistance is included for all subscribers up to 2hours per month.; ; Specific and tailored calibrations start from £5,000.; ; All subscribers have a dedicated technical account manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training and user documentation in written and video format.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: They can just download their data from the dashboard they login to.
• End-of-contract process: In the event of any expiration or termination of the Agreement other than termination due to breach of the Agreement by the Customer (including breach attributable to non-payment of any undisputed amounts), Optimal Cities shall provide to the Customer transition services enabling the Customer to continue using the Optimal Cities SaaS Solution for up to 30 days after the effective date of such expiration or termination of this Agreement or any Order Form (the “Transition Services”), provided that the terms and conditions of this Agreement shall remain in effect during the term of such Transition Services, including Customer’s payment obligations. The Customer will be required to sign an Order reflecting the Transition Services period.; The Customer has a 30 day grace period to download their data after which customer data shall be destroyed.; Customer purchase history is retained for a 10 year period. System diagnostic log data is retained for 1 year period.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: On mobile the interface will be responsive to adapt the interactive tools to fit the screen well and be usable on smaller screens. It is recommended to use a tablet or desktop screen as it is an interactive mapping application.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: Interactive mapping and geospatial analysis tools
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: We tested with our target users, i.e. planning and design experts and adapted colours and tools to be easy to understand and view, including for people with colour blindness.
• API: Yes
• What users can and can't do using the API: Users can include a link to the CSV or JSON data via API in their own software such as QGIS, Esri ArcGIS or mapping applications.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: All users can create their own mapping calibrations, save on their devices and share with others.

Scaling

• Independence of resources: The code for the tools and the datasets are under 200MB per interface and do not require server processing, all memory and processing is done in the user's front end thus demand is not affecting other users.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: They have a download button where they can export their data in CSV, GeoJSON or JSON format.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • GeoJSON
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • JSON
  • GeoJSON
  • GeoArrow

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: The system should be accessible 24/7, with pre-agreed scheduled maintenance times.. Availability should be maintained at 99.5% uptime.; In critical situations where the system is down or severely impaired issue updates shall be issued hourly within one hour of detection or notification with a fixing target of 1 hour.; In high priority situations where key functionality is unavailable with no known workaround the first response shall be within 5 hours of detection or notification and issue updates shall be posted every 4 hours with a fixing target of 8 hours.; Time awaiting user responses is excluded from the above targets. Access problems arising from the users’ network, Internet Service Providers or outside Optimal Cities control are excluded from determination of the Service Level.; If guaranteed levels of availability are not met the user shall be refunded with service credits calculated as a percentage of the total charges paid by the user for the monthly billing cycle in which the Monthly Uptime Percentage fell within the following refund rates:; 10% Service Credit for less than 99.5% but more than 99%; 25% Service Credit for less than 99% but more than 95%; 100% Service Credit for less than 95%
• Approach to resilience: At Optimal Cities, we prioritise the resilience and security of data across all aspects of operations:; ; Geolocation and Compliance: We the legal jurisdictions of the data centres we use, ensuring adherence to UK legislation, including GDPR and the Data Protection Act 2018. We provide a clear list of where service data is stored and processed, and the legal frameworks governing these activities.; Data Centre Security: We only use facilities that are secured against unauthorised access and threats, certified against internationally recognized standards such as ISAE 3402 and CSA CCM v3.0.1, ensuring data is protected under stringent controls.; Encryption Practices: We employ advanced encryption methodologies for data at rest and in transit, utilising NIST-approved algorithms like AES-GCM, to protect against unauthorised access and data breaches.; Data Sanitisation: We adhere to strict data sanitisation protocols for equipment disposal and when erasing data, employing methods such as crypto shredding to ensure data privacy and compliance with security regulations.; Operational Resilience: We test our infrastructure against various disruptions, and use multiple redundancies across geographically diverse data centres, ensuring high availability and consistent access to services.; Our continuous improvement approach to business continuity ensures that data is not only secure but also resilient.
• Outage reporting: At Optimal Cities we classify service outages as:; 1. Planned Outage - part of routine maintenance schedule or service upgrade action;; 2. Service Degradation - where functionality is partial, slow or intermittent - classified as a high priority situation;; 3. Outage - service unavailability - classified as a critical situation. ; ; Planned Outages are communicated via email and posted on the Service Portal calendar.; ; Optimal Cities Incident Management uses monitoring tools to check services availability and performance as well as user notifications and posts Service Status on the Service Portal. Improvement of service degradation detection is a continuous improvement process.; ; Base tier subscription service level outages are posted on the Service Portal publicly.; Outages to custom modules and their incident response is communicated to users privately via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: We ensure privileged users carry out administrative duties in a clean trusted environment accessible by phishing-resistant authentication mechanisms.; We expose our management interfaces to privileged access workstations employing a combination of rule based auto approval and multi-party approval. We implement Privileged Access Manager for insider threat deterrent.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: We intend to implement Privileged Access Manager by only allowing permitted devices, only allowing permitted users with logged justification of administrative intent and role based approval.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Optimal Cities is in the process of certifying ISO 27001. We maintain an incident management process to detect, report, and respond to security incidents. The process includes procedures for managing the containment, investigation, and resolution of security incidents. Within the organisation, access to information assets is controlled based on the principles of least privilege and need-to-know. Optimal Cities continually improves the effectiveness of its ISMS through regular reviews, audits, and management reviews.
• Information security policies and processes: The CEO serves at Risk Management Officer and is responsible for business continuity management, risk management and crisis management arrangements. The CTO also serves as Infosec Management Officer and is responsible for information security, cybersecurity and privacy protection. Department heads are responsible for what sensitive information they hold or process, why they hold or process that information, where the information is held, which computer systems or services process it and the impact of its loss, compromise or disclosure.; In order to uphold the Information Security Objectives the management and operations are responsible to enforce and maintain the Exploit Risk Management Policy, the Access Control Policy, the Incident Management Policy, the Business Continuity Policy the End User Service Access Policy as well as comply with all applicable legal, regulatory and contractual requirements related to information security.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: For our services we use an issue tracking system conceded to a version control system that enables us to hold all deployment history as well as maintain the integrity of product specifications. Our issue tracking system manages versioning of upgrades and enhancements when they are released and holds configuration management documents.; Based on these we maintain a configuration management plan that helps us maintain the version control of our services. Security testing is ran before the new configuration is pushed to production and based on the plan we update the threat model, test cases and risk assessment to our system.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Optimal Cities runs a continuous looped vulnerability management process consisting of performing the following steps:; FedRAMP employee training - data asset inventory - configuration standards check - vulnerability scan - dynamic applications security test - static applications security test - risk assessment - penetration testing - vulnerability treatment by remediation and mitigation - FedRAMP employee training.; We also monitor infosec forums and patch our systems as soon as we are made aware of vulnerabilities.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: We use internal monitoring as well as external third party services in order to identify potential compromises. ; After incident detection Optimal Cities aims to put mitigations in place immediately. When a permanent fix can not be applied immediately, then temporary mitigations shall be put in place while a permanent fix or security update is tested and deployed to our service.
• Incident management type: Undisclosed
• Incident management approach: Optimal Cities has a pre-planned 7 step incident management process in place: 1. Incident Identification via automated alerts, employee reports, user tickets and routine system checks; 2. Incident Categorisation based on severity and impact; 3. Incident Prioritisation based on impact; 4. Incident Response; 5. Incident Resolution with response strategies such as backup restoration, vulnerability patching or incident effect mitigation; 6 Incident Reporting - sharing with stakeholders, management and regulatory bodies as necessary; 7. Incident Review in order to identify the areas for improvement in the incident management process and improve Optimal Cities’s overall security posture.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery

  Fighting climate change

  Optimal Cities base offering enables Public Authorities to Analyse, Plan and Monitor Places with bespoke tools and indicators for environmental impact of developments, biodiversity gain, sustainability assessments and decarbonisation.; Optimal Cities GapFinder G-Cloud module is used for decarbonising local transport networks and build resilience against more extreme weather events.

  Covid-19 recovery

  Optimal Cities Optimal Public Health module enables Public Authorities to asses Public Health Risk and Health Impact Assessment for various health profiles.

Pricing

• Price: £120 a licence a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Included: All geospatial tools and analytics for a small area in the city selected; Not included: Functionalities and analytics outside the small area in the city selected; Limited to one month.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at silviu@optimalcities.com. Tell them what format you need. It will help if you say what assistive technology you use.