Think Learning

Totara TXP Learn LMS (Learning Management System)

Totara TXP Learn: a functionally rich, mobile-responsive platform for elearning, VLE, compliance, CPD, blended learning, seminar (including virtual), multitenancy. Integrated performance appraisal, talent management, e-Commerce, e-Forms, education funding, Content Marketplace. LXP features, social learning and Competencies with Totara Engage, Totara Perform. Healthcare, NHS, ESR, Government, University, Higher/Further Education specialist experience.


  • Personalised, role-specific learning pathways and user experience
  • Securely cloud hosted, scalable and includes multitenancy
  • Fully responsive theming (with Mobile App options)
  • Mandatory training and compliance tracking
  • Blended learning with seminars and elearning (SCORM, AICC, xAPI)
  • Report builder, dashboards, BI integration, ESR Interface
  • Single Sign-On (SSO), HRMS (e.g. ESR) integration, e-Commerce features
  • Custom workflow processes (Onboarding, Applications, Apprenticeships, e-Forms)
  • Social learning and LXP features, Workspaces, Microsoft Teams integration
  • Performance appraisal, talent management, succession, CPD, Revalidation


  • Personalised learning paths for different staff groups and roles
  • Data is 100% secure, UK cloud hosted, fully-maintained, backed-up
  • User interface responds seamlessly to all device browsers
  • Customisable mandatory training refresh periods for real-time compliance data
  • Manage different types of learning within a single course
  • Interactive and colour-coded reports to help managers proactively manage compliance
  • Single sign-on creates a streamlined experience to facilitate employee onboarding
  • Custom workflow for more advanced, versatile, performance and business processes
  • Improved staff engagement through social, adaptive learning and LXP features
  • Powerful processes to track annual performance appraisal and review cycles


£9,433 to £155,947 an instance a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

5 4 2 0 4 4 6 4 5 1 5 7 6 4 9


Think Learning Think Learning Commercial Team
Telephone: 01273 025078

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Totara TXP Performance (Talent Management Platform), Totara Engage LXP (Learning Experience Platform)
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Planned downtime for scheduled updates/upgrades, pre-agreed with clients for maximum convenience/efficiency, and minimum disruption to end-users.
System requirements
  • PC or Mac: Windows 7+, Mac OS X 10.5+
  • Client-side JavaScript required for some administration features
  • Tablet or Smartphone: Android, iOS

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard response time within UK business hours:
- Critical: 1 hour
- High: 4 hours
- Medium: 8 hours
- Low: 16 hours
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard online 2nd and 3rd line support to client administrators (£90-£110/hr dependent on issue complexity). This covers off-site support, helpdesk responses, booked webinar appointments, and other activities requested by client (e.g. site configuration, user guide creation, etc). We track time used against the Support budget in our timesheet system at our standard rates of £110/hr (£825/day) for problem-solving and consultancy, or £90/hr for administration tasks, explanations, and straightforward configuration work via our helpdesk. 20% of the overall support budget is not formally tracked by our teams, and is accounted for by quick, adhoc query responses, access to our online Helpdesk, and further Support-based reporting and analysis. We take a proactive, collaborative approach to Support, working hard to ensure that support queries receive long-term solutions (with detailed responses designed to prevent issue recurrence). We track/report Support budget usage for clients, so that you can make informed, timely decisions about whether or not extra budget is required during the contract. You do NOT pay anything for us to fix confirmed bugs with the system or confirmed technical issues with our hosting services. We offer client portal/forum access, and involve clients with roadmap development and platform strategy. Premium support services are available.
Support available to third parties

Onboarding and offboarding

Getting started
Prior to launch, as part of our robust Implementation Service, system administrators go through rigorous training and hands-on familiarisation programmes which are delivered via live, interactive online training sessions (which are recorded for refresher training purposes). Additional cost where onsite training/workshops are specifically required. In business-as-usual, system administrators have access to online training via the Totara Academy certifications, and a comprehensive online Help documentation portal. In addition, system administrators have ongoing support via the Think Learning Helpdesk (utilising their Client Services & Support budgets), and via optional further training and consultancy from our Operations and Development Services teams. We also facilitate client networks (sector- and topic-specific), events, and forums to promote networking, sharing and collaboration.
Service documentation
Documentation formats
End-of-contract data extraction
When the contract ends, we will provide you with a copy of all user and site data . We do not provide a copy of the Totara TXP code, nor copies of any bespoke software code developed in the course of delivering the Service, because each Totara partner is responsible for their own Totara code, and code created by the Supplier is for use by the Supplier’s client community only. We can provide additional help in migration, either using remaining support budget or for an additional support fee. We purge all client data from servers and all historic backups.
End-of-contract process
The off-boarding process is included in the price of the contract (provide client/new supplier with all data, purge client data at agreed timescale), any additional actions would be at additional cost.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Totara is written in-line with industry web standards including XHTML, HTML5, and ECMAScript 5.1 (commonly referred to as JavaScript). Totara Learn displays in the latest browsers that supports these standards. We aim to ensure that the product is equally usable both on desktop and mobile devices. Areas such as navigation, expandable/collapsible sections, and actions should all work with both desktop and mobile controls. There are also responsive themes provided with Totara that will re-flow for smaller resolutions to give the best possible user experience. We also supply native Mobile Apps (optional).
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
What users can and can't do using the API
REST, SOAP and XML-RPC can be utilised within our platform and implemented on request by the technical team to integrate external systems such as payroll and HR systems. SCORM, AICC and xAPI can be utilised for elearning and set by the user within external authoring technologies.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Our Totara user interface has high configurability built into the system administration menu and this includes the user interface colours, language, navigation and layout, and a wide range of additional theming areas. Totara is a permissions-based system so anyone with the appropriate level of permission can make the customisations. Customisation can be at site level, at category/course level and across a wide range of other platform functionality areas (dashboards, theming, user journeys, CPD evidence, competencies, reports, system access rights, and many more). At the course level, there are a range of course creation options and activities that are customisable including the layout of the activities, and the design of online assessments. There is a report builder where the appropriate users can customise reports and dashboards.


Independence of resources
Our platforms are hosted on scalable cloud servers that are monitored 24/7 using performance monitoring software.


Service usage metrics
Metrics types
The report source for service metrics includes a 'Site Logs' audit trail for site-wide user activity logging. This system logging gives administrators the ability to see which pages a learner has accessed, time/date they accessed, the IP address, and site actions (view, add, update, delete). These logs can be displayed on a page or downloaded in text, ODS, Excel.
We also provide free site activity tracking reports (from a web analytics application) to provide rich data around LMS in-page time spent, bounces, geographical access and device/browser intelligence.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Encryption at rest for virtual environments is available on request.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Totara Learn is GDPR compliant and has the ability for an individual user to export all data linked to them. The format of each item of exported data is equivalent to its storage method in the application's database (e.g. course names/completion dates, or numerical values that represent status). Totara Learn also provides capabilities for export in the application (e.g. Report Builder, Record of Learning). This approach can be useful for an individual wanting, for example, to take their completion data (courses, competencies, certifications) with them to a new employer.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats
External system or database integration

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We work to make your System available for use over the internet 24 hours per day, 7 days per week. We commit to no more than 0.1% of the year of unscheduled downtime (total inaccessibility to your production site), with service credits if we don’t meet this commitment (based on additional free weeks of hosting/maintenance service). Planned maintenance is excluded from the calculation. At least 5 working days of notice will be provided for any maintenance taking place between 5pm and 8am. At least 10 working days of notice will be provided, for any maintenance taking place between 8am and 5pm (or as agreed with clients). Your Totara site will be monitored via health checks at the server and application layers.
Approach to resilience
We provide clients with access to high performance, secure, entirely UK-based platform services (with ISO27001, ISO9001, ISO27017 certification). A tier 3 data centre in London, and 100% network uptime guarantees. Includes a hot spare blade, so that in the event of a blade failure, a fresh blade is provided and restored. Daily backups are provided and stored on a separate SAN located on a separate physical location. Firewalls are provisioned in a High Availability (HA) pair and are fully managed. The DDoS defence system is based on detection/diversion/verification/forwarding, and inspections are performed in real time, including the provision of IDS server monitoring for any malicious activity.
Outage reporting
We report outages through Think Learning Helpdesk notifications, email alerts, and by phone, as relevant.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Platforms utilise role-based access control for named system administrators, and all other role types (i.e. managers, employees, trainers, etc). The individuals, system administration and management roles, and specific configuration access are specified and agreed as part of the Implementation process. The named system administrators also have access to technical support via the Think Learning Helpdesk. This is routinely audited, as part of ISO27001 accreditation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO Quality Services Ltd
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our data centre partners have separate ISO27001 certification for the UK data centre. Certificate available on request.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
IT Governance Ltd
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
Information Security Management System policies and processes, certificated and audited bi-annually by ISO Quality Services Ltd. Audit reports available on request. The Information Security Manager is a board level Director.
Our Cyber Security and Information Security policies are communicated to, and signed by, all Think Learning employees. Staff training around GDPR is a key element of our onboarding process. We have regular audits of the controls listed above in terms of ensuring that all devices used by staff are fully compliant. All staff are updated at internal company meetings about ongoing cyber and information security requirements of personal devices and internal systems. As consultants, they can also advise on the Infosec capabilities of our cloud-hosted platforms.
Think Learning also has an ICO registered Data Protection Officer (DPO).

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Code is managed by the Technical Services team utilising Git. Service and feature changes follow secure software development practices, and risk reviews prior to launch, including pen test processing. Access to production environments is limited. All changes are reviewed and tested before approval and promotion. Stages include design, documentation, implementation and/or rollback, testing in staging and dev sites, peer review, and approval by authorised parties. Exceptions to change management processes are documented and reviewed. All changes and upgrades are tested within a client specific development environment to ensure functionality and security before moving to the live environment.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management is a control within our Information Security Management System (12.6.1). We monitor for vulnerabilities, and where vulnerabilities are identified, system asset lists are examined to assess the impact of the vulnerabilities on the security of the system. Where a software update is deemed necessary, then the change control process is initiated. Critical patches are deployed as soon as reasonably possible.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our cloud-hosted platforms are monitored 24/7 at the application layer via health checks and performance monitoring. In the event of a potential compromise the technical team are alerted by text to resolve the issue within the stated SLA. Our security suite and defence system is based on detection/ diversion/ verification/ forwarding.
Incident management type
Supplier-defined controls
Incident management approach
Users report incidents via the Think Learning Helpdesk, which triggers the internal incident management process, involving Classification and initial support; Investigation and analysis; Resolution recording, closure and reporting via the Helpdesk.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

Think Learning is a Carbon Audited Organisation, to support ours, and our customers', social and environmental objectives as we move towards a net-zero carbon economy. Audited by We are committed to carbon reduction in light of the global climate emergency. Through an annual carbon audit we understand the impact of our operations and we minimise this through a long-term investment into carbon offsetting using a combination of ethical carbon removal methods and annually achieving less than 'net zero'. We apply our environmental policies to the activities of all our offices and wherever possible to our consultants when operating on client sites. We will support our clients’ environmental policies when we are operating on their sites. The company applies the principles in a number of ways:
• Our hosting partner is fully ISO14001 compliant at their London data centres, and are very committed to environmental sustainability. They work to actively reduce the impact of all of their data centres on the environment, through energy efficiency programmes.
• We undertake an annual company carbon audit.
• We encourage consultants to work from home whenever possible to reduce impact on the environment.
• We encourage our consultants to use public transport when travelling, and we operate a car hire scheme which reduces the need for employees to own cars.
• We conserve natural resources by reusing and recycling materials such as paper and printer cartridges, purchasing recycled materials or with a high recycled content, and using recyclable packaging and other materials wherever possible.
• We use electronic communication such as email, intranets, voice over IP and P2P software to reduce the amount of paper used.
• We undertake regular internal audits to ensure ongoing compliance with this policy, including where they impact our Cyber Essentials Plus, ISO9001 and ISO27001 accreditations.
Covid-19 recovery

Covid-19 recovery

During the pandemic, we've strengthened and improved our technological and service infrastructure, and we are able to offer a very robust, entirely virtual service. We’ve responded quickly to pandemic-related pressures, helping Healthcare clients to schedule mass-staff vaccination appointments, creating a Risk Assessment solution, and configuring PPE-related workflows and e-Forms. We've built increased resilience and capacity so that we can continue to provide high quality, uninterrupted services to our (predominantly Healthcare) client base. We're privileged to have been able to support a wide range of public sector organisations during the pandemic, but especially a large NHS Healthcare client base, who have achieved incredible results in very difficult circumstances, and who have been pushed to deliver more, faster, better, with learning technology. Our platforms have allowed the NHS to rapidly onboard thousands of volunteers and medical staff returning to work to deliver the vaccination program during the pandemic. This was achieved not only by the flexibility of the platform, but also with Totara’s waiver of subscription threshold charges to support NHS efforts in the fight against COVID-19. Throughout the pandemic, Totara was adopted by an additional 44 healthcare customers (in 2020 alone) as organisations sought agility in their learning platforms to rise to the challenges posed by COVID-19.
Tackling economic inequality

Tackling economic inequality

The majority of our clients are not-for-profit organisations in the public and tertiary sectors. With extensive experience in Non-profit and Health sectors (25% of England’s NHS staff use our Totara Learn platform), we place a high priority on values-based working, and aim to engender a professional culture which recognises and supports the public-spirited ethos of our range of clients.
The company applies the principles in a number of ways:
• We donate to NHS Charities Together, in order to recognise the extraordinary work of healthcare workers.
• We donate to (and sponsor) NHS employee award ceremonies and presentations, to recognise their contribution to society and their communities.
• We support our employees to volunteer in their local community, as part of their Think Learning salaried time. This enables them to donate paid time to charities/community projects up to 8 hours per year.
Equal opportunity

Equal opportunity

Think Learning is committed to building an organisation that makes full use of the talents, skills, experience, and different cultural perspectives available in a diverse community, and where people feel they are respected and valued, and can achieve their potential regardless of age, gender, sexuality, disability, religion, race, colour, nationality, national or ethnic origins. We follow the recommendations of the CRE’s statutory Code of Practice on Racial Equality in Employment in all its employment policies, procedures and practices. The aims of our published Equal Opportunity Policy are to ensure that:
• no one receives less favourable treatment, on grounds of age, gender, sexuality, disability, religion, race, colour, nationality, or ethnic or national origins, or victimised for taking action against discrimination or harassment, or instructed or put under pressure to discriminate against, or harass, someone;
• the organisation is free of unwanted conduct that violates the dignity of workers or creates an intimidating, hostile, degrading, offensive or humiliating environment;
• opportunities for employment, training and promotion are equally open to all candidates; and
• selection for employment, promotion, transfer and training, and access to benefits, facilities and services, will be fair and equitable, and based solely on merit.


We provide integrated health cover for all staff including an Employee Assistance Programme and a trained Mental Health First Aider. To help relieve pressure on NHS services, we provide health insurance to employees, which includes benefits such as: Fast track GP appointments, Counselling through 'Stronger Minds', and the 'Be Supported' EAP portal.


£9,433 to £155,947 an instance a year
Discount for educational organisations
Free trial available
Description of free trial
The free trial site enables you to explore Platform functionality and try out features such as dashboards, site navigation, course content, compliance features/reports, blended learning, appraisals, competencies, 360 feedback. Contact for access. Site configuration and data is refreshed periodically.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.