Head Light

Talent Cloud

Talent Cloud® is our award-winning Software as a Service Talent Management suite of products, available in both SaaS and on - premise deployment models. The modular suite includes Performance Appraisals, 360-degree feedback, Engagement, Succession Planning, Career Pathways, Skills Audit & Certification.

Features

• Continuous Performance Management
• 360-degree Feedback
• Succession Planning
• Employee Engagement
• Career Pathways & Planning
• Skills Audit & Management
• Development Planning

Benefits

• Enhance employee performance
• Improve employee retention
• Improve Succession planning
• Enable employee career mobility
• Improve leadership capability
• Better HR Management Information
• Better skills management and development planning

£3 to £100 a person a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ian.lee-emery@head-light.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

554824003877690

Contact

Ian Lee-Emery
01344 63 63 36
ian.lee-emery@head-light.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: HRIS, LMS
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: None
• System requirements: Adobe PDF Reader to open PDFs

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Typical response is within 1 hour. Only site outage-related queries are processed during weekends.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Helpdesk & Support Levels; Support tickets may be raised on a 24x7 basis using the online web-based Helpdesk system. Theses tickets will be responded to between the hours of 9.30am and 4:30pm GMT on Monday through Friday (excluding Bank Holidays and other recognised holiday periods in the UK). Our target response time for tickets is as follows:; Priority Impact Description Target Response Time Target Resolution Time; 1 Critical Catastrophic – Overall software access is inoperable, resulting in total or major loss of functionality to users 70%+ of which are affected software unusable without any workaround possible. 1 hours +2 hours; 2 Major Severe – limitations to use of software, major dysfunction with only a difficult workaround 30%+ of users affected. 2 hours +4 hours; 3 Medium Component module down, loss of functionality, limited user operations. No simple workaround. Could be a “bug”. Where a workaround has been applied no impact on operational environment. 24 hours +24 hours; 4 Minor Software functionality intact, assistance required in configuration or use of product. Minor feature is dysfunctional but has workaround or cosmetic defect. Could also be an enhancement request or a request for information. 48 hours +48 hours (if applicable)
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Training requirements will vary according to many factors, including the type of training, role being trained for, and the number of people to be trained.; Several training options are available for Talent®, including both free and paid options:; • On-line training webex training – recorded courses are at no additional charge.; • Classroom training - classroom training is available on a fee basis.; • Course manuals - course manuals for classroom training offerings are available for free download.; • Customised training - customised training based on your customisations are available on a fee basis.; • Ongoing training - available on a fee basis.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Through csv exports, or bespoke data synchronisation
• End-of-contract process: Nothing additional

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None other than those imposed by the form factor or mobile browser version and OS
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: Employee record updates only based on programmatic access. Based on web services.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The platform and the individual modules are extensively configurable by customer'sAdmins themselves. This includes, but is not limited to:; e-mails, screens, terms, definitions, scales, lookups, competences, questionnaires, skills, qualification, certifications, roles, career paths links, talent categories, locations, divisions, regions, administrators, password properties, branding, colours and images, report introductions, deployed features, tab names, mandatory settings, thresholds, anonymity, analytics, development activities.; ; End-users can customise language settings and content.

Scaling

• Independence of resources: Through capacity planning based on user size, scaling of servers and resources once utilisation rises, designing resource intensive tasks to take place during typically 'quiet' hours and designing services that run asynchronously within defined resource parameters.

Analytics

• Service usage metrics: Yes
• Metrics types: Through on-demand audit logs, event history logs, on-demand analytics, active user counts, disabled account totals
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Csv, excel, custom xml
• Data export formats:
  • CSV
  • Other
• Other data export formats: Xml
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Optional specific IP address authorisation for login access
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Head Light expects the system to be available 99% during business hours. This equates to total unplanned service outages not exceeding 19.5 hours in any one calendar year. ; This is calculated as follows:; 52 weeks, 5 days per week, 7.5 hours per day = 1,950 hours per year, 1% therefore being 19.5 hours. ; Should the total unplanned outage exceed this, then a Service Credit will be offered at a rate of 1% for every 19.5 hours that the service is unavailable. Service Credits are applied as discounts to subsequent Annual Fees for that affected product or products. Should any outage last longer than 3 hours, we will offer a single 1% Service Credit.; For example, in any one year should service outages equal 25 hours, then 1% discount would be applied to the next year’s fees. If a single service outage lasted 4 hours, then an additional 1% discount would be applied. Total Service Credits are limited to 25%.
• Approach to resilience: On Request
• Outage reporting: E-Mail Alerts and Helpdesk notices. Additionally via Incident Management Procedures.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: Password strength and expiry policy is set by Client Admins. Two-factor is achieved through dedicated IP address configuration. ADFS and Azure AD SSO are supported.
• Access restrictions in management interfaces and support channels: Each support user has their own support account on the site that they must activate before they can use it. They request a new password to be generated. It expires after 2 hrs. The support user logs in and it then requested to change the password for the period of the support ticket. The support user then investigates the problem by taking on the persona of the issuer of the ticket. This activity is tracked. Once the problem is resolved, the support account is deactivated until it is required.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 29/10/2018
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our Information Security Policy is designed to comply with the requirements of GDPR and ISO27001. We are registered with the ICO as a data Processor. A designated Security Officer is appointed with responsibility to ensure all employees and contractors are aware of the Data Classification and Data Handling regulations. All employees sign a 'Security Aspects Letter' to ensure they are aware of their individual and collective responsibilities and the rights of Data Subjects. In brief, all Personal data is to be encrypted in transit and not sent via e-mail, passwords are to be 'strong' and not guessable, Administrative accounts are not to be shared. Copies and archives are to be disposed of in the correct manner. Checks are made periodically to ensure compliance. Training/re-training is conducted annually.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We keep an inventory of the 3rd party components used as part of our service that are in addition to the managed OS platform provided by Rackspace. On each new release of a 3rd party component, we validate its security credentials with the provider and stage it in our operating environment. We then routinely challenge the platform with automated test tools to ensure that no vulnerabilities are created. We then include the new component as part of the next release and update our inventory.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our managed virtualised environment provided by Rackspace ensures that the hosting environment, OS and IIS are hardened and any vulnerabilities are identified and applied. We monitor Microsoft Developer Network boards and other boards such as Stack Overflow for any additonal suggestions of new threats. We also review communications from Qualys, a provider of penetration test tools.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our activity logs record items such as login failures, password resets cross-site forgery attacks and so on. We also record any source IP addresses and check those with reputable sites that record suspect activity. The site has automated monitoring to disable user access and take the site off line in the event of a detected Advanced Persistent Threat. Hypervisor deals with attacks such as DDOS. Any events are sent to our support desk.
• Incident management type: Supplier-defined controls
• Incident management approach: We have an Incident Response Policy for any events that have the potential to affect Service Availability or Security. If users suspect any activity, they can call, e-mail or raise calls on our HelpDesk using the 'Critical' priority. This ensures that it is progressed within 15 minutes of any suspected incident. Any events raised at Critical are updated each 30 minutes on the Helpdesk. Any additional communications targets are added to the Helpdesk so that they received the incident updates. Once a Critical item is closed, a formal response report is created.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  The delivery of services without the requirement to consume fossil fuels in transportation or raw materials in activities such as print.

Pricing

• Price: £3 to £100 a person a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ian.lee-emery@head-light.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.