CRB Cunninghams

iPayimpact

iPayimpact is an online payment, income management and dinner money administration solution for schools, local authorities and caterers.

iPayimpact enables parents to make payments to school online or in cash through PayPoint for anything from school meals and trips, to uniform and music lessons.

Features

• Online payments for schools
• Parental communication
• School dinner money management
• Real-time comprehensive reporting
• PayPoint payments
• MIS integration
• Encrypted secure database and payments
• Web browser access
• Permission based access
• PCI compliance

Benefits

• Reduce cash brought into schools and the cash handling errors
• Manage allergens and avoid potential health risks
• Manage school trips, shop and dinner monies
• Enhance the dining-room experience and speed up the catering service
• Accurate management information and improve auditing
• Save administration time by automating many payment processes
• Allow parents to pay online
• Increase office admin efficiency
• Reduce debt levels
• Accept all payment methods

£199 to £299 a unit a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@crbcunninghams.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

572454484954226

Contact

Gareth Hunter
0333 0143065
info@crbcunninghams.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: IPayimpact can tie into school and further education cashless catering systems. ; ; This enables parents to top-up cashless catering accounts and view transaction data via iPayimpact. The funds are then transferred to the cashless catering system, enabling students and staff to spend available balances.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Service is available 99.99% throughout the year. Any scheduled maintenance work is performed on Thursday afternoons from 2pm until 5pm, with notification banners being displayed ahead of these planned outages.
• System requirements: Browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support is available Monday to Friday between the hours of 7:30am - 4:30pm,; ; Software support response times Critical Failure = 30 minutes response time | 6 working hours workaround time and 8 working hours resolution time.; ; Further support response times are detailed within the standard SLA submitted.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: CRB Cunninghams central call centre has a fully computerised call logging and tracking system. All calls are handled by a team of 40+ dedicated experienced support engineers who efficiently deal with support calls via telephone or remote diagnostics, available between 7:30am and 4:30pm. One of our 25 field engineers will attend the site if the support ticket cannot be resolved remotely. ; ; Our support package includes remote, phone and onsite support. There are no different levels to our support. All support types are included within our support contract. The support costs do vary and this is determined by the software and hardware in situ.; ; Each customer will have their own area account manager, responsible for managing the account and providing an escalation route for any support issues.; ; Support response times are detailed within the standard SLA submitted.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide remote training at the start of the contract, with user documentation available online.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users can extract data directly via built-in reports or request additional extracts via support.; ; Data is deleted and financial transactions are anonymised and stored for at least 6 years.
• End-of-contract process: We will send our renewal notices out 60-90 days prior to the expiration of maintenance, to ensure appropriate time is given to validate the use of licenses, seek the necessary purchase approvals and to complete the procurement process.; ; A renewal prior to expiration ensures continuous support services and avoidance of the additional costs related to lapsing on support.; ; If the contract isn't renewed, we need to be notified 60 days prior to the contract ending. Once the contract expires, the data is deleted & financial data is anonymised and held as required for 6 years.; ; This would provide access to our: -; • Software for life, all new releases and patch fixes are included within the SLA upon request.; • Helpdesk and onsite support, 07:30 – 16:00 Monday to Friday.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Pages within the site are responsive, so the same information is displayed on both platforms, but in a slightly different format based on screen size.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: No

Scaling

• Independence of resources: Load balancing servers are used with enough capacity to cope with spikes in demand. ; ; Physical hardware is privately managed and is not shared with any other tenants.

Analytics

• Service usage metrics: Yes
• Metrics types: Platform uptime, support tickets and SLA response times can be provided on request.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Built-in reports are provided that allow for exporting of data to Excel (and other standard formats) to be downloaded as required.; ; For custom scenarios, bespoke work can be requested but there will be a charge for this.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.99% guarantee uptime with planned maintenance advertised 2 weeks in advance.
• Approach to resilience: Available on request
• Outage reporting: Email, web site, social media and telephone calls to clients.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are restricted to access to senior R&D personnel only and IP addresses for their devices are whitelisted. Support channels are restricted (and audited) by username and password with IP addresses whitelisted. Support channels only have access to the Virtual Machines running the service and not to the management portal for the service.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International Ltd
• ISO/IEC 27001 accreditation date: 30/03/2017
• What the ISO/IEC 27001 doesn’t cover: This certificate covers the design, sales, supply, service and maintenance of cashless catering systems, integrated solutions, access control, and the maintenance of EPOS system.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: NCC Group
• PCI DSS accreditation date: 01/04/2020
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO9001
  • Cyber Essentials
  • ISO27001
  • ISO14001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001 policy is distributed to all employees and we are externally audited on an annual basis to ensure that the policy is being enforced. We are also PCI DSS compliant and perform quarterly reviews internally on compliance, and are externally audited on an annual basis to ensure that the policy is being enforced.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The hosting environment is anticipated to be available 99.99% of the time, however the service also relies on infrastructure (network and internet access) provided by third parties and/or clients.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Available on request via our Cloud Security Principles document
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: CRB Cunninghams and Microsoft hosted services have intrusion detection systems in place. As standard, Cisco firewalls are in place and pro-active monitoring is in place across our dedicated servers. Detection of abnormal activity, including FTP/ping/SMTP/HTTP/POP3 are alerted to CRB Cunninghams via email/SMS. CRB Cunninghams have internal monitoring systems, which alert us to spikes in activity/usage of system, failed login attempts, performance, backups and other operational actions to allow us to notify clients in advance of them being aware of issues. Logs are retained for as long as required to complete an investigation. These are accessible to senior personnel within R&D
• Incident management type: Supplier-defined controls
• Incident management approach: Part of our ISO27001:2013 information security, data management and Cyber Essentials processes, a documented procedure exists to monitor, record, report, investigate and resolve security incidents. Internal staff undertake and sign off company polices and procedures, in relation to security incidents. There is a defined process for clients to report security incidents. In the first instance, this is via the manned help desk (7:30am–5:00pm, Monday-Friday, 51 weeks of year). Client access via the support portal at www.crbcunninghams.co.uk is available 24 hours a day, 365 days a year. Regular updates via email or telephone take place during the investigation with the client/consumer.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Other
• Other public sector networks:
  • https://www.seemis.gov.scot/
  • https://www.mygov.scot/

Social Value

• Fighting climate change:

  Fighting climate change

  .
• Covid-19 recovery:

  Covid-19 recovery

  .
• Tackling economic inequality:

  Tackling economic inequality

  .
• Equal opportunity:

  Equal opportunity

  .
• Wellbeing:

  Wellbeing

  .

Pricing

• Price: £199 to £299 a unit a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@crbcunninghams.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.