YUDU Sentinel

YUDU Publisher

YUDU Publisher is a cloud-based tool to help local government and public services publish fully accessible documentation online - turning PDF reports and documents into fully-accessible HTML to comply with WCAG 2.0 standards.

Features

• Convert PDF publications and reports into HTML
• Comply with AAA WCAG 2.0 accessibility standards
• Compatible with screen readers for users with visual impairments
• Keyboard navigation for users with visual & motor impairment
• Flexible text sizes for improved readability
• Enhance content with video and audio to complement content
• Web URLs, phone numbers and email addresses automatically linked
• Keyword search to easily find related content
• Protect sensitive content with robust login protection
• Stats and analytics unlock insight into reader behaviour

Benefits

• Deliver content across all modern devices and browsers
• Improved reading experience for all users
• Fast load times using our content delivery network
• Easily update reports and publications worldwide in minutes
• Fully branded - custom domains to build trust with users
• Engage readers by including video or animation
• Measure engagement with Google Analytics integration
• Secure - ISO 27001 compliant
• Reduced workflow and increased productivity in your department
• Our on demand service provides peace of mind

£500 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.stephenson@yudu.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

573502637716098

Contact

Charlie Stephenson
+44 1200 420 871
charlie.stephenson@yudu.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Hybrid cloud
• Service constraints: No relevant constraints
• System requirements:
  • None.Access through any modern browser
  • Optional Apps- a licence from Apple (iOS) or Google (Android)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: These are responses to questions or general support and not outages or malfunctions. Tickets are answered within 24 hours excluding weekends and UK bank holidays. Zen Desk ticketing.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: This response applies to support and not outage of the system that are monitored 24/7 and responded to in accordance with our SLA.; First level support response is provided during UK working hours via email and phone, with an assigned technical account manager, at no additional cost. Tickets are managed using ZenDesk.; ; Support tickets are escalated to second-level development staff where required.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A welcome pack is provided to new customers providing all the details they need to get started. ; A customer support engineer is assigned to assist the client. ; We provide extensive guidance and support resources at https://help.yudu.com/. ; Online training is provided via webinar and/or onsite training are also available at an additional cost.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data consists of i) content that the users have published through the service, and ii) records of the users as used for authentication etc.; ; Published content is typically already available to users since they provided it in the first place. Users may download the published version of the content if they wish, though since it uses a custom publication format that is of limited use without the rest of the platform.
• End-of-contract process: The contract price includes access to the publishing platform and support by email and phone, as well as all hosting and bandwidth costs for published content.; Bureau publishing services, additional support such as on-site training, design projects etc. are available at an additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Standard viewing of documents on mobiles differ from desktops as they the user can fit the view to the viewing screen width and scroll or tap to zoom. If available, the PhoneView version is automatically served to the user when a mobile device is detected ensures that documents are smoothly fitted to any screen size.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The interface allows you to upload, manage, enhance and publish your digital documents to web, iOS, Android or Windows apps.
• Accessibility standards: None or don’t know
• Description of accessibility: The interface has been assessed against WCAG 2.1AA using online tools and changes will be implemented to address any accessibility issue identified. Content published through the platform can be provided in a responsive HTML format allowing font resizing and text to speech using mobile devices' built in support.
• Accessibility testing: Content published to iOS apps with a responsive version of the content can generally be accessed using the device's built-in accessibility features. Preliminary testing with Windows-based assistive technology for text to speech indicates that further development would be needed to make the content accessible. Accessibility testing has not been performed on the publishing platform itself.
• API: Yes
• What users can and can't do using the API: Using the API clients can upload and publish or depublish content, as well as control which users have access to which pieces of content.; ; The API provides a subset of the functionality available through the main publishing UI, but includes all of the most important publishing options.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: A full suite of tools is available for Users to enhance and customise documents. Documents can be customised with live external links, email links, page links and tables on contents, videos, animations, information pop-ups, sharing options and many more settings are available to customise the document. ; Users can customise using the Overlay Editor for adding content and links and the settings can be accessed via the console.

Scaling

• Independence of resources: Intensive operations are queued for asynchronous processing by a separate set of servers, meaning site responsivity is unaffected by heavy usage.

Analytics

• Service usage metrics: Yes
• Metrics types: Built-in metrics show aggregate viewing statistics for published items, such as visit count, page views and interaction counts.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Data is stored on AWS s3 storage instances. Encryption at rest is supported as an add-on option.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The nature of the service is that users already have their content, and the platform allows them to publish it in a custom format to a defined audience, so data export is not normally required.
• Data export formats: Other
• Other data export formats: N/A
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We will use commercially reasonable efforts to make Publisher available 99.95% of the time. In the event YUDU does not meet the goal of 99.95% availability in a given calendar month (“Monthly Uptime Percentage”), you will be eligible to receive a Service Credit.; ; The credit shall be calculated as five (5) percent of the Customer’s monthly spend with the us for each of the SLA targets unto a maximum of a ten (10) percent credit, where the monthly spend is defined as the total invoiced amount for the calendar month period of the month affected by downtime.
• Approach to resilience: We use multiple datacentre locations, using load balancers to span across datacentres using Amazon Web Services (AWS). Databases are similarly configured for multiple availability zones and automatic failover using AWS RDS. Filestores (S3) use multiple storage locations to ensure no data is lost, with CloudFront's CDN acting as a near-ISP high speed cache for serving of content in the United Kingdom and around the world, as required.; ; Each server type (web, task, etc.) has at least two (and often 3-5) instances running constantly to ensure no single point of failure.
• Outage reporting: Any planned out-of-hours downtime is shown ahead of time in a message screen shown to users logging on to the platform. In the event of an outage, updates are sent to clients and users via a Twitter account.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Admin level users with access in the system to data from more than one client are subject to more stringent password requirements, and 2FA with admin accounts are subject to periodic review.; ; Higher level access such as to the database or server configuration is only available to the development team, and requires connection via a secure VPN.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: Originally accredited on 6th September 2019, and renewed in 2020 and 2021
• What the ISO/IEC 27001 doesn’t cover: A.10.1 Cryptographic controls:; A.10.1.1: Policy on the use of cryptographic controls; A.10.1.2: Key management; ; A.11 Physical and environmental security:; A.11.1.5: Working in secure areas; A.11.1.6: Delivery and loading areas; ; A.14.2 Security in development and support processes; A.14.2.7: Outsourced development; ; A.18.1 Compliance with legal and contractual requirements; A.18.1.5: Regulation of cryptographic controls
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 01/01/2016
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: We are with AWS, who are CSA STAR accredited.
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Security policy is managed by the CTO, Head of Security and CEO, based on reference to relevant standards such as ISO27001 wherever it's practical to follow those guidelines.
• Information security policies and processes: Security policies are enforced by an assigned Security Officer for each office/department of the company. These report to a single Head of Security, who in turn report to the CTO and CEO.; ; All employees agree to the company security policy on joining, and are required to report any lapse of the policy to the appropriate Security Officer so that it can be addressed. Security Officers also monitor and periodically review to identify any points of concern.; ; We are currently working towards our ISO22301 certification.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change requests from customers, internal and external stakeholders are assessed by an internal review team at least once per quarter, with non-trivial development items discussed (including any impact of the change to other components of the system), reviewed and accepted for the following quarter, with all subsequent development being peer-reviewed and tested before release.; ; Separate internal teams are maintained for development items that are less than a couple of man-days, reviewed and implemented as time allows from the support developer team resources.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Potential threats are assessed from multiple documented sources, from commonly used resources like the OWASP project (https://www.owasp.org/index.php/Main_Page), as well as mailing lists and security updates (typically critical, high) for the client-facing software we use.; ; Speed of deployment is usually within a week for assessed critical vulnerabilities, but depends on individual assessment of the issue - for example, the recent Intel hardware issues (Spectre and Meltdown) had fixes that crippled the servers they were deployed on, requiring more extended deployment timescales and further testing.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Internet facing servers are hardened to use only essential ports, with penetration testing against the public interfaces. Clients are free to arrange external penetration testing by appointment.; ; Any compromise detected is dealt with as a Tier 1 support issue (most urgent), with the entire development and support team being involved. ; ; In the event of a security breach as defined by the Data Protection Legislation or any such event that may impact on the customer's data, we will upon discovery notify the customer without undue delay and in any event within 48 hours.
• Incident management type: Supplier-defined controls
• Incident management approach: Major incidents are managed following the YUDU Incident Management Process document which is kept updated quarterly. ; Clients may report incidents via telephone, email or a support/ticket system (Zendesk), which will keep them up to date of the progress of their support tickets. This information is permanently available to clients for their internal reports.; ; Support items are classified according to impact, urgency and sorted either into a dedicated support team member or, if requiring developer level support, assigned into a queue system for that support.; ; Common events typically have documented processes for support staff to resolve without developer level support.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  YUDU are pursuing strict environmental standards beyond the provisions of legislation.; ; In 2015 we migrated our infrastructure to Amazon Web Services (AWS), one of the world's leading data centre providers both in uptime and commitment to 100% renewable energy.; ; YUDU’s production offices (in Clitheroe) are powered by wind and solar energy, and we plan to broaden the scope of renewable power at our premises.; ; In addition to this, YUDU Publisher enables our clients to scale back their circulation of printed materials - creating substantial benefits for the environment.
• Covid-19 recovery:

  Covid-19 recovery

  YUDU Sentinel division has been successfully deployed throughout the COVID-19 pandemic to provide the vital link between the vulnerable house-bound and sheltering member of the public and volunteers and Council support groups. Digital Textbooks have been a vital service to allow children to learn from home and YUDU has seen a huge rise in demand during CODID which is continuing.
• Tackling economic inequality:

  Tackling economic inequality

  Consuming content on phones is a low cost way to make knowledge available to the widest possible community over all economic groups. Accessibility for those with motor or visual impairment can improve economic chances and YUDU is committed to ensure that accessibility applies to content delivered to mobile devices.
• Equal opportunity:

  Equal opportunity

  YUDU has a strict equal opportunities policy as part of our Ethics Policy
• Wellbeing:

  Wellbeing

  YUDU has a proud history of ensuring that the health and wellbeing of our staff is understood and acted upon when staff members experience difficulties at work or in their private lives. Through the pandemic weekly "Samlings" have been held on line for staff to participate and share stories. This has been a vital tool to avoid isolation and separation when working from home.

Pricing

• Price: £500 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 30 day free trail to access the platform for standard projects.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.stephenson@yudu.com. Tell them what format you need. It will help if you say what assistive technology you use.