Mentz GmbH

Hosting of DIVA/EFA/DDIP and related Software including SaaS

The hosting provided is used for operating MENTZ software (DIVA/EFA/DDIP/EMS etc.) and related software. It provides customers a high available, high performance platform for running these applications.

Features

• DIVA/EFA/DDIP/EMS etc. Hosting
• AWS cloud based
• trip planning
• public transport operational planning

Benefits

• Enterprise solution for public transport operators and agencies
• High Available
• High Performance
• Best Practice Cloud Solution
• Available around the world in every AWS region

£1.00 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hosseini@mentz.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

576060133365415

Contact

Nahid Hosseini
0049 89 41868 134
hosseini@mentz.net

Service scope

• Service constraints: SLAs are build based on customer expectation. This includes downtimes, availability restrictions, service and support times.; ; Cloud infrastructure (e.g. hardware) is selected to fit purpose. This includes taking requirements on sizing, performance, availability etc. into account.
• System requirements: Access to the system using Internet

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Guaranteed response time depend on the agreed SLA. In most cases response is within 2 hours during business days.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The hosing solution is designed in a way that usually support is not needed. The system can be setup in a is self healing way. Only outages of the cloud (e.g. outage of an AWS region) will have negative effect on availability.; ; We provide support level depending on the agreement in the SLA. The SLA ist customer specific. We provide what ever support level is needed. Fixed costs are defined based on the expected effort involved.; ; Technical account manager and cloud support engineer can be provided if required.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Onsite/online training is provided for the hosted software (see other lot). Training for hosting is not required and not provided.; ; User documentation for hosting is provided if required. The level of documentation depends on expectation and audience.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The data in the system is public transport data which is valid for a very limited time only. Usually our customers are not interested in this old data.; ; Data can be extracted as a database dump (e.g. PostgreSQL) or a DIVA XML export.
• End-of-contract process: At the end of the contract the cloud account including all data being stored in the account is being deleted. AWS ist ISO27001 certified and guarantees that data is deleted in a way that it is not accessible for anyone anymore.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: The hosting provided is dedicated to one customer. There are no shared cloud resources used.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Database
  • Virtual Machines
  • PaaS Setup
• Backup controls: The setup of backup processes is defined as part of the SLA. Backup processes are being implemented with the implementation of the hosting environment.; ; Backup schedules can be changed (by us) if required by our customer. ; ; On top there is the option to create backups based on DIVA XML exports. This is done by the user only including recovery of this data.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Availability is defined in the SLA. Depending on the required SLA the system can be setup with up to 99,95% availability for most services provided. The required availability is a cost factor.
• Approach to resilience: Details on resilience are available on request.
• Outage reporting: Reporting of outages is defined in the SLA and is a cost factor. We provide the reporting required by our customers including public dashboard, SMS, email and others.

Identity and authentication

• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
• Access restrictions in management interfaces and support channels: The system has a rights and role based access management. Defining users, user groups and their rights is up to the administrator of the system which is usually provided by our customer. Accessing the AWS console for any administrative tasks of the hosting platform is only possible for selected MENTZ personnel. Access to support channel is only possible for customer defined personnel.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
• Devices users manage the service through:
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO9001
  • Hosting is provided through AWS who has security certificates

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: No
• Security governance approach: The hosting is implemented at AWS. AWS has several security related compliance certificates (e.g. ISO27001). For details visit https://aws.amazon.com/compliance/programs/; ; MENTZ is ISO9001 certified. Security governance is part of the 9001 processes defined. Details can be made available if required.
• Information security policies and processes: The hosting is implemented at AWS. AWS has several security related compliance certificates (e.g. ISO27001). For details visit https://aws.amazon.com/compliance/programs/

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The hosting service is provided in the cloud based on best practice approaches in cloud environments. This includes a script based very dynamic generation and deletion of all resources (e.g. virtual machines). Tracking of AWS resources being changed, created, deleted is provided based on AWS CloudTrail. See https://aws.amazon.com/cloudtrail for details.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability management for the platform (including hypervisor, network components and all other AWS services in use) infrastructure is provided by AWS as part of the hosting. Security patches are deployed asap.; ; Vulnerability management of the software is provided as part of the software maintenance process (see other lot).
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Hosting is provided by AWS. AWS does respond asap to any security issue detected. ; ; Handling of security issues detected in the software provided (DIVA, EFA, DDIP, EMS etc.) is part of the software maintenance process (see other lot).
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: AWS does have pre-defines processes for common security events. These are not public for security reasons.; ; In case a user reports an incident, we do have AWS business support tp make sure this information can be made available to AWS as quickly as possible.; ; Incident reports are provided by AWS. If required these can be made available to our customers.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Hosting is provided through AWS. AWS is committed to running our business in the most environmentally friendly way possible and achieving 100% renewable energy usage for their global infrastructure. For more details visit https://sustainability.aboutamazon.com/environment/the-cloud

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Environment and energy issues We support public transport by providing software with constantly new and adapted solutions. We use the job ticket or the job bike to travel to work. We travel to our customers and other locations by public transport and avoid air travel as much as possible. We avoid paper as much as possible in internal and external communication. We spend our hiking day in nature, use shared transport and leave nature without any waste. We take care of the environment in our offices by using towels instead of paper towels and energy-saving lamps. We reduce energy consumption by making sensible use of heating, electricity, fans and light. We are involved in the various campaigns and goals that are already being worked on in the area of sustainability or bring in new ideas. We take care of the environment in our offices using environmentally friendly and certified cleaning products, rinse aid, dishwasher cleaner and dishwashing liquid. We use environmentally friendly toilet paper and towels. We analyzed green electricity tariffs together with the management and are now using a green electricity tariff in the Munich office. We analyzed potential savings with the property management when it comes to limiting and regulating the temperature in the office space and had an offer drawn up for digital instead of analog heating thermostats.

  Covid-19 recovery

  MENTZ contingency plan contains following key points: - Pandemie plan - Data protection regulation -Financial security - Theft and office destruction -Fire Prevention Many employees at MENTZ have the possibility of telecommuting from home via protected private log-in which ensures that customer service will be maintained most of time. Especially developers have well equipped home offices from where they usually work some days per week, protected by firewalls. This ensures continuity of our business model. Currently we do not require any additional support.

  Tackling economic inequality

  As part of its entrepreneurial opportunities, MENTZ also combats economic inequality. The employees receive salaries that are well above the minimum wage. Every year, significant amounts are distributed to the staff as bonuses from the annual surplus. In addition, MENTZ donates at least a mid-five-figure amount every year to social institutions for sick or disadvantaged people domestically and abroad.

  Equal opportunity

  MENTZ’s Equality Policy is based on the following legislation: • Basic Constitutional Law of the Federal Republic of Germany, Art. 3 Grundgesetzt (GG) = Principle of equal treatment • Allgemeines Gleichbehandlungsgesetz (AGG) = General law for equal opportunity The principle of equal treatment is mentioned in the Basic Constitutional Law of the Federal Republic of Germany in Article 3. However this regulation only applies to the acting of the German State. Since August 2006 the AGG was enacted to avoid and to abolish disadvantages arising from race, ethnical background, gender, religion, ideology, disability, age or sexual identity. This law also regulates the relation of citizen among each other. Additionally it is duty for every company to guarantee their employees’ access to the AGG regulations within the company. The AGG assures that recruitment policies and procedures will not discriminate or treat unequally any jobs applicants at MENTZ. The AGG designs that job advertisements must be neutral and not favouring any gender, age, religion, race, etc. in advance.

  Wellbeing

  MENTZ supports staff wellbeing, healthiness and physical training to a high extent: flexible working times, flexible employment opportunities for working parents, sabbaticals, ergonomic office equipment, organic coffee, juice and fruits, free accident insurance, excursions, sports activities (skiing weekend, weekly running groups, hiking trip, discounted gym membership, cycle to work scheme), restaurant vouchers, financial support in cases of emergency. To improve staff wellbeing we encourage sporting activities. Company excursions include, skiing weekend, running groups, annual hiking trip,, discounted gym membership, health insurance, cycle to work scheme, or dicounts in form of food coupons, sabbatical with salary sacrifice. MENTZ offers financial support in cases of emergency. MENTZ offers flexible employment opportunities for working parents.

Pricing

• Price: £1.00 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hosseini@mentz.net. Tell them what format you need. It will help if you say what assistive technology you use.