STACK

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: None
System requirements: None

User support

Email or online ticketing support: Email or online ticketing
Support response times: Clients can file tickets through the redmine platform or contact directly their project manager (CSM) by phone or email. CSMs are available Monday to Friday.

The Instant System support team then file the demands based on urgency.

Here are the maximum support times for anomalies :
- Minor anomaly : the fix will take place with the next scheduled service pack deployment
- Major anomaly : within 4 working days
- Blocking anomaly : within 4 hours (monday to saturday)
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Clients can access support in the following ways :
- Through the Redmine platform 24h a day, they can file tickets that will be taken into account by the support teams.
- Through the support hotline, a phone number accessible during working hours to reach support teams directly
- Though their assigned Customer Success Manager by email or phone

All these support modes come free of cost.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: When deploying solutions, a Customer Success Manager (CSM) is assigned to the client. They are the point of contact for any questions. They also provide online training for the various tools that are put in place.
Documentation is also available and provided to the client.
Service documentation: Yes
Documentation formats: HTML

ODF

PDF
End-of-contract data extraction: At the end of the contract, upon request, the user may retrieve its data in a CSV format.
End-of-contract process: At the end of the contract, the service is stopped, Apps are no longer available on the Stores, all data are cleared.
The Store certificates are sent to the client.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: Yes
Compatible operating systems: Android

IOS
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Instant System provides PTOs and PTAs with white label passenger information and Mobility as a Service tools. These solutions are developed as mobile applications available on the Android and iOS stores.
But also for the web with a website focused on the mobility services of a territory, integrating an interactive map of the area allowing for journey planning.
Service interface: Yes
User support accessibility: WCAG 2.1 A
Description of service interface: The service interface or back office (BO) for the client enables the management of the solution. Data can be pushed from the BO to the app/website such as network disruptions or various types of notifications (push/banners/splash...).
Accessibility standards: WCAG 2.1 A
Accessibility testing: The interfaces of our digital products have undergone external accessibility audits. Furthermore, an organisation for the promotion of digital accessibility has tested the platform. Their comments and remarks are taken into account for the future developments of products and features.
Internally to the company, the development teams regularly follow accessibility training.
API: Yes
What users can and can't do using the API: The mobile applications work with APIs for journey planning, integrating mobility services as well as ticketing solutions.
Our APIs for the journey planner, can be opened to third party use.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The mobile applications as well as the websites are customisable. They are developed in white label, meaning that the graphical charter as well as the names and logos are those of our clients.
A big part of MaaS is adapting to the specific territory. In this case, it is possible to customise the various integrations of mobility solutions (bike services, on demand transport, car sharing and others).
Through the applications, it is also possible to redirect users to specific websites in order to access further information on certain topics. These various links are customisable.

Instant System provides the client with the customisable fields, then taken into account for the development of the tools.

Scaling

Independence of resources: Each tenant is allocated specific resources constraints. For each application in the tenant namespace, we guarantee a given amount of memory and cpu based on the application scope and we set a limit that can't be exceeded. We rely on native Kubernetes features to ensure those constraints are enforced.

Analytics

Service usage metrics: Yes
Metrics types: A lot of metrics can be obtained based on the stores (downloads...) but also the applications themselves.
A customisable dashboard displays information regarding the use of the tool and the journey planner. Displaying information such as : mode of transport chosen, origin, destination, average duration of a trip, planned journey with no public transport solution...).
Regular reports can also be shared monthly or on request based on client needs.
This information can also feed a data lake if the client already has a dashboard combining other types of data.
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: CSV exports are available from the back office platform.
Clients can also receive data from the use of the applications. Data from the journey planner (type of trips, modes chosen, origin and destination, journey requests with no mobility solution...). These dashboards are customisable to display the most important information that varies client to client.
Data export formats: CSV
Data import formats: Other
Other data import formats: JSON

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Infrastructure is monitored and can benefit from a high availability level (99,50%) with a 4h guaranteed service restoration time.
Approach to resilience: The system is hosted at Google Cloud Compute Engine (https://cloud.google.com/compute/sla), based on Kubernetes technology (https://cloud.google.com/kubernetes-engine/sla) and provides very high reliability and security.
Disks and databases are managed by Google: they are encrypted, redundant and backed up twice a day to ensure no data loss.
Outage reporting: Various runtime metrics are collected for monitoring purposes, such as cpu and memory usage, latency. When those metrics exceed a certain threshold, ops are alerted and take appropriate measures if needed to bring the services back to their optimal state.

Similarly, we monitor the liveness of both our services and third-party services. When either our service or a partner service become unresponsive, we receive an alert on a private slack channel. If the issue can’t be resolved in a timely fashion, we escalate the problem and notify the client.

Identity and authentication

User authentication needed: No
Access restrictions in management interfaces and support channels: We restrict access in management interfaces and channel support by using user names and passwords. Administrative actions require authentication and office IP address whitelisting.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 6 months and 12 months
How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: We have a security board and CISO reporting to the CTO.
Information security policies and processes: Instant System has set up a security assurance plan that specifies the common provisions implemented to ensure security regarding:
- software produced by Instant-System teams and operated by Instant-System,

- software produced by Instant-System teams intended to be operated by a third party,
- software used by Instant-System provided by partners or subcontractors,
- data from users of products manufactured by Instant-System,
- of any document or information made available to Instant-System by a third party.

To ensure policies are followed, a security board bringing together the Ops, the CISO, the CTO meets once every 4 weeks and reviews topics directly linked to cybersecurity (CVE vulnerabilities, analysis of reports, evolution of processes, etc.).

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Jira is used to track change requirements. Product features are described and tracked in Jira. Code is versioned in Git (Bitbucket Cloud). We’ve set up webhooks to allow both tools to collaborate efficiently.

We follow Git best practices and implement a variant of Git Flow. For each feature created in Jira, we open a feature branch named after the jira ticket id. Before merging the feature branch in the master branch, change goes through a peer review process and a CI build.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Alerts are reported by a SOC (Security Operational Center). This SOC is based on the SentinelOne EDR. The EDR is on all workstations as well as all production machines. In the event of a compromise, an alert is sent to the SOC, it is qualified and if necessary a crisis process is created. The qualification is completed in less than 2 hours.

A subscription and access to reference sites on CVE (Common Vulnerabilities and Exposures) enables teams to be informed quickly when new security vulnerabilities are discovered.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Alerts are reported by a SOC (Security Operational Center). This SOC is based on the SentinelOne EDR. The EDR is on all workstations as well as all production machines. In the event of a compromise, an alert is sent to the SOC, it is qualified and if necessary a crisis process is created. The qualification is completed in less than 2 hours.
Incident management type: Supplier-defined controls
Incident management approach: A dedicated webapp is provided (self-hosted Redmine instance) through which users can report incidents and requests new features.

Whenever users report an incident in Redmine, a new jira ticket is created. Those tickets are handled by a specific Support team who is responsible for evaluating them and either handling them if possible or redispatching them.

A knowledge base exists in with the support teams in order to respond as quickly as possible to current incidents.
Incident reports are shared by email.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: Yes
Connected networks: Other
Other public sector networks: Public transport networks

Social Value

Fighting climate change
Wellbeing

Fighting climate change

A passenger information/MaaS platform is inherently positive in the fight against climate change.
With the goal of making public transport and micromobility more accessible to all, Instant System's tools are at the heart of improving urban environments.

An independent environmental impact study of the Instant System platform shows :
1. a carbon gain estimated at 1.8kg of CO2 avoided per user per trip.
2. an energy gain estimated at 1.5 kWh avoided per user.
3. a reduction in air pollution in the urban areas where the solution is deployed.

The accurate display of mobility solutions greatly increases the trust users can have towards various transport solutions. Encouraging change from citizens using their personal vehicles to public transport and other modes of greener travel has an impact on climate change.
Furthermore, the Instant System journey planner displays CO2 emissions related to the various trips. Users are informed and can make the decision to take a certain journey based on cost, time, mode of transport but also emissions.

Wellbeing

The platform and tools developed by Instant System take wellbeing into account at every level. The digital products are designed to be accessible by all, no matter possible disabilities.
For example, visually impaired users can activate a vocalising function, sharing the next departures at bus stops around the person.

Wellbeing is a big part of Instant System's company culture, starting from the onboarding process:
- participation in different onboarding presentations where each team (DevOps, Support, R&D...) will show its scope of activity and the potential link with the newcomer.
- assignment of a manager for long-term support (skills, responsibilities, training needs or even salary increases).
- a sport coach is present at the office 3 days a week to encourage and supervise various activities
- fresh fruit available in the office throughout the week
- mental and physical check-ups every 2 years

Pricing

Price: £6,000 a licence a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

STACK

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents