KOOTH DIGITAL HEALTH LIMITED

Qwell: Digital Mental Health Platform for Adults

Since 2001 Kooth Digital Health has been the UK’s leading provider to the NHS and Local Authorities of effective online mental health support. Kooth provides Qwell, a safe, anonymous and welcoming space for adults to explore their mental health through a tailored clinical model and a vibrant online community offering therapeutic choice.

Features

  • Provides safe, anonymous and immediate support, including out of hours
  • Available 24/7, 365 days a year
  • Web-based chat with BACP-accredited practitioners
  • Clinically moderated user and Qwell content, forums, activities and magazine
  • Local Engagement Leads driving regional uptake
  • Web-based platform for ease of access
  • Users self-refer and register
  • Instantly accessible from any web-enabled, internet-connected device

Benefits

  • Data-rich insights - regular reporting on population mental health
  • Live Text Chat - immediate access to BACP-accredited practitioners
  • Qwell Community - vibrant community of pre-moderated safe peer-to-peer forums
  • 24-hour Messaging - access asynchronous support
  • Activity-hub - supporting self-expression and healthy coping strategies
  • Robust Clinical Governance and Goal Based Outcomes
  • Pre-moderated content, 70% user-generated
  • A humanistic, integrative, ‘whole-person’ approach to online therapeutic support

Pricing

£56.00 to £63.00 a unit an hour

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@kooth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

595929876996812

Contact

KOOTH DIGITAL HEALTH LIMITED, Kooth Tenders
Telephone: 02039849337
Email: tenders@kooth.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
As our service is a web-based platform, service users need an internet-enabled device to access support.
System requirements
Service users need an internet-enabled device to access the platform.

User support

Email or online ticketing support
No
Phone support
No
Web chat support
No
Onsite support
No
Support levels
We provide one homogeneous level of support for all customers. Our site and workforce are nationally accessible, differentiated only for the service user. The core site is the same. Any reported issues are dealt with by our in-house team of on-call engineers as soon as possible.
Support available to third parties
No

Onboarding and offboarding

Getting started
We provide materials and workshops, in person and virtually, to help users understand how to access and use the service.
Service documentation
No
End-of-contract data extraction
Kooth plc has a privacy section, which service users can access when signing up to the service, that details information relating to accessing records, clearly written for all service users. Where appropriate, practitioners can explain to service users that they have a right to see their files, to give further clarity and support with any access request or process, explaining that anonymity is compromised through this process because they have to evidence who they are. This right to see information is known as a Subject Access Request. Subject Access Requests should be made to Kooth plc’s data protection officer at DPO@kooth.com, and service users should be informed about the consequences of submitting these requests, as they will be providing email addresses and other identifiable information, compromising their anonymity. Parents/carers do not have the automatic right to see records kept by Kooth plc under the Educational Records Act 1989. Where adults are unable to exercise control over their records due to not having the mental capacity to do so, applications for access can be made on their behalf by an Independent Mental Capacity Advocate (IMCA), appointed under the Mental Health Act, or by next of kin where appropriate.
End-of-contract process
Off-boarding is a technically simple process for Qwell as a commercial off-the-shelf (COTS) web-based platform. If a commissioning authority decides to decommission Qwell, the platform itself can simply be "turned off" for the region and the sign-up flow adjusted to no longer contain the related locations and sub-locations for which Qwell was previously commissioned.
For service users, the process requires clinical and safeguarding governance. Initially the site will no longer accept new registrations for the specific locations, while existing service users are gradually off-boarded to other local services that align with their specific needs. This is done in conjunction with the commissioning authority to ensure service user safety. Service user data will also be deleted to ensure compliance with GDPR. This process is conducted in line with the guidelines set out in the NHS Data Security & Protection Toolkit, on which Qwell is registered and assessed.
All of this is included in the price of the contract at no additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
N/A. All functionality is retained on the mobile version of the platform.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
Qwell's user interface allows service users to, among other things, join impromptu or scheduled one-to-one chats with mental health professionals, participate in forums, read and write magazine articles, and set goals. All the content users see is pre-moderated to avoid any triggering content.

The whole interface is built from HTML, CSS and JavaScript user interface components. We've designed and built a fully WCAG 2.1 compliant library of re-usable user interface components, leveraging the usability and accessibility research and patterns from the GDS Design System.
Accessibility standards
None or don’t know
Description of accessibility
We're committed to meeting the Web Content Accessibility Guidelines (WCAG) level AA with every page and feature built since January 2020.

There are still a small number of A-level and AA-level WCAG issues on Kooth. We have been working hard at training all team members to recognise and avoid accessibility issues.

Manual and automated accessibility tests are performed every day. An accessibility audit was conducted by an IAAP-certified Web Accessibility Specialist in May 2021, following the WCAG-EM process.

WCAG 2.1 is incomplete. So we're careful, in design, development and testing, to avoid many accessibility issues not covered by WCAG.
Accessibility testing
Over the past two years, most of our accessibility testing has been done directly by the team working on designing and building Kooth.

Our lead frontend engineer is an NVDA (screen reader) Certified Expert, an IAAP-certified Web Accessibility Specialist and a keyboard (rather than mouse) user. We also employ an experienced accessibility specialist full time as a frontend developer.

They've trained most people on our product management, design and development team to test Kooth using screen readers, and accessibility features provided by Windows, macOS and web browsers.

As part of our day-to-day release process, new pages and features are tested with macOS VoiceOver, NVDA, and a range of assistive features (page zoom, keyboard accessibility, etc.).

At least once a year, we also do a thorough audit of at least 50% of Qwell. At that time Qwell is checked in depth with more accessibility technologies (e.g. JAWS, VoiceControl) to avoid assistive technology support bugs.

Our lead frontend developer worked for a year as part of the W3C ARIA-AT Community Group, to help identify gaps in how well Assistive Technologies support the Accessible Rich Internet Application (ARIA) specification.
API
No
Customisation available
Yes
Description of customisation
Buyer-specific landing pages can be provided.

Scaling

Independence of resources
Due to the nature of our service, service users all use a single instance of the service.

We regularly perform load testing to ensure that we can handle volumes of traffic larger than historical peak usage.

Analytics

Service usage metrics
Yes
Metrics types
A broad range of service usage and journey metrics, broken down by service type and user cohort.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
All Kooth Digital Health data is stored at rest within Google Cloud Platform (GCP). All disks are encrypted by GCP to protect against loss of disks. Data with higher security levels is stored with a further layer of encryption, using AES-256.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export their data by making a subject access request through their account to a practitioner, who will then escalate it via internal processes. This is done so users can maintain their anonymity, in contrast with the direct email approach. Users can also email the Data Protection Officer at DPO@kooth.com with such a request, although doing so will compromise their anonymity as a user.
Data export formats
Other
Data import formats
Other

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Kooth Digital Health does not commit to specific Service Level Agreements (SLAs) for our service. We do, however, use service level objectives (SLOs). Our SLO for the core service is 99.65% availability across a seven-day period. This is equivalent to a single five-minute outage per day. In practice our availability never falls below 99.95%, and during core service hours we maintain higher levels of availability. Our response time for an alert is 10 minutes for a P1 during service hours and 30 minutes for a P1 at all other times.
We run our services as high availability, which ensures that data and other resources are stored across at least two availability zones within the Google Cloud Platform region. Kooth data is hosted in the europe-west2 region (London) of the Google Cloud Platform. Data hosted at this location is used for service delivery.
Approach to resilience
Kooth Digital Health's service compute infrastructure runs on Google Cloud Platform and is provisioned across three availability zones. Each zone runs separate physical infrastructure and is resilient to other zones becoming unavailable. Kooth's data infrastructure runs on GCP (Cloud SQL) and is configured for high availability. Each database runs with an active master and a passive standby in different availability zones. Data is replicated at disk level between the zones. In the event of the master failing (e.g. due to a utility failure), the database fails over to the standby zone and continues running. All services run in Google Cloud data centres with redundant power supplies and back-up generators.
Outage reporting
Customers will be regularly informed of incidents and outages that have affected the system after the fact. As the system isn't directly utilised by the customer, this is not real time. Instead, the Regional Manager in charge of the contract will reach out to the commissioning authority to ensure they have complete transparency.
For planned outages, customers will receive two weeks' notice in advance.

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
All Kooth staff and contractors must have sufficiently complex passwords. Access to email, documents and service infrastructure is controlled by Google Single Sign-On, and all staff are required to have two-factor authentication enabled. Source code is stored in GitHub, and engineering staff are required to have two-factor authentication enabled. Staff are required to use a password manager for storing passwords and system credentials. System credentials are securely generated according to industry best practice. If access is required, a secure solution using Google Single Sign-On credentials is used.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a standard set of policies and processes to maintain and review the security of our platform. We operate continuous automated outside-in penetration testing, two levels of firewalls inside our network, and automatically raise alerts for investigation when an attack is detected. We have a set of processes and policies for managing our systems. This includes defining clear owners, the sensitivity of the data managed, the processes to maintain the systems, and processes for periodically reviewing access using audit logs.

Ultimate responsibility for information security rests with the CFO, but on a day-to-day basis the CTO is responsible for managing and implementing the policy and related procedures.
Line managers are responsible for ensuring that their permanent and temporary employees, trainees and contractors are aware of: the information security policies applicable in their work areas, their personal responsibilities concerning information security, and how to access information security advice.
All users shall comply with information security procedures, including the maintenance and management of data confidentiality, data integrity and data erasure. Failure to comply with policies may result in disciplinary action being taken against one or more individuals.

All of this is encapsulated in DP-04 (A) Data Security & Information Governance Policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are agreed and documented in Kooth's quality management system (QMS). References to changed code or configuration are tracked in there. Changes are programmatically applied to test environments managed by automated configuration management. Signed off changes are released to production environments and recorded via an automated process. All changes to production pass through technical quality reviews: code review, quality review, product sign-off and continuous external security review and monitoring. Engineers review OWASP principles as part of design and implementation activities.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We subscribe to notifications of vulnerabilities from all providers. Vulnerability notifications are assessed for impact and are patched by engineers or automatically via our public cloud provider, Google Cloud Platform, which hosts our data and service infrastructure. Most patches can be deployed within an hour. We engage an external provider to test our technical systems for vulnerabilities once per quarter as well as performing larger-scale ad-hoc security tests. We use monitoring to alert the engineering team to any attack taking place.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
In the event of a breach, we have a comprehensive data breach policy. We monitor the usage of our enterprise data storage for any potential accidental or malicious leaks of data. We have monitoring for compromises which alerts engineers. We monitor our service for common attacks and block them at the edge of our network. All actions on our infrastructure are logged for auditing purposes. Every employee has a responsibility to report suspected data breaches. An investigation will be started within 24 hours of a breach being discovered, following the steps laid out in our data breach policy.
Incident management type
Supplier-defined controls
Incident management approach
During service hours, P1 incidents are acknowledged within 10 minutes. During all other hours, P1 incidents are acknowledged within 30 minutes. A P1 incident is defined as any incident preventing use by a significant number of practitioners or service users. We have comprehensive documentation for on-call engineers on how to respond to alerts. Customers can report incidents to their customer contact, but most incidents are caught by automated monitoring. Incident reports are routinely created and are available on request. We notify customers of major impacts to their services or data after the fact.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

Equal opportunity

Kooth provides a service that puts diversity and inclusion at its heart - ensuring that we remove barriers to great mental health services for all people regardless of race, age, gender, sexuality or socioeconomic background. We are aware that mental health affects different communities in different ways. Black and Non-White communities face barriers to mental healthcare in the form of language barriers, fear of stigma and a lack of cultural awareness. We are actively creating more content targeted towards minority communities through initiatives to increase usage from Black and Non-White backgrounds through partnerships with external organisations, such as BlackOut UK and Unity FM.
Wellbeing

Kooth is a trusted and valued employer, with a rating of 4.3/5 on Glassdoor and an expanding package of benefits for staff, which has been reviewed and enhanced during the past 12 months to support retention of staff, including a staff Health Care Plan, a Long Term Incentive Plan (award of shares) and life assurance. An extensive programme to support staff wellbeing and connection has also been put in place during the pandemic, including weekly events.

Pricing

Price
£56.00 to £63.00 a unit an hour
Discount for educational organisations
No
Free trial available
No