FINTEK SOFTWARE LIMITED

Chat to Pat - Sexual Health Chatbot

Pat is a sexual health chatbot which can answer natural language questions from users, and provide sexual health advice. It can be deployed on services' websites and provide automated service signposting and 24/7 advice. It is suitable for high-risk applications since it relies on scripted responses rather than generative AI.

Features

• 24/7 chatbot providing sexual health information
• WCAG 2.1 AA compliant chatbot interface
• Interface embeddable on any website
• Reporting and analytics for chatbot interactions
• Bank of over 300 clinically reviewed predefined responses
• Responses customisable for each chatbot instance
• Detection of safeguarding topics such as suicide or sexual assault

Benefits

• 24/7 advice outside of manned service hours
• Reduces load on call centers and in-person services
• Allows users to quickly find services and relevant advice
• Analytics provide insights on sexual health service usage

£650 a unit a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ingrid@japeto.ai. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

611165606021016

Contact

Ingrid Folland
01223968304
ingrid@japeto.ai

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Target website must support adding HTML snippets
  • End user's web browser must have JavaScript enabled

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response within 30 minutes for urgent issues on working days, 9am-5pm. Less urgent issues are responded with at least same business day.; ; Urgent issues on weekends are handled within 30 minutes after 9am the following business day.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Standard support is provided via email or online support portal during UK business days, 9am-5pm UK time. This is at no extra cost.; ; The support engineers assigned to handle support issues are the software developers who build the system.; ; In addition to user-generated tickets, our monitoring and alerting system generates tickets for key issues such as detected performance issues or downtime.; ; Support issues are triaged based on a ticketing system based on 4 levels of priority with the following SLA:; P1 (total loss of functionality): response within 30 minutes, same day resolution; P2 (loss of critical functionality): response within 60 minutes, next day resolution; P3 (Loss of frequently used functionality): response within 4 hours, 3 day resolution; P4 (Loss of low priority functionality or minor bugs): response within 24 hours, resolution agreed as normal development.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The predefined chatbot responses for each topic are provided to the buyer so that responses can be reviewed, and optionally customised to the service. For example, customising signposting for STI testing topics to local services. These responses are provided in Word and Excel format.; ; We provide a sample of the chatbot's appearance and work with the buyer to update the appearance. Our first draft is based on the target website colour scheme.; ; Once the chatbot is ready, instructions are provided to allow the buyer's web team to embed the chatbot onto the target website.; ; The buyer will be asked to provide key reporting contacts, and we provide access to a reporting dashboard. Each contact will be sent an email with access information to the service.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We will maintain access to the dashboard for 3 months after the expiry of the contract. A complete set of reporting data can be downloaded from the dashboard in Excel or CSV format.
• End-of-contract process: We disable the chatbot interface on our system, after which it no longer appears on the target website. We then provide instructions for the removal of existing embedding code from the website.; ; User access to the reporting dashboard is maintained for up to three months, or until we receive confirmation that all data has been downloaded.; ; Messaging data is then deleted on our system.; ; All of the above are included in the price of the contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: On lower screen sizes such as mobile, the chatbot interface changes in size so that it fits onto the screen. This does not materially affect functionality, although the message history window is slightly smaller so fits fewer messages at a given time.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: The look-and-feel of the interface can be customised. This includes:; - The name of the chatbot; - The colour scheme; - The introductory text the chatbot sends as the first message; - Privacy policy and terms and conditions links; - The avatar image representing the chatbot; ; Note that in order to maintain WCAG 2.1 AA compliance, alternate colour schemes chosen may be restricted to certain contrast ratios. ; ; Additionally, the responses given by the chatbot can be customised from the core script. This includes:; - Customising existing responses to point at local services. For example, the response to a "Get an STI test" question may point to local clinics; - Adding completely new topics to extend the chatbot's functionality; - Disabling pre-defined responses from the chatbot, e.g. disabling responses which point to sexual health services which are not offered locally.

Scaling

• Independence of resources: Our message processing system uses load balancing and auto-scaling. This means that there are multiple instances of each service, and requests are split between each instance. We monitor performance metrics such as message response times to automatically add additional instances, allowing us to scale with message volume.; ; Our database servers are deployed as a cluster of multiple redundant machines which allows us to scale our database capacity in response to increasing demand from other users. We also utilise techniques such as caching and sharding to maintain scalability.

Analytics

• Service usage metrics: Yes
• Metrics types: Service metrics are provided via access to a dedicated reporting dashboard. These include:; ; - The individual chat messages grouped by conversation (with PII redacted); ; - The breakdown of topic categories users are talking about; ; - Summary data about usage of the chatbot, accuracy and other performance metrics; ; - Suggestions on updates for the next round of updates to the chatbot, e.g. common themes in questions users are asking that should be addressed with dedicated responses; ; Dashboard users can download this data in Excel or CSV format.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: End users of the chatbot may download their own message history in CSV format via a download link in the chatbot interface.; ; The buyer's user with access to the reporting dashboard can export data in Excel or CSV format.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: Not applicable, no features use existing data

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our SLA is to meet 99.9% availability of the chatbot or the dashboard by time available. A chatbot is considered unavailable if the chatbot interface does not load correctly on a website due to an issue with the chatbot, or if a message fails to load due to a processing error. ; ; Availability is tracked using automated means (up/down monitoring and alerting for any errors returned by the API), but this metric is also affected by user-reported errors where they are identified as a service issue.; ; Service fees are refunded on a pro-rata basis if this level of SLA is not met.
• Approach to resilience: The chatbot interface is served using Amazon Web Services S3 and CloudFront, which has a 99.9% availability SLA. This component does not store any user data and can be trivially redeployed by our build server in the event of a data loss.; ; The data storage system is a database cluster which is deployed to at least two redundant database instances, in different availability zones, electrical grids and flood plains, ensuring integrity and availability in the even of the loss of an entire data center. Daily backups are taken with a recovery time objective of 4 hours. In the event of a failure of the primary failover instance, automatic failover occurs enabling one of the redundant instances to take over within 60 seconds.; ; The message processing system is deployed usign multiple load balanced instances, similarly in multiple availability zones. Automated failure detection enables the load balancer to detect unhealthy servers and automatically reroute traffic to healthy instances.
• Outage reporting: Automated alerts are configured to raise support tickets, and the purchaser would be copied in on these alerts. These include major incidents such as downtime.; ; We use a status reporting service which provides a publicly accessible web page with the status of each component of the service. Users may subscribe on this page and receive email alerts from active issues.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Management reports are shared via a reporting dashboard. We provide users with reporting access at contract start and they can be managed via support request. Access is via a web page, authenticated by user / password authentication with MFA.; ; Our management interfaces which we use to manage the service are secured by strong authentication with MFA, and are only accessible via VPN connection.; ; Email support channels are secured by the user's preferred email provider's security. Web access to support is via user / password authentication for users, and user / password authentication with MFA for our staff.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: NHS Data Security and Protection Toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials; NHS DSPT
• Information security policies and processes: We have an information security management system which follows the controls outlined in Cyber Essentials and NHS Data Security and Protection Toolkit. Our Statement of Applicability is available upon request. We follow ISO 27001 processes in developing this system, including gap analysis, risk assessment and treatment, control selection and documentation and regular assessments. ; ; As we are a small company (5 employees), on an organisational level all employees report directly to the CISO. On a project level, the project manager is assigned the responsibility of ensuring that project-level controls are followed.; ; Quarterly reviews are carried out on our ISMS to ensure policies are being followed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We manage platform changes using our internal change management process. Changes are tracked using an issue tracker, and a continuous integration process involving manual testing, automated testing and security scanning.; ; New releases are managed by raising change requests and require management approval.; ; Changes to the chatbot's personalised responses are managed on a regular quarterly release cycle in which reporting is sent to the buyer and suggestions for changes are made. Accepted changes are then developed.; ; Prior to release, a change request process is made where the key buyer contact signs off on changes with reference to a staging environment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The majority of our service uses managed cloud services through AWS, which is ISO 27001 certified including for vulnerability management.; ; New releases are automatically scanned for vulnerabilities using a scanning tool which includes OWASP top 10 threats.; ; Security updates to core components managed by us (Java, Linux and MySQL versions) are notified to us by automated AWS updates, with critical patches applied within 7 days. Automated security updates are enabled (weekly).; ; Where we use third party libraries, we use a third party vulnerability database (Snyk) to identify new vulnerabilities with patching on the same timeline.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Much of our infrastructure for this system uses AWS managed services which provide protective monitoring controls in line with ISO 27001.; ; Where we are in scope, we can identify potential compomises based on auditing information related to our IAM system and database access.; ; Potential compromises are treated as critical incidents and are therefore addressed immediately (same day). ; ; The immediate response to a credible potential for compromise involves the temporary shutdown of the service and revoking access controls until a forensic analysis, and notifying the buyer within 24 hours.
• Incident management type: Supplier-defined controls
• Incident management approach: There are pre-defined processes for incidents involving confidentiality, integrity and availability of data, with pre-definited priority levels.; ; Users can report incidents using our email / support platform channel. Incidents raised by automated alerting are also raised via this channel.; ; Incident reports are sent to the buyer at the point of first identification, triage, immediate remediation and long-term remediation. These are provided in PDF format using a standardised template.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  By providing a 24/7 chatbot service, our service is able to give end users access to sexual health information they may not otherwise have access to. It also provides similar advice regardless of service area, helping to reduce some regional inequalities in access to sexual health services.; ; The service is a WCAG 2.1 AA compliant text chatbot, which allows people to access services they may not have otherwise had access to. For example, this service can help to provide access to sexual health advice which would be inacessible via the phone or in person, for example people with hearing disabilities, or conditions such as anxiety and autism spectrum disorder.; ; Talking to an anonymous chatbot rather than a person about sexual health advice can help with stigma among some communities around seeking sexual health advice, meaning that it can increase reach among some communities which are currently not served effectively by other sexual health services.

  Wellbeing

  The system provides clear, anonymous sexual health advice without judgement. This can include general information about STIs, or how to access services such as free condoms. Effective sexual health advice and increased access to contraception and testing services can help to prevent HIV, other STIs, issues during pregnancy and other conditions.

Pricing

• Price: £650 a unit a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ingrid@japeto.ai. Tell them what format you need. It will help if you say what assistive technology you use.