THRIVE - The Modern-Day LMS (Complete Learning & Skills Platform)

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: We are committed to delivering a service with as little interruption as possible, and in fact we’ve designed our whole solution around this. This means that we can offer zero-downtime updates for the vast majority of enhancements we release to the platform.

As a result we can offer an availability commitment without any caveats - that’s 99.9% availability of the platform, measured quarterly, with no hidden maintenance time clauses.
System requirements: SaaS solution requires a supported web browser for access

Internet connection

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response time is based on the severity of the issue in accordance with our SLA:

Urgent - 30 Minutes (2 hour containment target)
High - 1 Hour (0.5 day containment target)
Normal - 4 Hours (5 day containment target)
Low - 8 Hours (10 day containment target)
Non-Urgent - 8 Hours (20 day containment target)

Response times based on working hours of 9-5, Monday to Friday.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: Unlimited Admin Support is included in our annual subscription cost:

SECOND LEVEL- Support level provided by our Support team when enquiries prove to be too complex to resolve with available resources or when issues arise within the LXP platform, content or mobile application.
THIRD LEVEL- Support level engaged where there is found to be a defect present in the infrastructure or code-base. This is handled by our support team in conjunction with our development, infrastructure and product teams wherever appropriate.

We acknowledge and resolve issues in line with the priority levels defined below. A first response may include either a direct response to a ticket or a proactive message to forewarn you of an issue before it has been reported. Automated responses do not constitute a first response. The time to containment reflects THRIVE’s intended mean time to recover the functionality of the system or content to a usable state, not to resolve the root cause of the issue.

Urgent - 30 Minutes (2 hour containment target)
High - 1 Hour (0.5 day containment target)
Normal - 4 Hours (5 day containment target)
Low - 8 Hours (10 day containment target)
Non-Urgent - 8 Hours (20 day containment target)
Support available to third parties: No

Onboarding and offboarding

Getting started: We have a pool of resources available to support each customer's implementation. You'll be assigned an on-shore (UK based) team which will be made up of an Implementation Specialist, Project Coordinator and a Customer Success Manager when you join. All three will guide you through the implementation journey, ensuring we understand your success metrics, content plans and how you'll generate engagement - and we'll hold a series of workshops with you to give you all the tools you need to get the most out of your LXP. Alongside your named team, we also have a range of other roles that will be on hand to support you at various points, including learning insight analysts, content specialists and customer support.

We would provide Admin Users with training both during workshops throughout the implementation period and in the form of a comprehensive suite of content available on demand from Thrive Tribe. Your CSM can also support you with product queries throughout your lifetime with us.

"How to" video guides and other supporting resources are available for all Admins via our community site "Thrive Tribe"
Service documentation: Yes
Documentation formats: PDF

Other
Other documentation formats: Video
End-of-contract data extraction: Thrive will, upon request, provide you with access to all available data and information needed to complete this process as efficiently and effectively as possible.

Data can be fully deleted from the live databases and file stores within 3 days of request. As part of this process we would also purge your data from most backup locations, however some information may remain within backups for up to 6 months.
End-of-contract process: We would work with our clients and liaise to support you to move.

We would look to understand the data you required and the future plans for that data in order to suggest a recommended format to transfer the information to you in.

After agreeing this, an initial dump of data and assets would be provided to you securely via SFTP, against which a test migration can be performed.

Once the migration process has been realised and tested, we would liaise with you to agree a final date for the system to be suspended and for the final data to be transferred as per the previous routine.

This information would be transferred if required utilising a secure SFTP method as described above should you choose to migrate to an alternate solution.

There is no additional cost for this service.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: THRIVE is accessible via either a Web-App which is completely device responsive, whether that be mobiles, tablets or desktops, and on both Windows and macOS. This means that any content held within THRIVE will also be responsive to devices.

We also have a Native-App for tablet and smartphone which is iOS and Android compatible. The mobile app allows users to download their learning content to their device to complete offline. When they then reconnect to the internet the app will push the completion report back to their learner record.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: THRIVE is a cloud service built around a micro-service architecture. We utilise Node.JS with Restify.JS to implement a number of logical services, each of which will be made up of one containerised application.

Each micro-service offers a number of GraphQL endpoints and mutations which can then be utilised by the front end applications - usually either written in React.JS or React native.

The solution includes a number of user interfaces: two web applications written in React.JS with Redux back ends, and a native mobile application for iOS and Android written in React native and again using Redux for state management.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Thrive Learning assessed the accessibility of THRIVE Learning and Skills Platform by the following approaches:

- Regular internal reviews by qualified team members
- Annual external evaluation with accessibility audit performed by Zoonou Ltd

THRIVE Learning and Skills Platform is designed to be compatible with the following assistive technologies:
- JAWS
- NVDA
- Zoomtext
- Dragon Naturally Speaking

Full details of our Accessibility Statement can be found here: https://www.thrivelearning.com/terms-and-conditions/accessibility-statement-for-thrive-learning-and-skills-platform/
API: Yes
What users can and can't do using the API: Support for identity management using SCIM2.

Activity tracking supported by xAPI.

We also offer access to system data for reporting purposes via REST.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: THRIVE is highly customisable. This is easily managed via the admin panel, and does not require any expert skills or knowledge to do so. THRIVE has purposely been designed to mirror consumer-grade experiences so that it is simple, intuitive to use and most importantly familiar to users and how they consume content regularly in their personal lives.

We will upload your chosen logo upon site creation and set your primary brand colours to match your brand guidelines. Updating the colour theme can be done by admins at anytime, as well as allowing the front page to be configured in a way that recommends and pushes content to learners based on what the organisation would like to encourage.

The campaigns banner located on the front page is controlled by the admins and can be configured in a way so that it is brand/aimed at different audiences or for all users.

The Explore page is also controlled by the admins and offers a highly flexible way for categorising content and allowing users to explore topics of content that are important for the customer on a bespoke basis. All of this can be done through simple configurable forms without need to technical expertise.

Scaling

Independence of resources: Most traffic to the platform is handled through Amazons Cloudfront CDN system. This allows users to access the web application and any assets (including video) from local servers, greatly speeding up the responsiveness of the tool compared to traditional monolithic applications.

We stress test our services, including all commonly accessed endpoints, using a load testing tool called "Siege". These tests are conducted on 21 individual services in order to test scaling rules and response times and have been used to handle an equivalent load of 50,000 concurrent users.

Analytics

Service usage metrics: Yes
Metrics types: KPI Dashboard

Detailed info based upon activity logging, system usage and professional development logs.
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Data available in JSON format via REST API.
Data export formats: CSV

Other
Other data export formats: JSON
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: We are committed to delivering a service with as little interruption as possible, and in fact we’ve designed our whole solution around this. This means that we can offer zero-downtime updates for the vast majority of enhancements we release to the platform.

As a result we can offer an availability commitment without any caveats - that’s 99.9% availability of the platform, measured quarterly, with no hidden maintenance time clauses.
Approach to resilience: We use a microservice architecture which has the huge benefit of being able to scale to handle additional load. At any time a minimum of two instances are running for each service, and as additional load is detected this can be very quickly ramped up to deal with increased workload.
Outage reporting: A public dashboard and email alerts.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: Access to support is offered to privileged individuals within the customer's designated project team.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Approachable Certification Ltd
ISO/IEC 27001 accreditation date: 30/09/2019
What the ISO/IEC 27001 doesn’t cover: The scope of our ISO 27001 certification is as follows: "Information security for processes based from Nottingham office in the development, provision, maintenance, support and protection of hosted digital learning platforms, content and tools, mobile application, customer and company data and associated infrastructure." This covers all services offered to customer which involve any form of data processing.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: We have an internal ISMS which is ISO 27001 certified by a UCAS registered auditor.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: We maintain a strong change control procedure in accordance with the ISO 27001 standard. These controls cover changes to process, enhancements to the application and maintenance of infrastructure.

An independent auditor reviews these measures and internal compliance with them on an annual basis.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We maintain a vulnerability manage procedure which covers the key areas of Software & Dependencies and Infrastructure & Configuration.

Software & Dependency vulnerabilities are mitigated using controls around: manual auditing, peer review, automated checks and application penetration testing.

Infrastructure & Configuration vulnerabilities are mitigated using controls around: data loss prevention, configuration management, container scanning and infrastructure review.

Patches are deployed within 30 days.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Hosted environment protected with AWS Web Application Firewall and GuardDuty. All administrative activities and authentication attempts logged in independent store.
Incident management type: Supplier-defined controls
Incident management approach: Managed in accordance with our pre-defined and documented Security Incident Management procedure which ensures that all security incidents are reported promptly so that:

Any adverse effects can be minimised;
The root causes can be identified and corrective and preventive action taken to prevent future security incidents occurring;
Thrive and its employees comply with legal, customer and other third-party requirements with regards to information security, in particular the Data Protection Act 2018 and the General Data Protection Regulation (EU 2016/679).
Thrive can achieve the aims of its Information Security Policy.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Equal opportunity: Equal opportunity

At Thrive Learning we understand the need to be a good corporate citizen. We want to be a responsible business that meets the highest standards of ethics and professionalism.

Our company’s social responsibility falls under two categories: compliance and proactiveness. Compliance refers to our company’s commitment to legality and willingness to observe community values. Proactiveness is every initiative to promote human rights, help communities and protect our natural environment.

Legality
Our company will:
Respect the law
Honour internal policies
Ensure that all its business operations are legitimate
Keep every partnership and collaboration open and transparent

Business ethics
Our company will promote:
Safety and fair dealing
Respect toward the consumer
Anti-bribery and anti-corruption practices

Protecting people
Our company will ensure that we:
Don’t risk the health and safety of our employees and community.
Avoid harming the lives of local and indigenous people.
Support diversity and inclusion.

Human rights
Our company is dedicated to protecting human rights. We are a committed equal opportunity employer and will abide by all fair labour practices. We’ll ensure that our activities do not directly or indirectly violate human rights in any country.

Donations and aid
We regularly make donations to various local organisations. These donations aim to:
Advance the arts, education and community.
Alleviate those in need.

Preserving the environment
Apart from legal obligations, our company will proactively protect the environment and have a separate Environmental Policy that outlines our actions.

Learning
We will actively invest in R&D. We will be open to suggestions and listen carefully to ideas. Our company will try to continuously improve the way it operates.

Pricing

Price: £11,200 to £304,000 an instance
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: THRIVE can, upon request, provide access to a branded sandbox site.

This will include light branding (client colours and logo) and a basic, generic set of content. All features and functionality will be made available for testing.

The sandbox site can be made available for up to 14 days.

THRIVE - The Modern-Day LMS (Complete Learning & Skills Platform)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

THRIVE - The Modern-Day LMS (Complete Learning & Skills Platform)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents