SUSTAIN IQ LTD

SustainIQ

SustainIQ is an ESG/Sustainability reporting software solution that simplifies how organisations capture data, analyse their impacts and report across a range of different reporting frameworks. SustainIQ provides ESG/Sustainability data capture, analytics and reporting for the whole organisation, including all assets, capital projects and social or environmental programmes.

Features

  • Easy to use tool with 4 pillar approach to ESG
  • Data input via manual entry, upload, QR code and API
  • Reporting Dashboard for forensic analysis across organisation, site, programme etc
  • Reporting metrics that can be aligned to any framework
  • Stringent data security and user management protocols
  • Socio Economic impacts of supply chain and materials
  • Carbon and GHG impacts
  • Environmental Management to include waste, water, energy and biodiversity
  • Social value impacts within your own organisation
  • Social value impacts to include the wider community

Benefits

  • Aggregate data across all ESG/Sustainability data collection points
  • Provides consistent data collection methods
  • Assured and automated impact measurement and calculation methodology
  • Holistic view of impacts across assets, capital projects and programmes
  • Compliance with social value model
  • Provides full transparency for stakeholders
  • Reduces risk of non-compliance and greenwashing
  • Increased efficiency of ESG/Sustainability reporting process
  • Report on a range of approved metrics and frameworks
  • Customised reports and infographics at the touch of a button

Pricing

£15,000 to £50,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at maria@sustainiq.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

622401661705409

Contact

SUSTAIN IQ LTD Maria Diffley
Telephone: 07754099958
Email: maria@sustainiq.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Open API
Cloud deployment model
Private cloud
Service constraints
No. We use a deployment tool for updates with no downtime, maintenance requirements are low, minimal downtime
System requirements
  • Subscriptions to the service are required for access
  • Suggested browser: Google Chrome (optimal performance on this browser)

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide email support. Response times are within 30 minutes for most queries, dependent upon availability, for Medium-level tickets; Low-level tickets may be up to 1 hour, and Critical tickets are within 15 minutes. All tickets are reviewed and classified for priority before review, and responses are sent detailing the action to be taken and providing estimated timelines.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support engages the client via the Technical Lead and/or Account Manager. Support is offered on the same tier to all clients, using an internal support level status against all bug reports. Critical bugs are those which affect the system in a manner which disrupts service, High being disruptive tickets that do not restrict system usage, Normal being general bugs which do not affect system performance or usage, and Low being minor display or formatting issues. Issues presented are classified and, dependent upon status, assigned within the period of time set against the SLA. Fixes are checked locally and tested before being moved to production, with confirmation responses sent to the reporter. SLA response times are noted as: Urgent response 15 mins / Complete 8 hours, High response 30 mins / Complete 24 hours, Medium response 60 mins / Complete 48 hours, Low is dependent upon the request. An outline of a typical support package is included in the pricing document along with extra development costs.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
SustainIQ have a “one step at a time” implementation plan to ensure clients do not get overwhelmed with the onboarding process.

1. Deliver a demonstration and wireframes to senior management to showcase the capabilities of a SustainIQ solution.
2. Convene internal SustainIQ champion network – should represent different departments and have adequate knowledge of existing systems/data collection methods and the power to push the implementation in their departments.
3. SustainIQ Champion Network, Senior Management, Procurement department and SustainIQ implementation team agree scope in a phased approach alongside agreed timelines and clear lines of responsibility across relevant departments to meet milestones in order to deliver an on-time go-live date.
4. Communicate to all staff the importance of a system to measure, monitor and report on the sustainability impacts, to include the scope of that reporting across the estate, programmes and capital projects to begin with.
5. Deliver training both onsite and online and provide all users with access to training videos and user documentation.
6. Meet with relevant IT experts, agree process for migration of baseline data if available, and for important integrations. SustainIQ tech team work on scheduled development from agreed scope with an agreed testing period before go live.
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats
  • Doc
  • Docx
End-of-contract data extraction
Users can request that their data be provided to them, this must be provided within 28 days of the contract end, and in written format. The execution of the action will be undertaken by a Database Admin, and exported to CSV format documents, which will be bundled and provided to the requester.
End-of-contract process
System access is terminated for all users after expiry of the contract period, data will be retained for a period of 28 days, after which it will be removed from the system. If an extension is agreed, then access will be restored, or if a request to extend data storage is requested, then data will be retained for the agreed period of time.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Minimal difference between web and mobile, same functionality provided on both, only significant difference is the display method, flexible views for different screen sizes.
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
The API is the backend of the web application, servicing a Single Page Application. It uses OAuth login and a token-based authenticator, and provides all data calls associated with the web application, none of which interact with any third party. The API handles all data storing, data retrieval, reporting, and data object responses. Further expansion of the API will provide data pushes on request to some client platforms, available only to registered or subscribed companies; to use this, an account will be added with only the required rights for access, and the token to interact with the API and underlying data. Users cannot make changes to the API; instead, requests can be made to expand, enhance, or add functionality as required. Users are also unable to set up their own access: as the API serves the main web application, it is solely a service for providing web application functionality.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
Some sections of the web application allow for the selection of specific metrics, changing of names/logos used within the web app within their company profile, and turning sections on/off as required; infographics can be customised for export. Only users with the specified privileges (company admin level) can modify these sections. If any new feature or enhancement to current functionality is required then a cost will be incurred; this cost will be dependent upon the complexity (High to Low) and/or availability (single-use customer, or applicable to all) of the request.

Scaling

Independence of resources
Continuous monitoring of the web server loads, including warnings for peak periods, continuous periods of strain on the webserver leads to an increase in resources to ensure uptime is maintained. Operate on a Private Virtual Server rather than shared service which significantly reduces any potential downtime due to other instances failing.

Analytics

Service usage metrics
Yes
Metrics types
Currently we offer the ability for companies to monitor their employees' (web app users') engagement with the web application to ensure usage, and error rates. Usage metrics will be included for section usage, errors/exceptions, user counts, device metrics.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Either export document view via reporting forms within their own portal view, or a SustainIQ admin can assist via our management portal.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • JPEG
  • PNG
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Aim to achieve uptime of 99%, with uptime monitors in place running 24/7, reporting potential issues or risks to this. RPO and RTO requirements outlined. DR Plan with specifics on RPO and RTO: if fail to node, return to service within 15 minutes on a new node, with full data recovery; dependent upon size of restoration, this can be up to 24 hours.
SLA Ref 11.1 The Website and the Services are provided “as is” and on an “as available” basis. SustainIQ gives no warranty that the Website or the Services will be free of defects and/or faults. To the maximum extent permitted by law SustainIQ provides no warranties (express or implied) of fitness for a particular purpose, accuracy of information, compatibility and satisfactory quality. 11.2 SustainIQ accepts no liability for any disruption or non-availability of the Website or the Services resulting from external causes including, but not limited to, ISP equipment failure, host equipment failure, communications network failure, power failure, natural events, acts of war or legal restrictions and censorship.
Approach to resilience
24/7 Monitoring for uptime and resources.
Outage reporting
Any outages are reported to the user via email alert.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Restricted management sections of the web application are protected from access by locking to a specific user role type, specific domain lookup, and username/password login requirements.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We are working towards the implementation of a standard such as ISO27001 but are not currently certified. A risk-based approach to security is maintained to facilitate informed decision-making processes and initiatives, primarily those concerned with the prevention of risks by identifying them and reducing impacts, detecting issues before damage occurs, recovery and repair after an incident, awareness among users and staff alike of security policies and issues, and adherence to security policies in line with legislation.
Information security policies and processes
The following policies are in place: Acceptable Use, Password Creation, Password Management, Clean Desk Policy, Information Access.
The Director of Operations is responsible for Organisational and HR Policies; reporting of policies ensues from this Director to Line Managers across the business. In turn, the line manager of each individual employee is responsible for providing an overview and sign-off of these policies during induction (or, if/when amendments to policies are made, line managers include them in staff updates). This ensures understanding and promotes adherence to policy enforcement.
Breaches of policy are reported back to the Director of Operations for review, who can then put remedial steps in place, including further training or disciplinary notices where appropriate. The management team are responsible for the enforcement of specific policies including Password Creation, and management reviews are undertaken on a quarterly cycle to ensure team members understand and commit to adherence; this also allows for further updating and circulation as required.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are requested by a party within the web application user base, and tickets are logged to our ticket tracking system. The Tech Lead reviews the ticket, builds a full requirements specification and moves it to the next scheduled sprint for development. The Tech Lead also considers whether the change requires a third-party integration or new library, determines if there is potential risk, categorises it and rejects it if high. Tickets are tracked until closure through Development, QA, and Production phases. The ticket is closed, the requester is notified of the update, and the release build is encapsulated as a package. Repository management is linked to ensure tickets and releases are matched.
Vulnerability management type
Undisclosed
Vulnerability management approach
Web application penetration testing undertaken by third-party security specialist company, development processes adhere to the OWASP Top 10 web application vulnerability list, ensuring that developed functionality correctly addresses known issues before test. Includes brute force with account locking, XSS, CSRF, Password management. Pen testing annually undertaken, reporting presented for unknown fixes before retest. Vulnerability list reviewed 6 monthly for new vulnerabilities, or potential risks to included plugins or libraries.
Protective monitoring type
Undisclosed
Protective monitoring approach
24/7 uptime monitoring. 24/7 resource level monitoring. Monitoring of server access, attacks, resources, and user access. Alerts are in place for attempts to access the server; notifications are sent to the Sysadmin, who notifies the management team. Alerts for potential attacks follow the same process, with blacklisting of the IP. Alerts for user access compromises go to the Sysadmin, who will block access, change passwords, and close off potential vulnerabilities. The aim is to respond within 30 minutes with a fix, 15 minutes with the reported incident to affected parties, and 5 minutes internally with the incident and plan.
Incident management type
Undisclosed
Incident management approach
Aligned to the ICO processes and procedures. Users report incidents via call or email to the Account Management team, including all details, and investigation commences alongside the Sysadmin (if required). The cause is determined, and fixes or patches are put into place, tested and deployed before a confirmation notification is sent to the user. The process is tracked and documented. Fault reports are available upon request for every incident.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

SustainIQ aims to influence staff, suppliers, customers and communities through the delivery of the contract to support environmental protection and improvement, by ensuring that the parties using our software are able to benchmark their own performance and set goals, and we can help them track their progress.
SustainIQ also aims to deliver additional environmental benefits in the performance of the contract, including working towards net zero greenhouse gas emissions in terms of our own ability to work towards providing net zero operations by measuring, monitoring and reporting on our own Scope 1, 2 & 3 emissions. Through our work with our charity partner Solar Aid we aim to offset any carbon associated with the hosting of data on our secure servers.
Covid-19 recovery

SustainIQ has supported our clients to manage the impact of COVID-19 and support the physical & mental health of people affected by COVID-19, by providing safer new ways of capturing data with fewer touch points, such as QR codes. This ensures that our clients can continue to comply with their contractual and legislative requirements to report on the environmental, economic and social value of the projects they are working on, while also ensuring that we were capturing up-to-date information on who was entering the workplace and the immediate state of their wellbeing on site. This ensures that our clients can respond with programmes to support staff back to healthier work environments, and we then measure the response of staff to these measures through qualitative analysis. Amongst our own staff we have implemented improvements to workplace conditions that support the COVID-19 recovery effort, including effective social distancing, remote working & sustainable travel solutions. We have also provided cash health plans for staff, providing all staff with 24/7 access to GP hotlines and mental health counselling services. As the world has started to open up we have engaged our staff to put a programme of staff engagement in place to tackle loneliness and isolation in the workforce.
Tackling economic inequality

SustainIQ supports innovation and disruptive technologies throughout the supply chain to deliver the development of scalable and future-proofed new methods to modernise delivery and increase productivity. We look for collaboration opportunities throughout the supply chain to ensure we can integrate with other systems, share data and automate, or make the process of project delivery as seamless as possible for all partners involved in project delivery.
Wellbeing

SustainIQ has the ability to gather quantitative and qualitative data from staff, suppliers, customers and communities throughout the delivery of the contract to support health and wellbeing, and to ensure delivery of community projects that are most needed and that impacts are measured to ensure strong integrated communities.

Pricing

Price
£15,000 to £50,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No
