IRIS SOFTWARE LIMITED

Every Compliance by IRIS

Every Compliance By IRIS is a cloud-based, modular compliance management system specifically designed for schools and trusts. From health and safety to managing policies, risks, assets and contracts, this flexible system allows school leaders to manage all aspects of compliance and maintain a school estate that supports great learning.

Features

  • Real time Compliance Reporting across multiple sites and Document Management
  • Manage IT and Premises issues across multiple sites
  • Trust Wide Activity management and reporting
  • Asset, IT, and inventory management
  • Incident management with trust wide reporting
  • School and Trust wide Project Management
  • School/Trust Wide Risk Management
  • Contract management
  • Live chat support with help desk ticketing and phone support
  • Mobile browser support and supported Android and iOS apps

Benefits

  • Effortlessly manage trust-wide compliance with simple, time-saving tools
  • Automated notifications prevent contract rollovers, ensuring compliance and efficiency
  • Easily log IT and Premises issues for effective issue management
  • Reduces the risk of future non-compliance
  • Grow your system limitlessly, no extra cost for unlimited users
  • Streamline compliance with document management and automated update notifications
  • Efficiently track incidents/accidents with dedicated school and Trust-level reporting
  • Enhanced capital planning through specialized modules for projects and conditions
  • Manage assets with integrated module, depreciation, and mobile app accessibility
  • Integrate suppliers for quotes and task assignments directly within Every

Pricing

£1,526.00 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BidTeam@iris.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

631589798045369

Contact

IRIS SOFTWARE LIMITED Bid Team
Telephone: 0344 225 1525
Email: BidTeam@iris.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Every HR by IRIS
Cloud deployment model
Private cloud
Service constraints
None
System requirements
  • Web Browser
  • Internet Connection
  • WiFi or Mobile service for Apps

User support

Email or online ticketing support
Email or online ticketing
Support response times
Ticket created within 20 seconds
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
N/A
Web chat accessibility testing
NONE
Onsite support
Yes, at extra cost
Support levels
Technical and product support is provided through online, live chat, telephone and email channels in the first instance.
Beyond that, we have Regional Consultants who will visit customers to provide elements of onsite support where needed, at no extra cost.
Should additional support be required then this will be escalated to the Technical team who will assess the resources required. We try to avoid charging the client where necessary.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Customers are allocated a unique Implementation Number and assigned a dedicated member of the Engagement team whose primary role is to guide the client through the setup and implementation of their software.
On introduction to the client software administrator, an online survey is sent, enabling the client to confirm their priorities and expected outcomes from the implementation.
A bespoke plan is then created setting out the optimal way of implementing the system for that customer to achieve their expectations.
The process is supported through phone calls, account reviews, webinars, training videos, screen share, project days, data uploads, onsite training, online training and user documentation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Most core data can be exported by users through the reports tools that extract the data into Microsoft Excel or Word formats. Images may also be downloaded. For additional data not available directly through the system we offer a data extraction service. This is offered at no cost in the first instance for simple extractions; for more complex extractions a fair charge is offered.
End-of-contract process
The platform allows data to be exported into CSV/Excel/Word format. At the end of the contract the client data remains subject to the robust back up regimes for a short period before being marked for deletion/anonymising/pseudonymising, in line with our commitment to comply with the GDPR.

Additionally required data (metadata) can be returned to the client within a set time period as defined in the Terms and Conditions.

In the first instance there are no charges for the return of data or switching off the service at the end of the contract; however, additional data may be charged at a fair rate where required.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile service provides a subset of functions, specific to tasks that would be performed and are acceptable to update via a mobile device.
The desktop (web-based) service provides more comprehensive functionality and reporting; however, the mobile service provides all the functionality required for the scenarios it is intended to be used for.
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
Users can link our system to their schools' Active Directories to import and manage user accounts automatically.
API documentation
Yes
API documentation formats
Other
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The system offers a range of customizable features tailored to individual customer preferences. These include personalized product branding options like logos and titles for pages and reports, as well as the ability to configure key data categories such as user groups, access levels, and data partitioning groups. Additionally, administrators can customize specific system notifications, such as email alerts.
All of these customization options are accessible to user administrators through the settings section of the system. Moreover, customers have the flexibility to fully customize their package by selecting the specific modules within Every Compliance that best suit their requirements, creating a tailored package that perfectly fits their needs.

Scaling

Independence of resources
The service is provided on load-balanced web servers, with regional failover.
The performance and infrastructure of the platform are monitored on a 24/7 basis. The infrastructure means that it is possible for more servers to be made available on demand, if required.

Analytics

Service usage metrics
Yes
Metrics types
We monitor system performance in terms of service uptime to the clients as well as page load and query return performance.
We also log interactions with records and records entered across the modules of the system, and these statistics are made available to the client users through their software in the form of charts, graphs and tables.
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users are able to export data through a variety of inbuilt reports in Word or Excel formats. More detailed exports can be requested and Every will endeavour to meet these requests in a timely manner.
Data export formats
  • CSV
  • Other
Other data export formats
  • Word
  • Excel
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Word

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Guaranteed availability is 99.5% annually. Actual achieved availability is at 99.99%.
Approach to resilience
The system is hosted within geographically redundant (UK) data centres, with separate, load-balanced web and database servers.
Redundant Internet links and network connectivity and a multi-DC provider strategy reduce the risk from data centre failure.
All local disk arrays are RAID10 for additional resilience and all hosts and core networking devices are dual powered. Our host data centres are supported by at least N+1 electrical infrastructure with at least dual geographically redundant network feeds. The hosts also maintain an ISO 27001 managed Business Continuity and Disaster Recovery plan at a corporate level that seeks to ensure the maximum availability and integrity of service delivery, support and communications.
Catastrophic failure should result in downtime of no longer than 30 minutes.
Outage reporting
Planned service outages are notified to customers at least two weeks in advance by both messages within the system and by email.
Unplanned or emergency outages are notified to the customer by email.

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access is limited to authorised personnel, as required solely to fulfil their role.
Customer permission must be given before any user data is accessed and all management interfaces and support channels are fully audited.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Security governance is driven from board level and is a fundamental part of all processes.
IRIS has a full suite of policies and procedures in place covering: Information Security, GDPR and Group Data Protection Policy, Acceptable Use, Stored Data, Access Control, Data in Transit, Physical Security, Disposal of stored data, Data classification and handling policy, Data Breach Policy, System protection, software development and testing. These are issued to, tracked and followed by all personnel.
Internal and external training is provided on an annual basis and reinforced quarterly.
Information security policies and processes
IRIS operates with a full suite of policies and procedures, including:
IRIS Group Data Protection Policy
IRIS Information Security and Acceptable Use Policies Summary
IRIS Data classification and handling policy
Personal data incidents reporting procedure
Engineering Personal Data Breach Policy.

Security governance is driven from board level and is a fundamental part of all processes. We comply with Cyber Security Essentials.
There are policies and procedures in place covering: Information Security, GDPR, Acceptable Use, Stored Data, Access Control, Data in Transit, Physical Security, Disposal of stored data, System protection, software development and testing. These are issued to, tracked and followed by all personnel.
Internal and external training is provided on an annual basis and reinforced quarterly.

These are issued to all staff (for Software Development policies - only to those staff they apply to) and an audited process is followed to ensure that the staff members have read, understood and had the chance to ask any questions. Internal and external training is provided on an annual basis and reinforced quarterly.
Managers are given additional training and monitor staff for compliance.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are tracked and monitored through the development / release cycle. All components are unit tested, manual tested and release tested prior to release. Regular automated penetration tests are run on test servers with release code, prior to release.
Tracking is recorded and monitored through project and issue management tools.
All component changes go through a formal process of scoping, specification, implementation, regression testing and release.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow the OWASP guidelines including security testing on our product for the OWASP Top 10 vulnerabilities.
In addition to our development procedures, the application is automatically penetration tested using software penetration testing tools at each major release. It is also penetration tested annually using a CREST accredited security company.
Our hosting environment is penetration tested on a monthly basis.
Patches are generally deployed immediately after they are approved for release, or as soon as practicable (after they are approved for release) in other cases.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Protective monitoring is provided covering both hardware/software failure and system attack/compromise.
Intrusion detection systems monitor system changes, as well as providing a comprehensive audit trail of changes.
Additionally, the system and applications are monitored live for availability and/or failures.
Audit trails and monitoring tools are used to identify issues or potential compromises.
Notifications are provided to key members of staff and prioritised accordingly. Target incident response time is immediate or as close to as possible.
Incident management type
Supplier-defined controls
Incident management approach
The incident management process is defined formally in the Information Security policy.
Users report incidents or suspected incidents to the internal service desk and these are then reviewed by one of the information security team. All calls, emails or live chat records are logged and tracked until closure.
Tickets are dealt with or escalated to the appropriate level (including board level) as appropriate.
In the case of major incidents a major incident report will be produced. For minor or non-incidents, feedback will be given to the users directly.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

  • Equal opportunity
  • Wellbeing

Equal opportunity

We are committed to ensuring equal opportunities at IRIS. Our CEO, Elona Mortimer-Zhika, celebrates diversity in our workplace and expects the culture and environment of IRIS to be based on mutual respect and free from discrimination. We are committed to delivering a competitive and fair employment environment. We put equality, diversity, and inclusion at the forefront of our decisions, monitor progress, take action to continually improve, and be transparent with our findings. We have a zero-tolerance approach to discrimination based on protected characteristics and any allegations of discrimination will be dealt with in line with our Disciplinary policies. We have several wellbeing groups, including Unique which provides support for physical or mental health conditions or neurodivergent people. We provide a variety of training schemes to all employees, regardless of any protected characteristic, and encourage progression through our organisation.

We are passionate about gender equality and are committed to building a diverse workforce. We have continued to invest in our range of programmes to support gender equality and support the women of IRIS so they can reach their full potential. These initiatives ensure that we continue to focus on making IRIS a great place to work, enabling our people to flourish, improving gender pay equality and providing equal opportunity for all. IRIS Group's championing of women in leadership has been recognised as a Great Place to Work for Women. The executive team comprises three female leaders and 11 male leaders.
Our Modern Slavery Policy sets out the ways in which we identify and manage the risks of modern slavery as a business, including risk assessment, risk mitigation and staff training. IRIS reviews all material suppliers and assesses whether any risks of slavery or human trafficking arise.

Wellbeing

We are committed to engaging, supporting and empowering our workforce. We create an environment where they feel part of a team, from regular global company updates to social evenings and charity events. We’re a UK Best Workplaces™ for Wellbeing. We have over 40 Mental Health First Aiders, have a weekly workplace support group and offer a free Employee Assistance Programme and bereavement counselling. We have several wellbeing groups and celebrate diversity. We offer colleagues a cycle scheme, private medical insurance and reduced gym memberships. We hold company fitness challenges and provide free fitness sessions. We’re proud to be a Real Living Wage employer, provide UK cost of living support, offer a tech and car scheme and give access to money coaches, workplace ISAs and pension, life assurance and critical illness cover. We seek our employees' feedback on benefits that matter to them.
We give our employees three ‘Giving Back’ days a year on top of their annual holiday entitlement to support local community and national charitable causes. Employees are encouraged to actively give their time and skills to fundraise for a charity of their choice and volunteer on community projects, including being a school governor, charity trustee, reading with school children through the Benchmark scheme, mentoring in schools and running money management courses, both externally in conjunction with charities and schools, as well as internally with IRIS employees.

Pricing

Price
£1,526.00 a licence a year
Discount for educational organisations
Yes
Free trial available
No
