VIRTUAL MAIL ROOM LIMITED

Hybrid Mail

Provision of Hybrid Mail (Click, Print, Post Solution), including SMS, email communications and secure web-based communication.

Features

• 24/7 Processing
• Mail Merge
• Return to Sender Reporting
• All postal classes
• Multi delivery medium e.g. Post, SMS, Email, Fax
• Legacy system support
• Robust Data Protection
• Greater mailing efficiency/turn around times
• Bespoke Solutions e.g. Integrations and Support
• Thin Client Support

Benefits

• Centralised Forms
• Full Audit Trail
• Value for Money e.g. reduction in mailing costs
• Greater sustainability
• Brand Consistency
• Flexible Solutions to meet demands
• Safe and Secure in line with GDPR

£0.71 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tmoloney@vmailroom.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

650195729818269

Contact

Tina Moloney
07557908576
tmoloney@vmailroom.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: MS Office; NEC/Northgate; Capita/Academy; Civica
• Cloud deployment model: Public cloud
• Service constraints: Our service is fully accessible via a browser, and has minimum planned maintenance e.g. updates; which occur outside of core working hours.
• System requirements:
  • Access to a web browser
  • Automated data transfer capability

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We will initially respond within 2 hours
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: As standard and for no extra costs, all clients have a nominated Account Manager who provides support with setup/implementation and then ongoing delivery and technical queries thereafter. ; ; The Account Manager is supported by a technical team (including an external cloud support engineer) who are available to undertake any technical tasks following escalation.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: When starting services, all users are provided with virtual training by a VMR Account Manager on how to use the system, along with our User Guide.; ; The User Guide provides step by step processes and diagrams to support with the system installation, login and service delivery. This includes detailed and chronological processes for document setup, application of the various options available (e.g. references, fonts, mail merge etc) and document submission. As well as for the upload of forms and creation of templates within the system.; ; Thereafter, support is provided by a VMR Account Manager.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Following the end of a contract and upon request by the user (via phone or email), the Virtual Mail Room Account Manager exports all requested data from the system within a XML or MS Excel/.CSV format.
• End-of-contract process: All requested client data is provided within a XML or MS Excel/.CSV format following contract completion. This is provided free of charge. Following completion of a contract, the user will also determine how long the data retention period should be.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile application is limited to reporting, and does not enable full service and upload of documentation. Unlike the desktop version which provides the full end to end service.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Through APIs users can submit transactions to process and retrieve status reports. APIs are a separate setup with different security credentials and will need setting up by appropriately skilled personnel.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Distributed back end processing units are monitored 24/7 for loading and elastic resource is provided.

Analytics

• Service usage metrics: Yes
• Metrics types: Service Activity; Service Performance against KPIs/SLAs
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Secure download links are provided by the Virtual Mail Room Account Manager, which enables Users to export their data.
• Data export formats:
  • CSV
  • Other
• Other data export formats: XML
• Data import formats:
  • CSV
  • Other
• Other data import formats: PDF

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: VMR implements two key Service Level Agreements, for our services:; ; 1) Access to our service is maintained at 99.9%.; ; 2) All data received before midday is printed and posted by the end of the next working day; with electronic messaging sent within 2 hours of receipt (first attempt). ; ; Internal dashboards and alarms monitor our SLAs. If SLAs are not met, this is escalated internally, users are notified and service credits are issued.; ; For all postal items- a 50% refund will be applied for failing the SLA by 1 working day, and 100% refund will be applied for failing the SLA by 2 working days or more. ; ; For electronic items failing by 1 hour, a 50% refund will be applied, and for items failing to be sent within 3 hours or more a 100% refund will be applied.; ; If our service availability drops below 99.9%, we will refund £10 for every 24 hours
• Approach to resilience: Both the front and back end of the service have been developed to run as distributed services using multiple layers of resource. We use best practices and contracted services provided by AWS and AZURE to ensure resilience at both datacentre and location independence.; Back end processing (in the physical world) is supported with 3 UK sites – and switch over between these sites is manually controlled. ; ; All servers and services are mirrored and are backed up daily to the cloud, and all data is encrypted.; ; VMR runs numerous commercially available defensive and protective services to ensure robustness within its networks. These are monitored 24/7 with defined escalation procedures in place. Networks are protected by external and internal firewalls and Group Policy Objects. These policies are reviewed frequently and controlled at Director level.; ; Removable media cannot be connected to the internal network as it is cloud-based. ; ; Access to PCs, laptop computers and to the computer network is by password. Only authorised staff have external access to the network via a secure RDS gateway and MFA.
• Outage reporting: For service outages, all users will receive an email alert.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Amazon Cognito is implemented which ensures strong password/IP restrictions and the ongoing monitoring and reporting of suspicious login activity.; ; Furthermore, all users can only access our service via a unique login and password.; ; All access is regularly monitored by our third party IT supplier.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Username or password
  • Other
• Description of management access authentication: Not granted. Management access requires Director level approval after the request has been vetted against our ISO27001 policy. A register is kept and reviewed monthly.; ; Once granted, access is authenticated via a username and login.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: UKAS Management Systems
• ISO/IEC 27001 accreditation date: 15/12/2013
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Virtual Mail Room have developed and implemented the following policies:; ; Acceptable Use Policy,; Access Control Policy,; Account Administration Policy,; Back Up Policy,; Business Continuity Policy,; Change Control Policy,; Clear Desk Policy,; Code of Conduct Policy,; Data Breach Procedures,; Disciplinary Policy and Procedure,; Encryption Policy,; Information Classification Policy,; Internet and Social Media Policy,; Password Management Policy,; Records and Information Policy,; Supplier Management Policy,; Visitor Security Policy,; ; All policies are taught on induction to ensure comprehension and we ensure policies are followed through the implementation of our quality assurance programme which comprises spot checks and formal audits undertaken by our Director.; ; All quality assurance data is reviewed to identify the root cause of any issues, and solutions developed to ensure compliance, high quality and continual improvement. ; ; If an information security incident occurs, the customer and/or Account Manager will report to our Director who will then liaise with our information security team to develop and implement appropriate solutions.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Effective configuration management forms part of our ISO 9001 and ISO 27001 accredited policies. It ensures that all configurable service components are tracked through their lifetime, with changes assessed for potential business and security impact. ; ; Ensuring this, upon identification all change requests are categorised and submitted to our head of IT, who then undertakes an impact assessment against security implication, best practice, and feasibility. ; ; Following, the results of the assessment are discussed with the Director, suitable mitigations implemented (where required) and if the risk is acceptable, changes are made, tested, verified against requirement and documented within our configuration management database
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: In line with ISO27001, our Head of IT undertakes regular vulnerability assessments to define, identify, classify, prioritise vulnerabilities within our operating system, network, IT security policies/processes. This is supported by scans via installed software.; ; Following each assessment/scan, a report is produced detailing any present vulnerabilities/security risks, and risk mitigating solutions/actions e.g. installation of new software, deploying of patches etc. These solutions are immediately implemented by the Director. In addition to the vulnerability assessments, the Head of IT will also undertake regular penetration testing and run regular scans using our antivirus software; ensuring a wealth of accurate data on potential threats.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The VMR Head of IT utilises our antivirus software and undertakes regular full system scans to proactively identify potential compromises. The Head of IT also undertakes regular vulnerability assessments and penetration tests (VAPT) of our system to identify any further compromise.; ; Following an antivirus scan and/or VAPT, if a potential compromise is identified the Head of IT responds immediately. They will develop action plans, which outline the ways to prevent the potential compromise being realised e.g. update in policy, patch deployment and/or new software. The action plan is discussed with the Director, ensuring lessons-learned.; ; All incidents are responded to immediately.
• Incident management type: Supplier-defined controls
• Incident management approach: Within our ISO27001 accreditation, we have a documented/pre-defined process for common incidents, outlined within our Incident Response Plan. This details how all staff and users are responsible for reporting any suspicious activity and/or incidents to our Head of IT, within our internal ticketing system with follow up to Director level. ; ; Following identification, incidents are contained by the Head of IT who implements action plans, isolates logs, switches off processing and effected desktop applications. Following issue eradication, systems are recovered and an incident report produced detailing the incident, root cause and solution.; ; This report is discussed with Director, ensuring lessons learned.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity

  Fighting climate change

  Our Hybrid Mail solutions supports the delivery of sustainability goals by generating carbon efficiencies through digital management, bulk printing and delivery.

  Tackling economic inequality

  Future contracts awarded through G-Cloud will support our ongoing local recruitment, including apprentices and for those NEET.

  Equal opportunity

  Through the delivery of this framework, Virtual Mail Room will continue to operate in full compliance with the Equality Act 2010. All personnel will continue to have a professional development plan, and opportunities for growth within the business.

Pricing

• Price: £0.71 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tmoloney@vmailroom.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.