PlanX

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: The range of services PlanX can support, and users experience depends on the availability of data (eg GIS data) for planning constraints.
System requirements: Any modern web browser (Chrome, Safari, Edge, Firefox, IE11+)

User support

Email or online ticketing support: Email or online ticketing
Support response times: Email support for admins only, reply within 24 hours. Urgent issues will usually be responded-to more quickly.
User can manage status and priority of support tickets: No
Phone support: No
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Every customer is assigned an account manager who can be contacted by admins at any time during business hours. We seek to respond to admins queries as quickly as possible, normally within 24 hours or less. Users and editors can report any issues via the public and editor interfaces 24/7.

Additional support services such as training, co-writing and planning information and data auditing are available for an additional cost (see pricing).
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We can provide:

- An onboarding checklist, listing everything you need to do to launch your service.
- Additional help and advice if needed during onboarding.
- Assistance adding content related to your Article 4 directions
- Basic training for officers
- Shared scenarios library for testing
Service documentation: Yes
Documentation formats: HTML

Other
Other documentation formats: Documentation is built into the interfaces

Video tutorials available for editors

Code repositories contain documentation for developers
End-of-contract data extraction: Admins will be able export all of the data relating to their Plan✕ services in a structured format (eg csv, json). In the case of data that is available but cannot yet be exported automatically, customers can request this data, and it will be made available to them for no charge.
End-of-contract process: A Council can request to terminate their Plan✕ subscription at any point in line with the termination terms, by notifying their Account Manager by email. They can extract any and all data available via the API, and request reasonable assistance in facilitating this.

Any additional assistance – for example, working with a team to help them set up a replacement service – will have a cost based on a reasonable day-rate, to be agreed at the time.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Public users will have the same experience on mobile and desktop.

Although the editor interface used by planning authorities will work on mobile device to some extent, but its design is not optimised for them. The editor interface is primarily designed for use on desktop devices.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: The main public interface is typical of many digital service interfaces, and uses patterns and components broadly in-line with those used on, for example GOV.UK, but themed with each council's visual identity. Users are asked a series of questions or for specific pieces of information. Their path through the service then depends on the information they provide. The interface is simple, legible, with help text available where users request it.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Service has been tested and audited May 2022, complies with WCAG 2.1 AA. However some non-essential components, specifically maps, may be difficult for some users with accessibility requirements
API: Yes
What users can and can't do using the API: PlanX has an API that allows users to:

– Access and interrogate the content and structure of digital services
– Request enquiry / application data from the database (if they have permission to do so)
API documentation: No
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: Customers can customise their PlanX channel with their brand colour and logo, to provide end users with a clear, seamless experience when navigating from and to other council web pages. You will also need to add a privacy notice and help / contact information for users.

You can also use your own council subdomains. eg planningservices.council.gov.uk

The content of all flows is controlled by editors within the PlanX editor. Editors can also pull-in flows that are written and maintained by others for use within their own flows.

Scaling

Independence of resources: Plan✕ procures hosting from AWS (or equivalent) which can scale in response to spikes in user demand.

Data (such as mapping or GIS) that is pulled in from third party sources will, as far as possible, be pulled in from sources that are also able to scale. In the even that demand spikes beyond the scaling capacity of these services, Plan✕ can continue to function independently without these services until demand normalises again.

Analytics

Service usage metrics: Yes
Metrics types: – Traffic
– User activity through flows (revealing, for example, the most common enquiry types, balance of responses, and revealing which areas of guidance / policy are proving to be key barriers to users)
Reporting types: Real-time dashboards

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Some documents and data will be available by means of an export button within the interface. Data can also be exported via the API, subject to permissions.

Any data that the user controls but that is not available for direct export can be requested.
Data export formats: CSV

Other
Other data export formats: JSON

PDF (in the case of documents)
Data import formats: CSV

Other
Other data import formats: PDF (in the case of documents)

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The services is currently hosted on AWS and therefore benefits from their availability (99.9% uptime) and resilience. In the unlikely event that the PlanX service should go down, our team will be alerted automatically (or by the customer) and seek to restore the service as quickly as possible.

No refunds are currently agreed in the event of service downtime as part of the SLA.
Approach to resilience: The weakest link in Plan✕ is where data is being pulled in from a customer or third party host (Ordnance Survey and Digital Land). These are separated, so Plan✕ is designed to continue to function without that third party data. Previous enquiries will remain stable.
Outage reporting: Customers will be notified of any planned outages by email in advance, and such outages will be timed to minimise disruption. In the event of any unplanned outage, the Customer will be informed as quickly as possible by email.

Identity and authentication

User authentication needed: Yes
User authentication: Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels: The Plan✕ editor uses role-based access control for admins and editors. Users will be authenticated using federated identities (e.g. Google or Microsoft vis OAuth 2.0 standard). Attempts to circumvent these restrictions (e.g. via the API) would return an error and the request will be logged.

Third party support channels used by OSL enforce industry standard authentication and require two-factor authentication whenever possible.

An access log is kept centrally, detailing permission levels. Management access by OSL staff is controlled by company Directors. Access to the servers is monitored using third party application services.
Access restriction testing frequency: At least every 6 months
Management access authentication: Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: The Plan✕ tech lead is tasked with ensuring OSL security policies are complied with.
Information security policies and processes: The CEO is a Director of OSL and is ultimately responsible for ensuring policies and processes are well-designed and followed. Directors receive a report from the Plan✕ tech lead at Board Meetings. OSL maintains a risk register and issue identification and escalation process. Company procedures are regularly reviewed to ensure best practice compliance.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Whenever possible OSL provisions and manages infrastructure with code using services (such as Terraform). Configurations are stored in a Git repository so we can track changes in version control. All code deployments must pass a suite of Continuous Integration Tests before going live. We tag each build as part of the deployment process.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: OSL uses an automated service to constantly monitor for threats and identify attacks immediately. Whenever possible we intend to keep all dependencies up to date using an automated service (such as Dependabot).
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: OSL uses monitoring tools to help identify potential compromises with reports on server activity and email alerts. All code deployments must pass a suite of Automated Tests before going live.
Incident management type: Supplier-defined controls
Incident management approach: A risk log is maintained and mitigation actions are captured. Incidents are checked against this log to ensure we are constantly learning to prevent reoccurence. Many incidents may be automatically detected and logged. Customers can report incidents via their Account Manager or through an issue report.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

PlanX does not yet use fully zero-carbon servers.

However, may make some positive impact in a much as the service itself will make it easier for users to understand and meet planning policies and legislation related to climate change.
Covid-19 recovery: Covid-19 recovery

Plan✕ allows councils to operate better self-serve services remotely, and makes it easier for householders and small businesses to embark on change and development projects. It has also been used to, for example, make it easier for small businesses to understand and navigate latest, up-to-date planning legislation measures related to the pandemic.
Tackling economic inequality: Tackling economic inequality

Plan✕ aims to have a direct impact in making it easier for those with less money and knowledge of the planning system to navigate it, levelling the field for small businesses and householders.
Equal opportunity: Equal opportunity

The purpose of Plan✕ is to make planning information more accessible and easier to understand for everyone.
Wellbeing: Wellbeing

Plan✕ only makes an indirect impact on wellbeing by making the planning system easier to navigate, especially for homeowners, community organisations and public organisations, it will make it easier for them to carry out development works that will significantly improve the wellbeing of those who use those buildings.

Pricing

Price: £10,000 to £20,000 an instance a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

PlanX

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents