CTRL HUB LIMITED

Ctrl Hub

Ctrl Hub is an easy-to-use cloud software application for managing compliance, competency, and risk across your business. It generates efficiencies in the field and the office, reducing risk exposure and increasing data quality. Our mission is to ensure your people get home safely at the end of each day.

Features

• Live compliance risk status across all people & projects
• Field data capture using custom forms and workflows
• Asset and personnel competence status
• Fleet and equipment compliance management
• Project Governance - field access to documentation and work allocation
• Workforce management
• Real-time dashboards
• Cloud application available on any online device
• API and CSV data access for reporting and analysis

Benefits

• A cloud-based solution designed to digitise your operations
• Custom forms and workflows built to your business requirements
• Confidence that all works and resources are competent and compliant
• Cost effective solution to generate a significant return on investment
• Version controlled document management with audit trail
• Visibility of your people’s roles, responsibilities, performance and certificates
• Visibility of certifications and allocations for your assets
• Requirement Matrices allow training requirements to be identified and managed
• Access to project documentation from your worksites
• Evidence of certifications at the click of a button

£15 a user a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark@ctrl-hub.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

670706135994472

Contact

Mark Lisgo
07770339900
mark@ctrl-hub.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: There are no constraints. Our service is a SAAS (Software as a Service) offering.
• System requirements:
  • Internet browser
  • Internet connection from users' devices

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support requests are acknowledged within the working day (Monday to Friday).
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide a full support service from implementation to BAU (business as usual). We will guide and advise you on setting up your Ctrl Hub system as well as providing ongoing support for any questions you or your users have whilst using the system.; ; After initial onboarding and go-live, the same team will continue to manage your account on a day to day basis so we can provide prompt responses to your support requests, whether they be bug reports, feature requests or user training requests.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As part of the onboarding process we provide handholding to populate data, review requirements and develop configured form templates, and up to 8 hours of training, with the option to purchase additional time as required. We also provide a free online Help Centre.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Word / Google Docs
  • PowerPoint / Google Slides
  • Excel / Google Sheets
  • Online Help Desk
• End-of-contract data extraction: Data can be exported to CSV and / or PDF. These can be generated via API calls. Our standard terms and conditions address the provision of customer data at the end of the contract’s stated term.
• End-of-contract process: Upon termination of the contract, Ctrl Hub will provide the customer with all customer data upon written request from the customer. The licence will terminate and the customer will no longer be able to access the Ctrl Hub platform.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The service is the same whether accessed via a mobile or desktop device. The UI (User Interface) favours desktop and mobile tablet devices, over mobile phones, however there is no difference in the feature set between device types.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: We have an API (Application Programming Interface) covering the entities within our application.
• Accessibility standards: None or don’t know
• Description of accessibility: There are two interfaces - (1) via an API and (2) a client dashboard.; ; The API is RESTful which allows authenticated requests to perform operations on the underlying data and system. It is a secure and authenticated endpoint with the privileges which are assigned to the token. The API is versioned appropriately to the functionality.; ; The dashboard is also authenticated and uses the same permissions system as the API.
• Accessibility testing: None
• API: Yes
• What users can and can't do using the API: The API offers the same functionality as the UI. It allows users to control the data in their system and the configuration of the features as required by the user.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Data Capture Forms; (1) Fully configurable form content and layout, (2) Custom workflow, steps and transitions; ; Other customisable system areas include: (3) Dashboard widget content, (4) Document storage folder structure, (5) Personnel statuses, occupations, conditions and teams, (6) Project, Site and Task statuses and types, (7) Vehicle and Equipment categories, statuses, makes, models and owners, (8) Qualification and Certification types, renewal periods and providers, (9) Custom requirement matrices allowing configuration of dedicated training plans and learning pathways for personnel, and certification matrices for assets.; ; Access to make customisations is managed through roles and permissions. All customisations are made through your own ctrl-hub web application.

Scaling

• Independence of resources: Auto-scaling is enabled to respond to user demand and infrastructure is isolated and segmented.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Front end tools are available to export data to CSV files and / or PDF where applicable.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our SLA provides a 99.9% uptime guarantee. In more than seven years of trading, we have never fallen below this threshold on a monthly basis. We monitor availability using Pingdom. If our performance falls below the SLA level, we offer a sliding scale of refund linked to the actual availability of the platform. This would be refunded from the following month’s subscription invoice.
• Approach to resilience: We use cloud infrastructure, based in London, to provide our core infrastructure. We run kubernetes across multiple zones in the region which provides geographic resiliency. Our workloads run on at least two instances to provide redundancy in different zones. We also utilise autoscaling to provide enough resources to meet the demands of transient traffic changes.
• Outage reporting: We report outages via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Support is managed via email, so a manual verification of the sender is performed against known, registered users. Where we receive a request for support from an unknown source, this is verified with the respective customer contact before proceeding.; ; There are no management interfaces that grant us privileged access to the system, we use the same string security methods which we provide to our customers by default.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau / UKAS
• ISO/IEC 27001 accreditation date: 18 May 2018 and re-certified on an annual basis since then
• What the ISO/IEC 27001 doesn’t cover: Our ISO 27001 certification has no exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Ctrl Hub is ISO 27001 certified and has been since May 2018. Information security is reviewed on an ongoing basis and our platform has software monitoring services built in. Information security is reviewed on a monthly basis. The company’s MD (Managing Director) is the designated individual responsible for information security.; ; All of Ctrl Hub’s operational data (held in the operational database) is encrypted to AES-256 encryption standards. We maintain strong referential integrity within the operational database, including proper referential cascading and indexing.; ; Ctrl Hub uses Probely to penetration test our system. This tests a wide range of attack vectors. We can provide a penetration test and associated report upon the provision and implementation of Ctrl Hub and it’s associated infrastructure for the client.; ; Ctrl Hub’s disaster recovery testing procedures are inline with our ISO27001 management system policies. These briefly include ad-hoc termination of instances and triggering of failover processes between compute / data replicas in the various physical locations.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The company has a formal change control procedure using SCM technologies. In conjunction with this the company utilises GitHub software to monitor development progress.; ; The company has a standalone Project Security Policy which governs how configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We carry out weekly penetration tests using Probely. We also employ a range of monitoring software to our platform, such as Falco (CNCF) and Grafana. Any other threats would be raised in the weekly management meeting and addressed as such.; ; For patch deployment we operate on a Hotfix basis, deploying extremely fast turnaround fixes. Depending on the issue, these fixes are deployed without causing downtime.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Because we have a containerised workload, our applications deploy in read only mode. That limits the potential attack surface. Any attempts within the cluster to gain privileged access are reported through Falco. Because we use the public cloud and rely on the vendor to manage the underlying node infrastructure, there is no requirement to check for malware within the stack.; ; Responding to an incident where access has been made possible would involve shutting down the affected workload and starting the audit process.; ; Incidents are reported in real time and actioned immediately.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Responding to an incident where access has been made possible would involve shutting down the affected workload and starting the audit process.; ; Incidents are reported in real time and actioned immediately.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Our cloud application and digitised workflows reduce the travel miles needed to manage site and fields operations by providing real time status information to any online device, so reducing the need to be on site.

Pricing

• Price: £15 a user a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We provide access to trial our application for a defined period, usually a maximum of 2 weeks.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark@ctrl-hub.com. Tell them what format you need. It will help if you say what assistive technology you use.