Ciptex

One Payment Cloud - Contact Centre Payment Processing

One Payment Cloud is a suite of card payment solutions for both voice and digital interactions which prevent card data from entering a client’s environment (including home workers). This removes the risk of card data breach and greatly reduces the cost of attaining and maintaining PCI compliance.

Features

  • DTMF Payment Processing
  • Digital Links Payment Processing
  • Compliance-as-a-service
  • B2C Compliant remote payments

Benefits

  • Take secure, assisted telephony payments
  • Take secure, unassisted telephony payments
  • Send a secure payment link via SMS, email
  • Provide PCI compliance-as-a-service and meet the PCI standard
  • Telephone IVR Automated Payments Service
  • Add Payment Service to Twilio Flex RACE (Add-on)

Pricing

£0.20 to £0.50 a transaction

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jolyon.parsons@ciptex.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

672897802650481

Contact

Ciptex Jolyon Parsons
Telephone: 0345 880 0808
Email: jolyon.parsons@ciptex.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
We provide a number of services under the One Payment Cloud brand, which can be taken as a standalone service, or as part of our Twilio RACE service. The individual services can be combined as part of an overall solution.

DTMF Payment Processing
Digital Links Payment Processing
Compliance-as-a-service
Twilio RACE
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
We carry out planned maintenance but provide 48 hours' notice. For any emergency maintenance, we will provide as much notice as possible; however, this is on a best-endeavours basis. Refer to the Service Level Agreement for specific terms.
System requirements
  • Stable Internet Connection (for supporting voice calls)
  • VT - Computer must meet minimum specifications for OS
  • VT - Browser must be a stable release
  • VT - Javascript must be enabled
  • VT - localstorage must be enabled
  • VT - Security protocol newer than TLS 1.1

User support

Email or online ticketing support
Email or online ticketing
Support response times
Lead times are dependent on the priority of the issue, and are consistently available 24x7 (dependent on service times). Our response time SLA for priority issues is a maximum of 1 hour.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Ciptex Support Webchat powered by Ciptex RACE has been tested with a number of screen readers and other assistive technologies and is in use by several charities providing services to those requiring Assistive Technologies
Onsite support
Yes, at extra cost
Support levels
We offer different levels of support, dependent on a client's needs. The cost of support provided is dependent on the solution provided, and the level of support needed. Our service desk is manned by a team of cloud support engineers who handle the queries.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide online training materials, how-to videos and tutorials for all elements of the service. All One Payment Cloud deployments also come with a 3-hour train-the-trainer session included for Agent, Supervisor and Administration roles.

Extra training including optional on-site is also available.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Transactional Logs, CDRs and Customer Payment Data can be provided in CSV Format as required by our Team.
End-of-contract process
Clients that wish to cancel/terminate their One Payment Cloud service are obliged to provide a minimum 1-month advance notice of cancellation, to ensure cancellation occurs at the contract termination date, unless a future cancellation date is pre-agreed. A final bill for transaction charges will be sent in the subsequent month following service cancellation.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Chrome
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Depending on the services taken, the service can be consumed fully through the browser, and in some cases, on a mobile device.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Simple layout is available through Virtual Terminal capture pages for agents to take payments either via Digital Links or DTMF Suppression.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Testing by Suppliers has been conducted using a number of assistive technologies.
API
Yes
What users can and can't do using the API
CardEasy SDK API offers the ability to integrate the payment page through a CRM, or screen pop with another application such as Twilio RACE. It allows payment captures to be taken. They are accessed via a secret.

CardEasy SOAP API offers the ability to integrate the payment page through a CRM, or screen pop with another application such as Twilio RACE. It allows payment captures to be taken. They are accessed via a secret.

Sotpay API provides the same functionality as above but for Digital Link Technology.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Branding, look and feel (logo, drop downs, fields)

Merchant / Payment Service Provider (we work with more than 100 payment providers including CapitaPay360, WorldPay, Barclaycard, HSBC Global Payments, SagePay, Stripe, PayPal, Elavon etc.)

Payment flags (payment thresholds, secure payments, currency, card type, financial services, fraud, validation)

Bespoke customisations (merchant reconciliation, analysis and reporting)

Call routing functionality (IVR, ring groups, queues, call priorities, agent skills)

Change control is used; clients can request changes via our project team or a support ticket. For any changes outside of scope, we will quote an applicable cost. Any support is subject to our standard terms.

Scaling

Independence of resources
The Services are housed on resilient clouds in state-of-the-art data centres with redundant and fail-safe business contingency.

In some cases we use AWS which is deployed globally, for example IVR Payment Services.

Our service performance and levels are independently verified by a third party security assessor.

Analytics

Service usage metrics
Yes
Metrics types
Full reporting capabilities available with a 360-degree view of payment services, IVR and telephony. Fully cloud-based.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Syntec CardEasy, SOTPay, Twilio

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
On request via our support team.
Typically in CSV format, although there is little need for data import with this service.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Ciptex Ltd warrants that the Services will (excluding any period of Force Majeure and scheduled maintenance) have an Uptime Percentage of not less than 99.9% of every calendar month. For our Full Service SLA see Terms and Conditions.
Approach to resilience
We have developed a risk framework and strategy that accounts for the evaluation of our facilities, technology, applications, data, processes and overall organisation to ensure our risk mitigation strategy operates at multiple levels with broad coverage. One Payment Cloud uses a fully redundant, distributed, and automated environment consisting of geographically separate data centres running multiple, self-sustaining instances of the One Payment Cloud application. As a precaution, we have additional space and power to add capacity to our data centres should one data centre become unrecoverable in a disaster. We use multiple Internet service providers, connected through diverse paths entering the facilities at physically secure, separate locations. This redundant mesh-edge network design delivers robust networking through a number of paths. Our database data is stored on efficient flash memory devices with multiple servers per database cluster. Any hardware component failures are handled quickly and easily with automated builds and deploys. Our strict backup regime helps protect customer data should we experience a major incident. Key source data for standard One Payment Cloud accounts is backed up daily, which includes both local and off-site storage.
Outage reporting
Notifications of outages and scheduled maintenance are provided primarily through status page updates, which customers can subscribe to. Depending on the nature of the outage or scheduled maintenance, notifications are also provided by phone call and email.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
User access control permissions
Multi-tenancy
Supervisor access
Segmentation of data
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
IMSM
ISO/IEC 27001 accreditation date
11/08/2023
What the ISO/IEC 27001 doesn’t cover
Not applicable
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Securious Limited
PCI DSS accreditation date
15/12/2023
What the PCI DSS doesn’t cover
Ciptex is covered for operator-assisted and unassisted payments over the contact centre platform, when used in conjunction with our One Payment Cloud secure service.
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • SOC 2 (Service Organization Control 2)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We conform to the ISO27001 Standard. We have a nominated CISO who reports directly to the board of directors.

IT Security Policy
Secure Development Engineering Policy
Acceptable Use Policy
Business Continuity Process
BYOD Policy
Audit Policy

We are regularly audited by an independent consultant.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We work closely with the software vendor to ensure effective change management. Any service updates or similar updates are scheduled in conjunction with the client. Standard patching occurs outside of UK standard business operational hours.

Patching occurs initially in our test environment (a mirrored version of our live environment) and is fully tested against supplier-defined criteria prior to being submitted to the live platform environment. Clients can be granted access to the test environment to run their own tests, to ensure any changes will not affect their specific configurations. We work closely with our clients to maintain optimal operations.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Ciptex engineers, together with our suppliers, diligently monitor all potential threats to One Payment Cloud services. Our engineers subscribe to all relevant security bulletins and are very active in the cyber security community. Following a potential breach, we actively assess the threat level and potential impact on service.
We prioritise rapid deployment of security patching to ensure prompt resolution.

We work closely with other agencies to ensure that the security of the platform meets Government-approved standards.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We digest many sources of potential vulnerabilities for product and infrastructure, including: (i) code scans; (ii) network scans; (iii) penetration tests; (iv) threat intel; and (v) QA testing. All of these sources feed into ticketing processes for validation, risk-ranking, assignment, and tracking. We investigate and respond as necessary to any incidents or potential compromises immediately.
Incident management type
Supplier-defined controls
Incident management approach
Level 3 engineers alerted
Proactive customer notifications, with regular ticket updates to customers.
Depending on the nature of the incident and its threat assessment, notification will be available in the portal.
Tickets replied to in standard SLA times.
Our escalation process includes director level contacts including suppliers.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Twilio's cloud-based communication platform enables remote work and virtual collaboration, reducing the need for extensive travel and commuting. By facilitating remote communication, Twilio helps organisations minimise their carbon footprint and overall environmental impact.

Covid-19 recovery

During the Covid-19 pandemic, Twilio's communication tools have been instrumental in enabling remote work, virtual events, telehealth services, and contactless customer interactions. Twilio's solutions have supported businesses and organisations in adapting to new challenges and maintaining operations during lockdowns and social distancing measures.

Tackling economic inequality

Twilio's accessible and scalable communication solutions can empower businesses of all sizes, including startups and SMEs, to compete on a level playing field. By providing affordable and flexible communication tools, Twilio helps democratise access to technology and opportunities, thereby contributing to reducing economic inequality.

Equal opportunity

Ciptex's diverse workforce and commitment to inclusion and diversity initiatives promote equal opportunity within the company. Additionally, Twilio's communication tools can help organizations enhance accessibility, reach underserved communities, and bridge communication gaps, thus fostering equal opportunities for participation and engagement.

Wellbeing

Twilio's communication platform supports various applications in healthcare, mental health support, crisis intervention, and community outreach. By enabling secure and reliable communication between individuals, healthcare providers, and support organizations, Twilio helps promote overall wellbeing and access to essential services, particularly in times of crisis or need.

Pricing

Price
£0.20 to £0.50 a transaction
Discount for educational organisations
Yes
Free trial available
No
