Lexonis Ltd

SFIA and DDaT Skills Assessment Software by Lexonis

Optimise DDaT (Digital, Data and Technology Framework), SFIA (Skills Framework for the Information Age), and other frameworks. Utilise skills-based job templates or create them with integrated AI. Assess employee skills, pinpoint gaps, and uncover career development opportunities for personal development. Utilise skills intelligence for organisational capability/gap analysis and workforce management.

Features

  • SFIA, DDaT and other framework skill assessments and analysis.
  • Pre-built SFIA job profile templates for easy customisation.
  • Technology skill definition and behavioural competency support.
  • Visual career pathways and career development plans.
  • AI-enabled tools to build up-to-date job profiles and skill definitions.
  • Skills intelligence and job architecture views for strategic analysis.
  • Intuitive administrative tools to build jobs and skill/competency definitions.
  • Built-in consulting tools to capture SME feedback and buy-in.
  • Robust and scalable hosting on Microsoft Azure Cloud.
  • APIs, JSON, XML, Microsoft Excel and CSV options to exchange data.

Benefits

  • Capability/Gap Analysis: view your organisation's SFIA/DDaT skills and gaps.
  • Recognise Expertise: find employees for projects based on critical skills.
  • Learning Needs Analysis: pinpoint business critical, high priority development areas.
  • Personal Development Plans: build development plans based on job requirements.
  • Career Development: identify development opportunities based on matching skills.
  • Job Profile Templates: fast-track job creation with pre-built SFIA templates.
  • Up-to-date Job Profiles: use AI to build new SFIA/DDaT profiles.
  • Job Profile Rationalisation: review closely matching jobs based on skills.
  • Skills-based Hiring: dynamically generate evidence-based interview guides based on skills.
  • Career Coaching Guides: create best practice guides for managers.

Pricing

£4 to £110 a user a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andy.andrews@lexonis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

683146164914306

Contact

Lexonis Ltd Andy Andrews
Telephone: 07584990167
Email: andy.andrews@lexonis.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Lexonis hosts on Microsoft Azure; other than that, there are no known constraints.
System requirements
  • Internet Access.
  • Web browser.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Depends on the severity and the terms agreed in the contract. The following are the terms available by default:

Severity 1: A Defect which causes a major failure of the Service, affecting all users of the Service -> 1 Business Hour (UK hours)

Severity 2: A Defect which has a severe impact on the provision of the Service to the Client -> 4 Business Hours

Severity 3: A Defect which has a moderate impact on the Client’s business -> 4 Business Hours

Severity 4: A Defect which has a minor impact on the Client’s business -> 1 Business Day
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Third level support which is contractually defined as the provision of the services of one or more systems experts whose role is to address Defects in the Service; support for end users is provided via the client’s trained administrators.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
During the initial project launch meeting, a Lexonis consultant will discuss site functionality, configuration options and prepare an outline project plan. Once the plan is agreed the service will be provisioned for the client.

The consultant will then provide documentation that covers Customer Administrator and user functionality, and arrange for online Customer Administrator training. If the client specifically requests onsite training, this can be arranged.

In addition, a Lexonis Prosci-certified consultant will support the client's implementation with online sessions, change management tools and communication templates, and will share best-practice processes.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The provision of data may be amended in the terms of the signed contract. However, it is typical for functionality to be available on the client's site so that one of the client's administrators (with appropriate permissions) may download it. If a different format is required, the client's contact may request the data. This service may be subject to a fee, depending on the format required. If this is the case, a Lexonis consultant will extract the data in the agreed format and transfer it to the client via a secure file service. The client's data will be destroyed from all Lexonis systems within the number of days agreed in the contract.
End-of-contract process
4.4.4 following the Termination Date, destroy or otherwise dispose of any or all of the Client Data in its possession (except where Lexonis is required by law to keep a copy) unless Lexonis receives, within three Business Days of notice of termination, a written request for the provision to the Client of a copy of the then most recent back-up of the Client Data held by Lexonis. If Lexonis receives such notice, it will use reasonable endeavours to provide that copy to the Client within 10 Business Days after the Termination Date in a format supported by the Service (access to such format by Client shall remain live for a maximum of 4 weeks after which Lexonis shall delete such Client Data without further notice to Client).

Lexonis reserves the right to charge reasonable costs for the provision of the Client data unless the file format, structure and fees have already been negotiated in the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Mobile devices access the application through a web browser in the same way as for a desktop. The application does not rely on any desktop-specific functionality which is not easily replicated through a mobile interface (e.g., double-clicks are not used etc.). The application display changes to take into account screen width on both mobile and desktop, so that the application functions the same way when narrowing a browser on desktop as when viewing the site through a smaller mobile screen.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
The application is accessed through a forms-based login screen (username/password) or, if so configured, by SSO. Once logged in, users are shown a set of tiles which can access the named functions. A navigation bar at the top of the screen allows users to navigate back to previous pages. Information is presented in text, table and occasionally graphic form.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Quality Assurance has been performed against the core user functionality on the site. This automatically identifies errors, contrast errors, alerts, structural elements, features and ARIA properties. Each report contains links which can be followed back to the relevant https://www.w3.org/ section. The QA testers review each report and raise bug cases to the development team for review and fixing where a WCAG 2.1 AA violation is identified. Fixes are implemented through the secure development lifecycle process, including iterative re-testing until all errors have been fixed or accounted for as false positives.
API
Yes
What users can and can't do using the API
The Lexonis APIs use standard HTTP Basic Authentication over HTTPS/SSL per RFC 7617. Access to the APIs is restricted to designated security roles and permitted IPs which must be specifically configured (meaning that API functionality is inaccessible by default). By default numerous APIs are available and additional APIs can be created on a client-by-client basis.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
All the content in the software is customisable by users with the appropriate permissions.

The software application is deployed with a number of configuration options available to clients, enabling/disabling whole sets of functionality, or simply modifying how functionality works.

Client customer administrator users can perform some of these configurations themselves through a Site Settings function, potentially under the guidance/with the support of a Lexonis Consultant. Alternatively, certain configuration options can only be made by Lexonis Consultants, on the explicit request of the client.

Further bespoke changes can be made to the tool, but typically this will be discussed during the contracting process, and will be undertaken through Lexonis' standard secure development lifecycle process.

Scaling

Independence of resources
Web applications are set to automatically scale and are monitored for availability using StatusCake, and performance using Microsoft Application Insights.

In addition, Lexonis' ISO 27001 certified ISMS operates a defined set of capacity management controls. As part of these controls Lexonis has carefully benchmarked its current usage against its current capacity to ensure it meets its SLAs.

Analytics

Service usage metrics
Yes
Metrics types
Two types of metrics are provided for the service: end usage metrics; system availability metrics.
Reporting types
  • API access
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The application contains a number of different export capabilities in Microsoft Excel, Microsoft Word and PDF formats, and depending on the configuration of the site, end users will have access to at least some of these.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLSX
  • DOC
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • XLSX
  • DOC
  • JSON

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
By default, the Lexonis TalentScape Software Subscription guarantees 99.5% availability excluding scheduled maintenance and emergency maintenance. In reality, the software service has averaged 99.99% availability for the past 12 months.

In the event that Lexonis does not meet the SLA for 3 consecutive months, the client may terminate the agreement and Lexonis will refund the client any fees paid by the client in advance in respect of the period following the termination date.
Approach to resilience
Application instances are always hosted across a pair of geographically distinct datacentres. Each datacentre is constructed with significant business resiliency in mind. UPS, large banks of batteries, onsite generators with dedicated fuel reserves are all in place, alongside dedicated teams of service persistence engineers who work around the clock. Furthermore the datacentres use extensive monitoring, service support, backup failover and incident management teams and processes to ensure ongoing service resilience.

Lexonis' application web/app service instances are configured for hot failover with the secondary datacentre automatically picking up the web/app service of a site if the primary web/app service becomes unresponsive.

Application instance SQL database hosting is provisioned to replicate between primary and secondary datacentres, but operates on a cold failover basis.

Database backups are taken locally, but at each datacentre, ensuring geographically separate backup capacity.
Outage reporting
All Lexonis application instances have three monitors created to track their uptime:
1. An overall site uptime monitor.
2. A primary web/app service monitor.
3. A secondary web/app service monitor.

All three monitors are configured to send automatic alerts to designated Lexonis employees to report downtime. Downtime in either (2) or (3) on its own does not generally impact the uptime for (1). Monitor (1) only reports downtime if both (2) and (3) have failed, or if (2) fails and the failover to (3) also fails.

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
The application controls user access based on assigned security roles. During implementation Lexonis will provision 1+ Customer Administrator (CA) users, and configure the site under instruction from its dedicated client contact. CAs are then able to provision users with elevated security roles (including other CAs). Ongoing management of security role permissions is the responsibility of the client.

Post-implementation site changes (configuration, development etc.) are carried out as projects, requiring formal approval from client contacts.

Support requests are raised through the application to Lexonis support staff. Site changes requested through support are fed back to client contacts for review.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
Authentication can also be provided using Single Sign On with SAML v2.0.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Centre for Assessment Limited
ISO/IEC 27001 accreditation date
28/11/2023
What the ISO/IEC 27001 doesn’t cover
The scope of Lexonis' ISO 27001 certification covers the following:

'The provision of competency-based HR solutions to international organizations and membership bodies, including software development, software maintenance, quality assurance, site provisioning, and consulting services'

Within the Information Security Management System's Statement of Applicability, the following controls are excluded as irrelevant to the above scope:
-Management of removable media (Lexonis do not use any)
-Physical media transfer (Lexonis do not transfer physical media)
-Working in secure areas (Lexonis do not have any 'secure areas')
-Delivery and loading areas (Lexonis do not have any such areas)
-Restrictions on changes to software packages (Lexonis do not change software packages)
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Lexonis' ISO 27001 certified ISMS defines, implements and operates multiple infosec policies including:
-Information Security Policy
-Mobile Device and Teleworking Policy
-Access Control Policy
-Cryptographic Control and Key Management Policy
-Clear Desk and Screen Policy
-Information Backup Policy
-Information Transfer Policy
-Secure Development Policy
-Information Security Policy for Supplier Relationships

Processes and standard operating procedures associated with all policies are developed to ensure adequate implementation.

Adherence to policy is assured by the following controls:
-Employee contracts requiring adherence to the ISMS
-Defined disciplinary processes for non-adherence
-Information Security training, including coverage of ISMS adherence
-Dedicated Corrective and Preventative Action (CAPA) process for recording and correcting/preventing non-compliance events
-Regular, structured Information Security Committee reviews of ISMS Objectives, Access Rights, Personal Information processing, Supplier Services, Intellectual Property, ISMS Resourcing and GDPR obligations.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Lexonis operates a defined set of change management controls including:
-ISMS Processes: Changes managed through processes and procedures defined in the ISMS. These processes incorporate security impact considerations in their design.

-Projects: General Project changes are handled by the Project Management Operating Procedure. Software development is governed by the Software Development Lifecycle Operating Procedure, which includes functional, security and regression testing processes. All projects involve an explicit InfoSec assessment phase, and may trigger a DPIA.

-No Pre-existing Procedure: Non-project changes falling under no pre-existing Operating Procedure/ISMS Process are handled by implementing a full Risk Assessment and treatment plan process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Lexonis' ISO 27001 certified ISMS includes a number of vulnerability management controls. Lexonis products are developed against a defined threat model which considers the most significant risks against the confidentiality, integrity and availability of information assets. All software development projects require an information security assessment, which may require a formal DPIA process being invoked. The Lexonis security team subscribes to a number of industry recognised security feeds which inform both the threat model and information security assessment phase. Security patches are deployed to application instances based on the highest priority.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Lexonis maintains platform, web, application, database, hosting, storage, network and firewall logs, aggregated within the Microsoft Security Centre application against which security policies and alerts are set, and logs reviewed and audited. This application automatically reports designated events and thresholds to the CTO and Information Security Manager.

Log alerts which could realistically indicate the actual Confidentiality/Integrity/Availability compromise of an asset, or a weakness which might allow for such, are raised within the ISMS-defined InfoSec Incident handling process. Incidents are actioned for immediate mitigation, logging/backup requirements, resolution and root-cause analysis. Confidentiality issues are addressed as the highest priority.
Incident management type
Supplier-defined controls
Incident management approach
All employees are required to report to the Incident Response Team (including by highlighting relevant end-user support requests) any plausible compromise of the Confidentiality/Integrity/Availability of an information asset, or any weakness which might allow such a compromise. These security events are evaluated to determine whether the compromise/weakness is real, and are raised as security incidents if so.

Incidents are reviewed for immediate mitigation and logging/backup requirements; resolution plans are developed and actioned, and post-incident root-cause analysis is carried out. Any data breaches are reported using formal Data Breach records by email to the ICO and clients within 72 hours of detection, as required by GDPR.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Supports new methods of remote working and service delivery that help organisations working towards net zero greenhouse gas emissions.

Covid-19 recovery

Supports organisations and businesses that have been adversely impacted by COVID-19 and that have members of their workforce at risk of losing their jobs, to identify new career opportunities and re-train accordingly. Also supports use of sub-contractors who have skills for identified skill gaps.

Tackling economic inequality

Creates employment and re-training opportunities, particularly for people who wish to be employed in industries where there are acknowledged skill gaps and/or are in high growth sectors.

Equal opportunity

Supports people including the disabled and those from disadvantaged or minority groups to develop new skills and to plan their careers; also helps organisations to recognise their skills within the workplace and new work and growth opportunities.

Wellbeing

Encourages mental wellbeing through good communication between managers and employees in respect of utilising employees' strengths and closing skills gaps, project assignment and career development opportunities.

Pricing

Price
£4 to £110 a user a year
Discount for educational organisations
No
Free trial available
No