COMPLY
COMPLY is a contract compliance and performance management
software solution for government bodies and public sector
organisations needing to manage multiple service providers and
contracts.
COMPLY promotes proactive management of provider/contract
performance through insightful data dashboards and customer configurable reporting.
COMPLY has previously been instantiated as 'Curious' for the MoJ.
Features
- Facilitates management of contract providers' performance with detailed contextual data.
- Scheduling functionality, for example, timetabling regular ongoing service delivery.
- Multiple user-types can access and contribute to the system.
- Monitor delivery against contractual KPIs & SLAs.
- Enables performance management of service delivery.
- Operates on “people data” outputs and records and tracks outcomes.
- Reports and Dashboards configured to contract needs.
Benefits
- Compliance management underpinned by aggregated data on individual-level outcomes.
- Vast time savings compared to multi-document, paper-based solutions.
- Centralised application gives a single view of contract performance.
- Management of contract compliance for multi-agency and multi-site contracts.
- Provides contextual information to better understand provider's quality of service.
Pricing
£172 a user a year
- Education pricing available
Framework
G-Cloud 14
Service ID
685893696898926
Contact
MegaNexus Ltd
Daniel Brown
Telephone: 020 7843 4343
Email: solutions@meganexus.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- No
- System requirements
- Internet connectivity
- Modern browser
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Within 1 hour.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- No
- Support levels
- Meganexus agrees upon exact Support Levels during contract signing. However, our standard support levels are typically: Urgent issues - Response time of 1 hour, Resolution time of 1 day. High priority issues - Response time of 4 hours, Resolution time of 2 days. Normal priority issues - Response time of 2 days, Resolution within the next software upgrade cycle. Low priority issues - Response time of 5 days, Resolution depending on the availability of the Meganexus support team. The support costs are included in the license costs. Additional costs for onsite support are detailed in the pricing document rate card. Meganexus will provide a technical account manager to oversee service delivery.
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- We have a dedicated onboarding team that supports users through the transition to our solution.
- Service documentation
- Yes
- Documentation formats
- HTML
- Other
- Other documentation formats
- Video
- End-of-contract data extraction
- Once the contract is completed, all user data is extracted and downloaded to a secure drive. The drive is then handed directly to the client once the license has expired. Once the data has been transferred to the secure drive, all data is deleted.
- End-of-contract process
- All off-boarding services and any associated costs are agreed on initial contract. Any complex or third-party services will be discussed with additional costs according to the standard professional services rate card.
Using the service
- Web browser interface
- Yes
- Supported browsers
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The mobile and desktop services are similar in features and functionalities; the platform is fully responsive across all mobile devices.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 A
- Description of service interface
- A support portal that allows application users requiring support to raise and track queries. This portal additionally has a self-service feature.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- Not Applicable
- API
- Yes
- What users can and can't do using the API
- Microservices Architecture - our solution is comprised of multiple APIs which can be utilised to retrieve and publish data depending on the business need.
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- No
- Customisation available
- Yes
- Description of customisation
The COMPLY application can be customised across modules such as data capture, reporting, workflows, scheduling, and cost allocation and location. Branding, including logos, colours, layout, etc., can be tailored to organisation needs.
Following initial agreement Meganexus can, if required, add or customise further features in the COMPLY tool through professional services.
Scaling
- Independence of resources
- Meganexus applications operate on a hyper-scale platform and an architecture/implementation that allows us to auto-scale and contract in line with changing business demands.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Includes but not restricted to Traffic Analysis (status of all tickets), Average Ticket Response times, Customer Satisfaction ratings, SLA (Met Vs Breached), Created Vs Resolved, Average Resolution time
- Reporting types
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- The reporting module provides an option to export data.
- Data export formats
- CSV
- Other
- Other data export formats
- Excel
- Data import formats
- CSV
- Other
- Other data import formats
- Excel
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
- Access to endpoints and applications is controlled by whitelisted known IP addresses.
Availability and resilience
- Guaranteed availability
Meganexus commits to 99% availability for the COMPLY application.
Our SLAs are as follows:
Urgent issue: renders core functionality inoperative. No workaround exists. Problem impacts service to Licensee’s customers.
Response/Resolution time: 1 hour / 1 day.
High issue: renders part of the core functionality inoperative but does not stop the remaining Software Modules' functioning. Issue impacts service to Licensee’s customers.
Response/Resolution time: 4 hours / 2 days.
Medium issue: An issue which has little impact on productivity, for which a workaround exists.
Problem/Fault, User Education, Documentation, Query, Training, Product Enhancement Request.
Response/Resolution time: 2 days / Next Software Upgrade.
Low issue: Cosmetic issues, Manual/instruction/training problems, Enhancement requests, Training requests.
Problem/Fault: User Education, Documentation, Query, Training, Product Enhancement Request.
Response/Resolution time: 5 days / At Meganexus' discretion.
Refund policies are available on a case-by-case basis.
- Approach to resilience
- Geographically resilient deployment with data being replicated between 2 geographically separate onshore sites and available for recovery in the event of an outage or that data is required to be restored from a backup. We use the replicated data as our source for restore, with resilience of components in each data centre.
- Outage reporting
- Both email messages to customers and notifications on the application front page.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Whitelisted IP addresses and 2-factor Authentication for escalated privileges.
- Access restriction testing frequency
- At least once a year
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- The Certification Group
- ISO/IEC 27001 accreditation date
- 30/06/2023
- What the ISO/IEC 27001 doesn’t cover
- Data centre physical controls which are covered by our third party data centre management.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- We follow the processes defined within our ISO 27001 Information Security Management System (ISMS). Our implementation team develops, defines and refines ongoing tasks through an identified security baseline, applying the agreed risk management process, and implementing the risk treatment plan to ensure that controls applied are effective. We measure, monitor, and review these policies and controls on a month-by-month basis. Our support technicians report to the COO and CTO who in turn report to the CEO. Adherence to policies is ensured by evidencing actions driven by the process, reviewing procedures at least annually and again evidencing this to the ISO auditor.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- The Configuration and Change Management process is designed to facilitate the introduction of changes quickly and with minimal disruption to live services, and to ensure that changes adhere to agreed service levels/contractual agreements and do not introduce additional risk of disruption, error or security. A Request for Change (RFC) is required for any modification. All changes must be approved by the Change Advisory Board (CAB). The CAB approval process serves as a risk analysis activity, ensuring any risk associated with the change has been accepted by the appropriate stakeholders. All changes are maintained in the RFC tracker.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- All vulnerabilities are prioritised through risk assessment, monitored through notifications, and assessed and actioned through change management or incident response procedures. Available patches are risk-assessed and vulnerability control decisions are audited. The ISO Steering Group receives regular reports on the vulnerabilities, any additional controls in place and outstanding issues. Compliant with ISO 27001, annual IT health checks enable remediation within 3-6 months. Additional vulnerability assessments are informed by any changes to our security framework. We are advised of threats/vulnerabilities through a range of distinct channels including the National Cyber Security Centre, vendor channels (e.g. Microsoft), and Government customers such as the Ministry of Justice.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Our protective monitoring controls are based around the legacy GPG13 guidelines (deter). Alarms are automatically raised to our service team on suspicious behaviour. Any suspicious behaviour is treated as a priority 1 incident and will be dealt with within 4 hours. We have analysis tools that are constantly scanning our solutions to identify curious patterns of behaviour that may identify potential compromises and alert system administrators accordingly.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- Incidents raised by users or detected by Meganexus support professionals are categorised and assigned to the appropriate team. Incidents involving security, high-significance or business-critical systems are immediately addressed by the CTO and technical teams. We investigate the cause and resolution of the incident and restore the service while providing notifications to the client. Solutions for common events are documented in the Known Error Database and available to support teams. Incidents are reported through emails, the service portal or phone. All incident details are recorded in the service portal. Incident reports requested by the client are extracted from the service portal.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
We aim to carry out the following measures to minimise the organisation’s carbon footprint as far as possible: Our cloud hosting partner Microsoft is constantly working to reduce reliance on data centres. We have set up recycling points in the office. We commit to a 5% reduction in printing/paper usage. We encourage a cycle-to-work scheme, thus committing to a reduction in the use of fossil fuels.
Covid-19 recovery
We support 4 local start-up businesses with areas of professional skills, specifically IT / Software development. Senior Staff support voluntary and community organisations. We will be available for them if they need speakers at events, or to advise them in our area of expertise (software development). We provide 6 hours of meeting room/event space for use by community and voluntary organisations.
Tackling economic inequality
We commit to 2 work placements per year focusing on service users with lived experience and young people leaving the looked-after system. Levelling up, all employees are paid a minimum of LLW (Low-Level Wage) regardless of where they live in the country.
Equal opportunity
We implement the following steps towards ensuring equal opportunities for all sections of the community: We support “Ban the Box” (to give individuals with lived experience a fair chance to obtain employment). Levelling up, we pay the London Minimum wage for all UK new employees regardless of where they live or work.
Wellbeing
Meganexus carries out the below steps towards the health and well-being of its employees: We provide gym membership for employees working in the Tavistock office. We have an employee support service in place to provide counselling services. We encourage employee fitness through our cycle-to-work scheme. We arrange free health check-ups for our employees annually.
Pricing
- Price
- £172 a user a year
- Discount for educational organisations
- Yes
- Free trial available
- No