DATAGRAPHIC E-DOCUMENTS PORTAL

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Edocuments provides an online document service extension to any existing software: Sage, Oracle and SAP etc.

Edocuments does not need any prerequisite software to work, it can be offered as a standalone web service.
Cloud deployment model: Private cloud
Service constraints: Edocuments is web based so the buyer and user simply need a device with internet connection and a compliant browser to access.
System requirements: Only system requirement is internet access and a compliant web-browser

User support

Email or online ticketing support: Email or online ticketing
Support response times: Average ticket response time is within 2 hours during business hours and the same for weekends. Out of hours and weekend support can be provided at an additional cost, which is detailed in the attached SFIA card.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Yes, at an extra cost
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
Web chat accessibility testing: We use Zendesk Chat which has been fully tested as part of the WCAG 2.1 AA accreditation.
Onsite support: Onsite support
Support levels: You will be provided with a dedicated technical account manager who will be responsible for ongoing support and maintenance service updates. All support is provided by an experienced, UK based team. In addition, a service support desk is manned at Datagraphic between 8.30a.m. to 5.30pm. Monday to Friday at no additional cost. Our average response time for support calls is under one hour and our average response time for email support requests is 2 hours.
Datagraphic will publish a list of key contacts as part of Service Level documentation and detail roles and responsibilities within the support structure. This list will provide primary and secondary contacts in addition to escalation and out of hours/emergency contact details.
If additional support is required, this can be provided at an additional cost as part of a bespoke support package.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The Edocuments software is designed to be intuitive and easy to use, so minimal training is usually required.
Online demos and training sessions are available via WebEx or video content, with onsite support provided as appropriate. We have found that workshop sessions and train the trainer sessions where users all feel involved, help to promote a positive experience and increase uptake of the new system.
User guides, user videos, printed collateral and general communication resources are provided as standard at implementation stage to ensure that all users become fully familiar with the application prior to go live. We can also assist in the production of marketing or communication materials to help with the roll out of the Edocuments product to your staff and portal users.
During the implementation phase we provide a full project plan and transition timetable along with scheduled user testing documentation to ensure all stakeholders are kept up to date with onboarding processes.
Additional support is available in the first few weeks of post go-live to ensure a smooth transition for users who have just started using the service.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Datagraphic comply fully with the GDPR’s right to data portability.
To extract data at the end of the contract, Datagraphic will always work closely with Data Controllers to supply their data back to them, when required, in an appropriate and mutually acceptable format. This will be handled in coordination with the technical account manager.
Datagraphic specialise in Data transformation and manipulation. This speciality lies at the heart of our ability to provide secure multimedia / format communication solutions.
Datagraphic pride themselves on their ability to interpret and represent data in a multitude of formats.
As such Datagraphic are able to provide assurances that respective data can always be returned, when required in a format as required by a Data Controller.
End-of-contract process: The secure return of any Client data and the disposal of data that is not required is included in the price.
Through a dedicated single point of contact, Datagraphic work closely with Clients from the initial transfer meeting.
The transfer plan will cover the following areas in respect of both parties;
• The allocation of personnel to assist in the transition of services
• Reporting channels
• Liaison between Datagraphic and new provider
• Responsibilities for approval of transfer project documentation
• Escalation procedures
In addition, both parties will agree that the transfer plan shall cover each party’s responsibilities for the provision of services;
• Up to and on the termination date
• During any parallel provision of services
• During the hand back period after the termination date
Responsibilities and obligations during transfer of;
• Operational documents, including customer records, artwork and addresses
• Purchasable relevant surplus stock.
Datagraphic advise clients of the status throughout the process until the transfer.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Edocuments is screen adaptive to so it switches between the standard desktop view and a mobile intuitive version for mobiles and tablets. The mobile intuitive version has all of the same functionality as the desktop version but its design features enable users on their phone or tablet to interact in an easier way for their screen size e.g. scroll feature between dashboard options, burger menu, badge notifications.
Service interface: No
User support accessibility: WCAG 2.1 A
API: Yes
What users can and can't do using the API: If requested, an Edocuments API can be made available to customer super admins. The API allows users to post document data into the system.
API documentation: Yes
API documentation formats: HTML

PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The Edocuments user interface is customisable as standard and the look and feel can be branded to the buyer identity through logo and background images. Layout is fixed but text within certain key pages is configurable as is the content of email notifications and the portal subdomain. Buyers can also choose which ‘widgets’ to display on the user dashboard. Business logic and data format/importers are always defined per customer. The PDF documents can also be completely customised to the buyer's look and feel and the above is all defined at set up stage.
Editor tools are provided to allow administrators to customise pages such as useful info, contact us and messages. Additionally, administrators can publish generic PDF documents, such as terms and policies, to the company documents area of the portal.
The out-of-the-box product is designed to be highly configurable to enable organisations to present a recognisable and trusted interface for its users.

Scaling

Independence of resources: The infrastructure has been designed to support both SME’s (with less than 100 users) and cater for businesses within excess of 100,000 users. Servers are closely monitored throughout via our automated software, which triggers alerts to the technical services team in the event that thresholds for memory, processing speed and response times are exceeded. In the event of business growth our hosting provider allows us to increase both bandwidth and memory usage with minimal notice ensuring we can respond rapidly to change.

Analytics

Service usage metrics: Yes
Metrics types: Super administrators have access to standard usage reports showing real time login activity by user, these are available for interrogation at any time through the Edocuments interface. Common reports include active and inactive users lists, user email lists, print preferences and password reset request logs. These can be exported as excel files if required for further analysis.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with another standard

Other
Other data at rest protection approach: • Physical access strictly controlled. Proximity-based access control system in operation. Staff access levels are role-based and granted on principal of least privilege.
• Variety of encryption methods used based appropriateness of each relevant to situation.
• Database fields for web-facing systems are encrypted, where feasible.
• Company laptops & phones encrypted at system level, removing the risk of loss of confidentiality from lost or stolen laptops.
• Anti-Virus/Anti-Malware software in place throughout
• Heavily restricted Internet access. Only Business required and approved websites from our production networks.
• Vulnerable endpoints, USB, CDs and Wi-Fi etc, are disabled through software.
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Clients may export their data by downloading PDF output of forms and company documents.
Any data that has been uploaded to the services by the client can also be exported in the original file format by users with the appropriate permissions (admins).
If required administrators can also export standard and bespoke report data in XLS format.
Data export formats: Other
Other data export formats: PDF

XLS

Same format as original file input
Data import formats: CSV

ODF

Other
Other data import formats: XML

TXT

EXCEL

RTF

PDF

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Edocuments is available 24/7/365 days of the year on dedicated servers with a 99.7% uptime SLA. Users are always pre-notified of any down-time and we can agree service credits in the unlikely event of not meeting guaranteed levels of availability.
Approach to resilience: Edocuments:
The Edocuments Data Centre is ISO 27001 accredited. The building is designed around Tier-3 data centre standards. Physical security measures include palisade fencing, external/internal CCTV, 24/7 security, access control system and biometric mantrap entry system. Secure areas limited to authorised staff through access control system.
Edocuements Business Continuity:
Data is recoverable on a per customer (web application) basis and all servers receive a full backup, restore and business continuity recovery service. Backups are taken twice daily, and on a weekly, monthly and yearly basis allowing for minimal data loss in any disaster recovery situation. In the case of data loss or complete server failure we make sure that all relevant files and folders are restored. Backups are encrypted to AES 256 bit standard.
Edocuments Disaster Recovery:
We can offer an off-site (Geographically separated) Disaster recover option. If this option is selected, The Client’s Edocuments Database will be backed up every 24 hrs and sent via SFTP To Datagraphic Rugby. A dedicated virtual machine would be configured to provide geographically separated disaster recovery service.
This additional option would be provided with the following Recovery Point Objective (RPO) and Recovery Time Objectives (RTO):
RPO = 24 hrs RPO = 48 hrs
Outage reporting: Email alerts are sent prior to any scheduled downtime.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Username or password

Other
Other user authentication: Users can login to Edocuments directly using supplied username and password and either 3 security questions or an authenticator token (as part of Multi-Factor Authentication).
We also offer SAML IDP and SP single sign on.
Standard Users can only access documents attached to their account; documents are attached based on a unique identifier within each document.
Admin roles are given to buyer staff in appropriate positions of authority and can shadow all, or a subsection of, Standard Users. Administrator permissions can also include uploading of data to generate documents and control of the messaging tool.
Access restrictions in management interfaces and support channels: We aim to disable all non-essential services on web facing systems.
Internet facing application servers are configured on a standard build. This is a ‘hardened’ build that has undergone penetration testing and security review.
• Default passwords for system accounts are changed
• Default system accounts are disabled where possible

Default passwords for all hardware such as routers, firewalls and switches are changed
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Username or password

Other
Description of management access authentication: All user Internet connectivity with Edocuments is encrypted via https using SHA2 certificates

Server administration (SSH port 22) is limited to requests originating from Datagraphic’s Public IP ranges.

All server system admin access is restricted to unique logons based on Datagraphic’s originating IP Address.

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Alcumus ISOQAR
ISO/IEC 27001 accreditation date: 11/05/2006
What the ISO/IEC 27001 doesn’t cover: Datagraphic is certified to the latest ISO 27001:2013 standard. An ISO 27001 certification has been held by Datagraphic every year since 2006.
The entire business is within the scope of the certification. The certificate is awarded by a UKAS approved accreditation body.
Datagraphic’s ISO 27001 reference number is: 2992.
At the heart of ISO 27001 lies the requirement for holistic Risk Assessment.
Based on Risk Assessments, controls have been implemented to reduce and mitigate risks associated with threats to the Confidentiality, Integrity and Availability of Information processing facilities.
• Confidentiality - ensuring that access to information is appropriately authorised
• Integrity - safeguarding the accuracy and completeness of information and processing methods
• Availability - ensuring that authorised users have access to information when they need it
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: Yes
Any other security certifications: Cyber Essentials

Cheque & Credit Clearing Company - C&CCC Standard 55

ISO 9001:2015

ISO 14001:2015

Xerox Premier Partner

NHS IG Toolkit

ISO 5001:2018

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Our sites are developed to banking standards with all document data being processed, printed and hosted at secure UK ISO27001 accredited facilities. The minute-critical documents we send include sensitive personal and financial data, requiring robust and secure processes and infrastructure.

The information security policies and processes we follow include ISO 27001 audited security policies including (but not limited to): Information Security Policy, Physical Security & Asset Management Policy, Information Security Training and Awareness Policy, GDPR & Data Protection Policy, Compliance Statement, Business Continuity and Disaster Recovery Policy, Secure Systems Engineering Principals Policy, Recruitment and Screening Policies and organisational structure.

All Datagraphic employees are required to annually sign non-disclosure and confidentially agreements along with the Information Security Policy. This is done alongside Information Security Training to acquaint staff with company policies, their responsibilities relative to them and any security procedures relevant to their work. Employees are trained on our detailed incident management process and told to report any potential or suspected security events or suspected security weaknesses to the CISO or their line manager.

Clients are also given a copy of our reporting structure as part of the standard onboarding process with descriptions of event classification, escalation protocol and contact details.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All change requests are recorded and reviewed by the relevant expert authorities and Business Process owners before, if appropriate being implemented. Risk Management, Back Out or Change Reversal plans are always considered before implementation of significant change requests.
We carefully choose when to implement change and how to then test that change has been successful. Our aim is to minimise disruption to our services when implementing change.
Change and version control mechanisms are in place and provided by a concurrent versioning system or “source safe”. This enables branching and concurrent development to occur in an efficient and safe manner.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: CST (Continuous Security Testing) is performed against Datagraphic’s entire internet facing digital estate. As opposed to a one-off assessment, CST is a continuous assessment of Datagraphic’s online assets. Regular vulnerability scanning is essential to maintaining a strong security posture.

Results are collated, and fixes prioritised by our Information Security function, prior to implementation by development teams. We then retest to ensure remediation.

Patches applied ASAP during set operational hours, with appropriate technical staff available to support implementation.

Datagraphic are informed of High vulnerabilities as a priority by our dedicated security experts. Lower impact vulnerabilities are supplied through a monthly report.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: To identify potential compromises, CST (Continuous Security Testing) is performed against Datagraphic’s entire internet facing digital estate. As opposed to a one-off assessment, CST is a continuous assessment of Datagraphic’s online assets, which is essential to maintaining a strong security posture.

When responding, results are collated, and fixes prioritised by our Information Security function, prior to implementation by development teams. We then retest to ensure remediation.

Patches are applied ASAP to vulnerabilities during set operational hours, with appropriate technical staff available to support implementation.

User account activity is monitored, abnormal activity is flagged and reviewed by our Information Security team.
Incident management type: Supplier-defined controls
Incident management approach: We have pre-defined processes for common events, and our Incident Management process includes:
• Contact Data-Controller: Communicate incident details to customer without delay.
• Breach Remediation: Implement suitable protective controls.
• Residual Risk Evaluation: Review controls implemented for potential residual risk.
• Contact 3rd Party Specialist: Depending on nature of breach, it may be necessary to involve 3rd Party Specialist Information Security consultants (in consultation with affected parties).

Users can contact their Account Manager, to report a potential or suspected breach, our CISO will be made aware.

An incident report will be completed and made available to the affected parties.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

The climate crisis we’re all facing is so dire that being carbon-neutral doesn’t go far enough. We believe, if you aren’t solving the problem, you still have a problem.
Environmental considerations and energy management sit at the heart of our organisation. Certification to the Environmental Management System ISO 14001 and the Energy Management System ISO 50001 show our commitment is more than just words.
Being sustainable is paramount to us. All paper used in production is FSC sustainably sourced. Offsetting our carbon footprint, using carbon credits and planting trees in the community are also steps in the right direction, but only the start.
We’ve developed a robust science-based carbon reduction strategy with a target of being net-zero by 2040 (Scope 1 & 2 in our operations by 2035) and carbon-negative after that. Using the Green House Gas (GHG) Protocol we are measuring Scope 1, Scope 2 and Scope 3 emissions. Only by doing this and working closely with our supply chain partners, can we find effective solutions for reducing the impact of CO2 emissions connected to our work.
By working with us, you can be assured you’re partnering with a Climate Aware company that is committed to being carbon-neutral well before the Government target of 2050. We welcome you to join us in realising this commitment. And know you will share our passion for showing the positive contribution organisations can make to work more sustainably for the benefit of people and our planet.

Pricing

Price: £0.05 to £0.12 a unit
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

DATAGRAPHIC E-DOCUMENTS PORTAL

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents