XLeap Managed Server (G-Cloud)
XLeap is secure facilitation software trusted by UK government departments and other UK public sector organisations for over 10 years. XLeap Managed Server (G-Cloud) is the enterprise-class deployment for large UK government departments or UK public sector organisations. The software service is hosted in London or Dublin as required.
Features
- Supports any facilitated meeting process. Virtual or face-to-face.
- Personal flat-fee for unlimited concurrent meetings and participants.
- Brainstorm workspace with anonymity and theming. Highlighting with sticky dots.
- Discussion workspace for discussing multiple topics. Anonymously or by team.
- Rating workspace with all customary rating methods. Multi-criteria analysis.
- Presentation workspace for crisp scalable slide shows. Interactive feedback channel.
- Full and instant reports easily stored in SharePoint, MS Teams.
- Process templates for easy reuse and sharing of best practice.
- Easy collaboration between Hosts (Co-facilitation).
- Video conference included (voice, video & screen sharing).
Benefits
- Intensive interactivity and collaboration alongside existing conferencing platforms.
- Stakeholder engagement, cross government, and managing complex stakeholder groups.
- Inclusive and diverse group working, giving space to diverse voices.
- Advanced prioritisation and decision making for policy making and delivery.
- Engagement with citizen and stakeholder groups for 'open policy making'.
- Collaborative remote workshops for core project and programme management processes.
- Repeatable processes for developing business cases, impact assessments, project planning.
- Remote workshops on risk, benefits realisation and lessons learned.
- Virtual learning reviews, hot and cold debriefs for operational units.
- Futures work including stakeholder analysis and horizon scanning.
Pricing
£47,350 an instance a year
- Education pricing available
- Free trial available
Framework
G-Cloud 13
Service ID
700680228199610
Contact
XLeap GmbH
John Turner
Telephone: +49 40 6891 4578
Email: g-cloud@xleap.net
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- No.
- System requirements
-
- Computers must run Chrome, Firefox, Edge, Opera, or Safari
- iPads and iPhones require Safari 11 (iOS 11 or later)
- Android devices require the Chrome, Edge or Firefox browser
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- 4 hours on weekdays.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Support is included for technical issues such as access to the service or functionality of a software feature. Technical support does not include consulting on facilitation processes or meeting design.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
The appointed administrator receives 90 minutes online training which includes a walk through the administrative options.
Licensed users (users who can run meetings and workshops as Host) are supported in context by extensive and in-depth online help and how-to videos.
Online and on-venue training is available at extra cost.
Participants do not require any training or onboarding.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
-
Hosts typically download the automatic report (the minutes) of a meeting or workshop directly after it has ended. This contains all content.
Storage of meetings on the XLeap Center serves the limited purpose of easy in-system re-use of content and meeting processes. Hosts can save the content and process of their meetings to disk.
- End-of-contract process
- At the end of the subscription period - unless instructed to the contrary - the XLeap Center is maintained for a grace period of 90 days during which the subscription can be renewed. After the grace period, the deployment, its database and all backup files are deleted irrevocably. The customer's administrator is warned/informed of these successive steps repeatedly by email.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
The mobile service is functionally identical with the desktop service, except for active screen sharing not being supported on mobile devices.
The layout is responsive, meaning that workspaces will look different on a phone.
- Service interface
- No
- User support accessibility
- WCAG 2.1 A
- API
- Yes
- What users can and can't do using the API
- The meeting center supports SSO (SAML 2.0)
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- Center administration can (1) control access and authentication requirements, use restrictions etc. (2) brand the login page, holding screen, meeting report.
Scaling
- Independence of resources
- The XLeap Managed Server runs with generously allocated dedicated resources. Systems trigger timely utilisation alerts for resources to be increased. This hardly ever happens.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Host and participant log in, total and new meetings created in last 180 days. Customizable statistics module.
- Reporting types
-
- Real-time dashboards
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with SSAE-16 / ISAE 3402
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
-
Hosts typically download the automatic report (the minutes) of a meeting or workshop directly after it has ended. This contains all content. They can also export the content of workspaces to Excel or text.
Hosts can also save meetings (process configuration with content) to disk in XLeap's .xleap-format.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- Docx
- Xlsx
- Data import formats
-
- CSV
- Other
- Other data import formats
- Excel
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- XLeap commits contractually to 99.9% uptime on a monthly basis, excluding regularly scheduled maintenance times or Force Majeure Events. If in any Account Period this uptime commitment is not met by XLeap and customer was negatively impacted, XLeap shall provide, as customer’s sole and exclusive remedy, a service credit equal to the number of minutes the Subscription Service was unavailable during that Account Period. If the service failed for a consecutive 4 hours, a full day shall be credited.
- Approach to resilience
- We follow industry best practice under Amazon AWS's shared responsibility model. Details are available on request.
- Outage reporting
- Our service is continually monitored via AWS-supplied and other mechanisms. AWS supplies a dashboard. Responses are triggered via APIs and email alerts to XLeap's response team.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
- Access restrictions in management interfaces and support channels
-
Management interfaces fall into three categories: 1. The management interface of the AWS service is protected by username, password and an AWS-supplied token device. 2. Privileged access to productive XLeap systems can only occur via a bastion server which can only be accessed from a defined set of IP addresses and 2-factor authentication. 3. Privileged access by users (customer-appointed administrators) can be limited to separate user accounts with 2-factor authentication or SSO.
User support requests which involve access to customer systems or information are only accepted in writing (email) and verified via a separate channel, e.g. call back.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Username or password
- Other
- Description of management access authentication
- Restriction by source IP address.
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- Between 1 month and 6 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Bureau Veritas Certification Germany GmbH
- ISO/IEC 27001 accreditation date
- 19/06/2020
- What the ISO/IEC 27001 doesn’t cover
- Service is fully covered.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
Our security awareness and training policy defines basic and role-based training requirements.
The information security policy follows the ISO 27k standards.
The information security team verifies compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback. The Infosec team leader reports to the CTO who is responsible for security and reports to the CEO.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap maintains under automated configuration control a current baseline configuration of the information system. The configuration is reviewed annually and on significant change. Older configurations are retained should a rollback be required. Configurations are based on a deny-all permit by exception policy which extends to software permitted to execute on the system. Changes to the configuration are assessed for risks and require approval by the Infosec team leader after testing in the staging network.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap routinely scans its systems for vulnerabilities with an industry standard vulnerability scanner employing the latest definitions and signatures based on, among others, the NIST vulnerability database and the CWE list. 'Critical' and 'Important' patches are deployed immediately, 'Low' patches within the day. XLeap subscribes to various sources of security feeds including US-CERT and Microsoft's Security Bulletin.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap employs automated log analysis, continuous configuration monitoring and integrity scanning to identify security incidents. Events are correlated by TrendMicro's Managed XDR service. In the event of a suspected breach, the incident response team is alerted directly by email and SMS text for a verification of the incident. Further measures depend on the attack type and vector and the severity rating of the incident which is based on the functional and information impact, the appropriate containment, eradication and recovery strategy and required notifications.
- Incident management type
- Supplier-defined controls
- Incident management approach
-
Amazon AWS is certified to comply with ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402. Under AWS' shared responsibility model XLeap operates an incident response policy and set of incident response plans for external and removable media, attrition, web, email, impersonation, improper usage or loss/theft of equipment.
Users report incidents by email to a specific email address.
The user's main or designated contact is informed of all security breaches which impact or threaten the function or integrity of their deployment including the findings of impact analysis and measures (to be) taken to contain, eradicate and recover from the breach.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
XLeap enables remote real-time collaboration, thereby removing the need to travel.
As a company, we follow our own advice working remotely where we can, avoiding travel, and leveraging the efficiencies of virtual computing, cutting our electricity consumption to the minimum.
The electricity we do use is 100% renewables.
Pricing
- Price
- £47,350 an instance a year
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- The XLeap trial is limited to 14 days and includes the full functionality for Hosts (the person who can plan and run meetings and workshops) and participants. The meeting report and the export of content are cut off after 10 line items per workspace.
- Link to free trial
- www.xleap.net