ATHIUM LIMITED

Registrar Service Management System

A complete solution for local registration services. It includes a public-facing appointment booking and copy certificates ordering system, a registrars back office function for managing appointments, ceremonies and venues and a service centre application. Full integration with payments, case management and finance systems and reporting for financial and business analysis.

Features

• A complete solution for registrars service
• Public facing appointments booking application with payment facility
• Public facing copy certificate ordering functionality with shopping basket
• Customer Service appointment booking functionality, including script flow
• Registrars appointments and ceremonies management, including travel between venues
• Venue management, including room type, capacity and availability
• Register/certificate book management, reserving books for appointments and ceremonies
• Certificates linked to appointments
• Correspondence and notification management
• Cash management system, financial and management reports

Benefits

• Improves overall efficiency
• Reduces volume of phone calls to customer service
• Reduces errors and enables better planning
• Minimises repetitive tasks for the registrars
• Increases utilisation, minimising gaps between appointments
• Reduces administrative costs of processing and allocating payments
• Gives members of the public more control over appointment booking
• Improves the issuing of copy certificates
• Provides comprehensive stock reporting for certificates
• Improves the ceremony planning experience for the public

£25,000 to £50,000 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@athium.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

702086845357044

Contact

Matthew Sewell
0333 880 5860
gcloud@athium.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Every issue raised by a client or our internal monitoring is assessed by our triage team for severity and priority. The severity specifies the impact of the issue whilst the priority states the urgency of resolving it. Each issue is also assigned a type ranging from support issue to bug to new feature request. The most common target fix times are 1 hour, 2 hours, 24 hours, 1 working day or 5 working days. The response time varies with the fix time.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: We use a web chat service that performs all testing for assistive technology users for us.
• Onsite support: Yes, at extra cost
• Support levels: Every issue raised by a client or our internal monitoring is assessed by our triage team for severity and priority. The severity specifies the impact of the issue whilst the priority states the urgency of resolving it. Each issue is also assigned a type ranging from support issue to bug to new feature request.; ; The most common target fix times are 1 hour, 2 hours, 24 hours, 1 working day or 5 working days. Other fixes will be based around an agreed plan.; ; Although clients can purchase additional support if required we do not believe that this will be a standard scenario as the default support should be sufficient.; ; For every product we have a member of our team designated as product manager and lead developer. Each client will also have an assigned account manager who will endeavour to understand their circumstances and work with them to resolve support issues.; ; Any issue that is raised that is above a certain level or priority or severity will immediately be escalated to the product manager and lead developer as well as any account managers that are impacted. Further escalation will be possible to the development manager and operations director.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We have two different targets for our onboarding process.; ; Firstly, the customer's IT department where we provide system documentation, technical guides and guidance to enable the technical implementation of the service. This can be extended to more detailed collaboration and onsite training if required.; ; Secondly, the focus is on the individual service itself. For these we provide online training guides, full user documentation, train the trainer sessions and configuration training sessions. These can be extended to onsite training if required.; ; We would normally expect to have detailed conversations with the client during the onboarding process to fully understand their business process, the implementation they're trying to perform and any nuances there are to their service.; ; This is agreed with the client to provide the most appropriate experience to them.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All the data from the system is accessible via the APIs for the whole duration of the contract. Moreover, at the end of the contract, a bulk export of all the data can be provided.
• End-of-contract process: The end of contract process will depend on whether the council is replacing the system or simply removing the service.; ; If they are removing the service then we will work with the council to close the service down, extract all of the data into a final archive and provide that to the council for retention.; ; If it is to migrate to another provider then once the council has selected a change over date then we will work with them to provide an extract of the data on that date for import into the new system.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All elements of the service can be accessed and used on a mobile device. This is done using both responsive and adaptive design depending on the circumstances.; ; Some clients might also choose to install an Android, Windows mobile or iOS application to interact with the service but this is not required.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: All the data stored in the system can be access through the API. Moreover, all the actions that can be invoked through the user interfaces can also be triggered via the API. This allows the client to freely integrate the product with any other system that would benefit from such integration (e.g. CRM systems, mobile applications, financial transaction systems, etc).
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: There are three different levels of customisation.; ; Firstly, the application can be integrated with the customers existing systems, such as CRM; this is done by Athium developers in collaboration with the customers' IT specialists. Some of this has already been done and can be offered out of the box with just configuration required.; ; Secondly, the service can be customised in conjunction with the buyer to provide additional features or appearances. This can be done either by Athium or by the customer.; ; Finally, the service is set up to be configured by the buyer. It is expected that the customer (together with Athium if required) will insert their own data that will drive what services the customer provides, what data they collect and how they interact with their customers. This can be done through the interface provided.; ; A significant number of customisations have been added during the course of the Covid-19 pandemic. These are continuing to evolve and are made available to any customers who request them. Further details are available from Athium on request.

Scaling

• Independence of resources: This service is hosted on public cloud services with aggressive horizontal scaling configuration to ensure that the system always has sufficient resources to deliver the service. This is both for the specific user as well as across users.; ; This is a guarantee we can provide and offer additional options around dedicated hardware if required.

Analytics

• Service usage metrics: Yes
• Metrics types: Full analytics can be provided using Google analytics or Piwik analytics. ; ; Additionally every interaction with the system is recorded, whether by the citizen or council user. This can be returned to the council in a variety of standard reports as well as custom ones if required.; ; These will tend to include financial reports, technical reports, business management reports and service focused reports,
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported from the system using both the user interface (CSV and PDF formats), as well as using the REST APIs (JSON and XML format).
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • JSON
  • XML
  • PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • JSON
  • XML

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Our SLA guarantees 99.9% availability with specific exceptions (including those that mirror Amazon Web Services).; ; There are service credits available for any outages beyond this. There are also clearly defined maintenance windows.
• Approach to resilience: Full details are available on request but the solution is designed to both be able to be resilient and to recover quickly. The full solution uses multiple availability zones and more than one public cloud provider.
• Outage reporting: Outages are reported in real time using a combination of techniques depending on the severity of the incident and the amount of our infrastructure that has been impacted. For the worst case scenario we have a dashboard service together with SMS messages to key contacts at each customer.; ; For less severe outages we have a combination of our own dashboard, queries to the APIs, information within the system itself and email alerts.; ; These will be followed up with detailed analyses within our issues management system and the customer dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: This service is delivered to a number of different user types, from the citizen interacting with it (who doesn't have to use a username or password at all) to the customer's IT expert or third party who have access to the data via the API's. There are therefore a wide range of methods to access it (and that can be configured with the customer) with increasing levels of security being required depending on the type of system and data access that a user has. Full security can be provided using a combination of keys, VPN and multi factor authentication.
• Access restrictions in management interfaces and support channels: When accessing via the management interface or the support channels a user is still accessing using their user permissions. Other than during defined on boarding and leaving processes working with us all interactions within the system are done using a user with clearly defined permissions.; ; These permissions can be supplemented with smart checks (related to our protective monitoring) which can allow a user to have access to any individual set of data but flag up when it appears as if an unusual number of individual sets are being accessed.; ; Full monitoring of these users also occurs, as with other users.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: Full security can be provided using a combination of keys, VPN and multi factor authentication. In addition to other access methods there is some access via SSH shells. These are secured with SSH keys.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Our physical and infrastructure security is provided by the cloud providers that we use.; ; Our focus is therefore on the security of the applications and the data within those applications and we follow the NCSC principle for Governance framework.; ; We use the ITIL security management practices as well as other industry best practices. Our software has been developed in line with OWASP recommendations and best practices.; ; On a day to day basis the focus is on controlling access to the data within our systems, ensuring access is limited, proportionate and appropriate.; ; This can be tailored with the customer where required.
• Information security policies and processes: Our information security policy is owned by the Managing Director and is reported upon at board level.; ; This includes a core policy document that sets out the purpose, scope and principles of the policy together with compliance, discipline and incident management procedures. It also states who owns the responsibilities and when the document should be reassessed.; ; This is then supplemented by a number of other documents that address individual areas, for example access control.; ; These documents have been built up over a number of years working in both the public and private sector with organisations that have either extremely high profile data, extremely sensitive data or sometimes both.; ; This is a key area for us as an organisation and is reflected by the amount of attention it receives and the fact that these standards are applied across all of our work both in the UK and beyond.; ; These documents can be discussed with any customer during the onboarding process and any specific issues that customer has can be addressed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow the ITIL recommendations (based on ISO 27001) for our change management processes.; ; Before any changes are made to production services they have to have been promoted through both the test and QA environments where they have undergone rigorous testing for functionality, regression, data integrity and security amongst other elements. These tests are performed using both automatic and manual testing tools.; ; A change is then raised and logged within our change management system. This change is then tested, as is the backout, before it is performed by script at an agreed point on the production system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our vulnerability management is a multi layered process that addresses threats at a wide range of levels. Each component within the system is tracked and added to a threat matrix together with the source for information about that component (whether internal or external e.g. Mitre's CVE list).; ; Although we are prepared to react to some vulnerabilities in advance we assess our core lists on a daily basis. We also look at routine patching on a weekly basis.; ; Once we understand all the potential vulnerabilities they are patched in the most appropriate timeframe, ranging from minutes up to a few weeks.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use both third party services and our own tools to identify potential compromises. Once we have identified a potential compromise then the mitigation depends on what that could be.; ; Some responses are automatic and immediate (e.g. a simple attack from one or more IP addresses on a login page) whilst others require manual intervention and potential discussion with a client (e.g. an attack from a client network).; ; Even when the user is in the system our audit tools will ensure that incidents are spotted and addressed.; ; As part of the onboarding process the client would work through these scenarios.
• Incident management type: Supplier-defined controls
• Incident management approach: We follow ITIL best practice when dealing with incidents, as well as considering the NCSC guidance principles.; ; We use our issues tracker and knowledge base to deal with the majority of incidents, and a combination of automatic and manually driver responses that deal with those events.; ; Other incidents will be reported by a user (or picked up by our monitoring system) and added to our issues tracker. Management of the incident will then occur within that issue to ensure that it is fully recorded and assessed afterwards to see if it could have been avoided.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Effective stewardship of the environment through a commitment to be net zero by 2050.; ; In order to support and encourage this commitment, we have focused on three core principles of waste management: reduce, reuse and recycle. ; ; We will not:; ; waste what we do not use,; discard that we can reuse,; purchase what we cannot recycle.; ; Recognising that the most effective way to reduce the waste, is to not use it in the first instance, our primary focus will always be on the reduction of consumption.; ; Where we find that we have utilised a resource that we no longer require then we will aim to sell or donate it.; ; Finally where we need to purchase we will aim to only purchase those items that can be recycled at their end of life.; ; In applying our waste reduction strategy we examined our methods of production to determine where and how to apply our focus and set our goals.; ; How we get to work; ; We aim to maximise our Remote Working commitment to allow all staff the opportunity to work remotely full time, while ensuring that we support them to minimise the associated social risks.; ; The way we work; ; We are a service industry supplying IT software solutions, and have a long history of utilising technology in order to minimise the need for face-to-face meetings unless deemed absolutely necessary. We will continue to advocate the importance of shared virtual workplaces and maximise any opportunity to use technologies such as virtual whiteboards, instant messaging, video conferencing.; ; The resources we require to work; ; Our two largest consumables are computer hardware and electricity. We aim to minimise of computer hardware through our growing adoption and utilisation of virtual machines and emulators.; ; In terms of energy use, we seek to source from carbon neutral suppliers.

Pricing

• Price: £25,000 to £50,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A full trial version can be setup with the potential client for them to be able to assess the merits of the software.; ; To save the customer having to enter all of their own information it is setup with a default configuration.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@athium.com. Tell them what format you need. It will help if you say what assistive technology you use.