Cintra HR and Payroll Limited

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: NA - no hardware constraints.
Maintenance arrangements are also minimal
System requirements: Multifactor authentication required to access mobile or browser add-on

User support

Email or online ticketing support: Email or online ticketing
Support response times: Questions are triaged. In general questions are responded to within one workind day unless they are determined to be urgent in which case they will be responded to within 30mins/1 hour
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: We offer a single level of support for all clients.
We have a dedicated support team who can deal with all technical queries and issues. You will have a named account manager that will be able to assist with on-going contract management and work with you on a consultancy level .
Support available to third parties: Yes

Onboarding and offboarding

Getting started: From the outset, we provide guided implementation project support which ensures that the system is configured for your requirements. We provide User training as part of the implementation process and on an ongoing basis as required. We have an extensive online library of guidance, information, fact sheets and how-tos. We also have a dedicated support team who can respond to queries as well as the use of our Cloud messaging service which is a means of communicating directly with our outsource team if you are using our payroll team for processing.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: Data can be extracted from the system
This can be provided to the client within a CSV format
End-of-contract process: Our Exit Strategy details the process for contract migration or handover.
Data which is returned to the Data Controller will be executed in line with the Information Transfer Policy which can be summarised as follows:
-Formal agreements and arrangements for the transfer of data must be set up prior to data transfer.
-Transfer of data should not contradict the PSSG Data Protection Policy, PSSG Data Retention Policy, or contravene any data protection legislation.
-Personal data will not be transferred outside of the European Economic Area without prior written consent of the data subjects and proper legal justification.
-Transfer volume and frequency should not unduly affect normal operations. If excessive or unfounded requests for data transfer are received, PSSG reserve the right to charge an appropriate admin fee, which will be agreed in advance by both parties.
-Both parties must take appropriate steps to ensure confidentiality, integrity, and availability of data is preserved during transfer. Key contacts for data transfer should be agreed in advance of the event

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: No difference
Employee Manager access to self service has been designed with mobile phones in mind enabling users to download payslips, book absences, access P60s, P11ds.
Service interface: Yes
User support accessibility: None or don’t know
Description of service interface: TBC
Accessibility standards: None or don’t know
Description of accessibility: TBC
Accessibility testing: We use CircleCI as our testing software in order to deploy our software. When we add new functionality , as part of testing before deployment we build into our testing routines. The software steps through each process automatically.
API: Yes
What users can and can't do using the API: An integration key will be provided on request allowing for a third-party system to make API requests into our payroll system. All changes would be made through this method.
Our main API documentation can be accessed at - https://api.cintra.cloud/documentation/index.html. We also have the ability to create a specific Integration API for the purposes of a deeper integration. To use this, we would share a postman collection with the client of all the endpoints we have available.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Tbc

Scaling

Independence of resources: Databases are single-tenant which limits the effect on service users. The service is scalable and continually monitored.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users have the ability to run standard and custom reports through the software. Data can be exported in CSV, xls, PDF , Word.

In Cintra Cloud, users can select data and export with a click of a button.
Data export formats: CSV

ODF

Other
Other data export formats: Xls

PDF

Word
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: We don't have an SLA for availability. Uptime...
Approach to resilience: Available on request
Outage reporting: Email alerts are used to report outages.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: Regarding support channels we follow user identification, to ensure that you are a user of the system.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SGS (UKAS accredited international certification body)
ISO/IEC 27001 accreditation date: July 2023
What the ISO/IEC 27001 doesn’t cover: Clause 14.2.7 as we do not outsource any system development functions
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: Cyber Essentials Plus, and ISAE3402
Information security policies and processes: We have numerous policies in place and operate in line with ISO 27001.
Cintra follow the principles of the Data Protection Act 2018, United Kingdom General Data Protection Regulation (UK GDPR) and the European Union General Data Protection Regulation (EU GDPR).

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Compliance FAQs

Software development cycle compliance
IT infrastructure and cloud change management
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We have an IT team that follow security blogs and information portals to identify any new common threats.

We perform regular penetration testing to ensure that we analyse potential vulnerabilities.

Any vulnerabilities that are classed as either High or Critical have an SLA of 24 hours from being identified to when they are fixed, deployed and in production

Whenever a vulnerability or threat is identified, we convene a group of our most senior IT and infrastructure engineers to work out what needs to be done and plan a course of action within 4 hours of the threat being identified
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We have tools to monitor for potential compromises. Primarily we install anti-virus software on our machines. Compromises are alerted through email/live chat systems to our IT team.
An individual is responsible for triaging potential alerts in 5 mins. In the event of a large threat, they initiate a group call with relevant members of our IT/Development teams.
Our experienced professionals do no other work until the threat is identified and entirely eliminated.
Our maximum SLA is 24 hours to resolution but we expect this to be under 1 hour.
We use Dark Trace to eliminate and isolate network-related threats automatically.
Incident management type: Supplier-defined controls
Incident management approach: Incidents are either reported manually by customers to our support team, or we have active monitoring of all servers and services and any incidents are quickly identified.
A designated individual for each area of our system is responsible for triaging potential issues and prioritising this. If they identify that the issue is a P1 issue (major customer impacting incident that prevents significant parts of our system from operating correctly) they convene a group of our experienced IT and Development professionals who work together until the incident is resolved.

Our SLA for P1 Incident resolution is 1 hour.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Equal opportunity

Cintra is committed to supporting equal opportunities by fostering an inclusive workplace that upholds the principles of diversity, fairness, and respect. We have established policies and initiatives designed to promote diversity and prevent discrimination across all aspects of our operations.

Modern Slavery Policy: We uphold a zero-tolerance stance towards modern slavery and are dedicated to ensuring all business dealings are conducted ethically. This includes implementing effective systems to prevent any form of modern slavery within our business or supply chain, as detailed in our Modern Slavery Policy.
Health & Safety Policy: Our Health and Safety Policy underlines our commitment to ensuring the well-being of all employees, visitors, and contractors, emphasising our responsibility to provide a safe working environment.
Data Protection and GDPR Compliance: We adhere strictly to GDPR and other data protection laws, ensuring fair and transparent processing of data, which supports our commitment to protecting the rights and freedoms of all individuals.
Sub-Processor Transparency: In our handling of data and engagement with third parties, we maintain transparency about our approved sub-processors, which aligns with our commitment to ethical business practices and compliance with data protection laws.
Support for Employee Development and Recognition: Our dedication to equal opportunity extends to our professional development and recognition programs, ensuring all employees have the opportunity to grow and be recognised within the organisation.

Pricing

Price: £1.87 a user
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Cintra HR and Payroll Limited

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents