Worktribe Research

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: The system does require some configuration to accommodate each client's internal approvals processes. The configuration is performed during the implementation project, which under G-Cloud is termed the 'onboarding process.'
System requirements: Users require a modern browser with Javascript enabled

User support

Email or online ticketing support: Email or online ticketing
Support response times: Second-line Worktribe support is available to technical client staff from 9am to 5pm UK time, Monday to Friday, excluding English bank holidays.

Faults are categorised and resolved based on their priority:
* High (Service is not available, multiple users affected): 1 hour response, 4 hour fix/workaround.
* Medium (Intermittent fault causing great difficulty in using the service, one or more users affected): 2 hour response, 8 hour fix/workaround.
* Low (Intermittent fault but service is still usable, one or more users affected): 8 hour response, fix time by agreement on a case-by-case basis.
User can manage status and priority of support tickets: No
Phone support: No
Web chat support: No
Onsite support: No
Support levels: Support services are included within the annual SaaS fee.

We provide remote support between 9am and 5pm Monday to Friday, excluding English public holidays.

Typical support arrangements for ongoing support and maintenance are that the client provides first-line support in-house, with Worktribe providing second- and third-line support via our UK-based helpdesk.

Support requests are submitted to Worktribe using our online tool or, in exceptional circumstances, via email. Regardless of the channel through which the request is raised, a ticket is created on our portal to track the request through to resolution.
Support available to third parties: No

Onboarding and offboarding

Getting started: Worktribe immediately provide 3 environments as standard: Test; Train; and Live.

The implementation process then consists mainly of: online training for the client's project team; workshops to define the client's approvals processes; configuration of the system to accommodate the agreed approval processes; client staff setting up the base data (client-specific lookup lists, for example); client staff setting up integration links with their other systems (typically HR, finance and website CMS); importing legacy data (optional); testing; client staff training the wider user base; and go-live. The following documentation is provided: User guides; Administrator guides; API documentation; data import documentation; documentation guidance on use of templates for documents containing Worktribe data.

Worktribe provides an implementation consultant and a project account manager. Support is provided from the start, and regular progress meetings are held. The key determinant of implementation speed are the readiness of the client and the client's assigned resources. As the system is already in wide use, the implementation process has become streamlined and quite straightforward.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Clients may extract their data using the following methods:

1) Using the Worktribe API, which is comprehensive and exposes all user data.

2) Using the SQL data extract, which is provided as part of the Worktribe service. This extract is normally provided on a regular basis for input to the client's Business Intelligence or other corporate reporting system, but it may also be used as a data source at the end of the contract.
End-of-contract process: The costs of the end-of-contract process are included within the normal annual SaaS charge. The process is:

Some months beforehand, client and Worktribe to agree dates for trial data extracts and uploads to new system, and for final data extract.

On each extract date:
* All users (including system administration users) to be logged out at a previously-agreed time.
* Worktribe to shut down all user access to the Worktribe system.
* Client to perform whatever extracts they need via the API.
* Client to test the outcomes (including imports to the replacement system).

After the client has performed the final data extract:
* Worktribe to delete all copies of the client’s research-related data from its systems, no matter how old, or where held or in what format. (This may require destruction of physical media.) Worktribe to inform client in writing when deletion is completed.
* Worktribe to retain data regarding business contacts between the client and Worktribe, and commercial data regarding the relationship, subject to the limitations of the Data Protection Act or equivalent(s) then in force.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: The system includes a Graphical User Interface (GUI) and an Application Programming Interface (API). Other interfaces are also provided for importing legacy data in Excel format and exporting report data in Excel, CSV, XML and Microsoft Word formats.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: To assist in our accessibility evaluations, we use the Web Accessibility Versatile Evaluator (WAVE) tool.

Text blocks are well formatted and readable by screen readers.

Worktribe users can also customise the presentation for accessibility within the usual constraints of the web browser and their operating system (for example to increase the font size or change the contrast ratio).
API: Yes
What users can and can't do using the API: Worktribe's comprehensive programmatic REST API has HATEOAS features. This is our preferred method for integrating with your other systems.

Typical API uses include: loading legacy data; receiving HR data (including salary data) from your HR system; integrating with your finance system to synchronise budget codes and receive 'actual spend' data; integrating with your web site CMS to expose researcher profiles and research outputs.

The REST API exposes all data entities to full CRUD (Create, Read, Update, Delete) operations, and is fully under your control.

The integration mechanism consists of responding to authenticated HTTP commands sent by external applications. This means that creation, reading, updating and deletion of records within the Worktribe system by external applications are performed using the appropriate POST, GET, PUT and DELETE commands. Data is exchanged in JSON format.

The system also includes an event driven 'subscription' system. This means that you can have both 'push' and 'pull' integrations.

API-based interactions between the Worktribe system and the other systems may be managed by your own ‘integration layer’ or ‘middleware layer’. This is a flexible, ‘loose coupling’ approach to integration.
API documentation: Yes
API documentation formats: HTML

PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The Worktribe Research system is provided as a package, with the following customisable/configurable aspects:

1) Clients can maintain their own specific lookup lists (e.g. organisation structure, salary scales, lists of journals and publishers, tags of all types, report templates, and so on).

2) The system's workflow accommodates the approvals processes for each client through the configuration of users’ and groups’ responsibilities at each workflow stage.

3) Certain product fields can be specified as mandatory or non-mandatory as required by the client.

4) Certain product fields/questionnaires can be configured as required by the client.

This configuration is done during the implementation project, called the 'onboarding process' under the G-Cloud framework.

Scaling

Independence of resources: We run VMware vSphere in a fully redundant, high-availability configuration, using load balancers and private cloud systems for scaling. All virtualised systems are single-tenanted (i.e. clients do not share virtual disks or machines).

Analytics

Service usage metrics: Yes
Metrics types: The support portal includes provision for client reports and data exports to be created at any time, so that performance against SLA is completely transparent.

Examples include:
• Uptime%
• Number of support tickets per month
• Average issue resolution time
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402

Encryption of all physical media
Data sanitisation process: No
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users may export data from the Worktribe system in JSON format via the API.

User-specified report datasets may also be exported in CSV and Microsoft Excel formats.

The Worktribe system also enables export of data directly into documents, using Microsoft Word document templates. Clients may create many Word templates which retrieve the required data from the Worktribe system automatically and present it as part of the resulting document, similar to mail-merge.
Data export formats: CSV

Other
Other data export formats: JSON (via the API)

Microsoft Excel

Microsoft Word
Data import formats: CSV

Other
Other data import formats: Microsoft Excel

JSON (via the API)

XML

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Our standard availability is 99.8% uptime. The Worktribe Service Level Agreement includes provision of service credits if availability drops below 99.8%.
Approach to resilience: We use virtualized servers and redundant disks that give us a high level of availability and resilience at our hosting provider. This maximises uptime and minimises the risk of system loss.

We take hourly encrypted backups to local backup systems at our primary secure host. These encrypted backups are themselves immediately backed up to a second secure hosting site, as a precaution against failure of both the system and backup at the primary host site.

In the event of disaster and failure of all fully redundant systems at our primary site, we will trigger the restore from backup. Any restoration of data from backups is performed by our in-house staff.

Worktribe uses automated provisioning software that enables us to quickly rebuild systems at a disaster recovery site. If we initiate the offsite recovery (e.g. if all network connections to the primary host were severed, with predicted downtime of hours or days) we can be up and running at the secondary recovery site within hours.

We regularly test our backup systems, both offsite and onsite. We also temporarily clone and restore live systems for testing and support, so the system is in constant use.
Outage reporting: The situation is presented on each client's support dashboard provided by Worktribe, so it is visible to the client.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password

Other
Other user authentication: The Worktribe system supports single-sign-on using customer Identity Providers including Shibboleth (via the UK Access Management Federation), Microsoft ADFS and Azure AD (SAML 2.0). With several of these systems, multi-factor authentication is also available. The Worktribe system also includes a built-in local authentication module (password based).
Access restrictions in management interfaces and support channels: There is no management interface available to client personnel or to hosting suppliers. Access to servers for management purposes is tightly restricted to just a few individuals within Worktribe.

For our own support personnel, access to client data is controlled by public key authentication rather than by password. The very few staff authorised to access client data have individual keys, and the authorised set is controlled by our provisioning systems. Alternatively, the support personnel can ask the client to grant access, which of course leaves the usual in-app audit trail.
Access restriction testing frequency: At least once a year
Management access authentication: Public key authentication (including by TLS client certificate)

Dedicated link (for example VPN)

Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI Assurance UK Limited
ISO/IEC 27001 accreditation date: 05/03/2024
What the ISO/IEC 27001 doesn’t cover: Secure hosting services are not covered by our ISO27001 certification, but are covered by that of the secure hosting suppliers we use. We only use hosting suppliers who are ISO27001 certified.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: All staff certified on the CybSafe security training platform.

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: The Chief Information Officer (CIO) is an Executive Director of Worktribe, who ensures that:
• The Information Security systems are fully documented and implemented in accordance with ISO 27001:2013
• All employees are made aware of customer requirements and have the skills to ensure they are met.
• All employees are aware of the Information Security policy statements, and their role in the implementation of these. This is supported by provision of a Staff Security Procedures document on the company intranet, and frequent reminders on the intranet to keep security at the front of employees' minds.
• Management reviews of the performance and improvement potential of the Management System are regularly provided.

In practice, the CIO is also personally involved in the control of access to client data, which can only be obtained through explicit and time-limited permission, and is only granted to a few staff. Access to client data is also tracked through use of individual keys, so that each access can be traced to a specific individual.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All software is based on the secure Worktribe platform to minimise security risks. Each software release and each build within each release is uniquely identified. Each new release is tested before publication. Requests for new and amended functionality are normally discussed using our online user group forum. Those gaining sufficient support are discussed at formal user group meetings. Further specification refinement may then take place in special interest group meetings, so that new features embody best practice. The new functionality is then embedded into our road map, and provided as part of our planned release schedule.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Our systems are hosted in a private cloud with secured access, so the server environment is tightly controlled. We receive the security patch streams for Ubuntu LTS (the operating system on our servers), which are promptly installed first to our development and test systems, and then to production systems. Our DBMS is our own proprietary system which is stable and is guarded in several ways which prevent any unauthorised access. This prevents security attacks against the database. Also, user access permissions are enforced by the Worktribe platform at the lowest level of database access, so cannot be subverted.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We use automated monitoring tools to keep a continual eye on the systems, and intervene immediately if we see any issues arising. We also use automated intrusion prevention systems which block IPs making suspicious access attempts.

Worktribe has a strong track record with the speed in which we react to client situations. We are confident that our client base of over 50 HEIs would answer any questions you may have about our responsiveness.
Incident management type: Supplier-defined controls
Incident management approach: Users report incidents as support requests. If we ever had a data breach it would be accorded the highest importance and urgency, and escalated for immediate investigation by our most senior engineers, including the Chief Information Officer.

An integral part of our incident management process is frequent investigation progress updates by phone and email. For this purpose Worktribe maintains an 'In Case of Emergency' list which contains both phone and email details of emergency contacts within clients, to be used in the case of such an event.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

Worktribe is committed at management level to helping clients to minimise and reduce their environmental impact. As a documents and records management system provider, these issues are core to the service that we provide, and we lead by example:
- The Worktribe platform provides a document and records management system that captures, stores and retrieves all materials for day-to-day research and curriculum management. Worktribe has maintained a fully paperless office since 2003, and our system helps clients towards achieving this goal (no paper files).
- Our implementations are completed remotely using online conferencing and screen-sharing systems (to reduce the need for travel)
- Our online project and ticket Tracker system with integrated version control allows for fine-grained control of all day-to-day project/BAU issues (no paper files)
- In addition, the company operates a range of online systems to minimise its own environmental impact, including use of the Worktribe platform for its own CRM system, for tracking all inbound and outbound communication with customers and suppliers (no paper files)
- We operate a documented environmental policy. This includes a statement of intent that lays out our commitment to consider environmental impacts in every aspect of our business, and we actively aim to work with local customers and suppliers wherever possible.
- We also operate a complete e-invoicing system and all transactions with existing customers and suppliers are fully paperless. We perform all financial transactions via BACS and CHAPS and our supplier selection criteria include their ability to trade electronically. We manage all of our business administration online, using the Government Gateway services for payroll, corporation tax and VAT.

Pricing

Price: £8,550 a licence a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Worktribe Research

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents