IMIN LTD

OpenActive / open data powered search & booking APIs for physical activity finders

The imin platform aggregates, filters and enhances live physical activity information (what, where, availability etc) from multiple activity providers, delivering real-time search & book functionality. This is used by Local Authorities to create powerful, up-to-date activity finder websites / apps / widgets for residents. Built with OpenActive / open-data standards.

Features

  • Real time Search - live availability for local physical activities
  • Real time Booking - seamless booking/payment for physical activities
  • Data Augmentation and quality enhancement
  • User accounts - upcoming bookings, cancel bookings, store payment cards
  • Provider Selection - choose which providers you receive data from
  • Secure whitelabel checkout (book & pay): host on your website, GDPR-compliant
  • Whitelabel live activity Timetable - to add to any webpage
  • Leisure Member Integration: create, manage and sync user leisure accounts
  • Interactive Chatbot: modern tools for dialogue-based physical activity search
  • Detailed, visual reporting: on physical activity opportunities available, booking trends

Benefits

  • Deliver real time information to residents about physical activity
  • Monitor search and booking trends to improve service investment
  • Residents manage bookings, payment cards etc from one account
  • Build fully interactive, seamless leisure centre websites
  • Tap into a network of public and private booking partners
  • Deliver end-to-end, measurable user journey for public health campaigns
  • A digital front door: residents can access all physical activity
  • Analyse activity availability and resident booking patterns
  • Provide streamlined access to physical activity for members and non-members
  • Residents can sync and integrate leisure accounts across services

Pricing

£100 a licence a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nish@imin.co. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

741098973912756

Contact

IMIN LTD Nishal Desai
Telephone: 07905861778
Email: nish@imin.co

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The imin platform integrates with the booking management solutions of physical activity providers - such as those used by many leisure operators, local authorities and smaller clubs.

Local authority websites - we provide live search engine, timetabling and chatbot tools that can be embedded into existing webpages.
Cloud deployment model
Private cloud
Service constraints
The power of the platform is dependent on the booking system software in use by the local physical activity providers (such as leisure operators). Whilst imin has integrated with numerous systems (especially those that are part of the Government-funded "OpenActive" initiative to open up more physical activity data), the imin service will be less impactful in areas where systems are in use that we have not yet integrated with.

However, we have shown in other areas that, with a local authority sponsor, we can rapidly integrate with new systems to enhance the service offering for any area.
System requirements
  • Resident-facing website (although we can provide a whitelabel)
  • Ability to create subdomains or edit existing pages (add plugins)
  • An activity finder / leisure website, local directory website etc.

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA dependent on Pricing Plan selected. If your chosen pricing plan does not include an SLA, then we will use best endeavours to answer any queries within a reasonable time frame.

For customers on a pricing plan that includes an SLA, responses to submitted support requests will be processed during the hours: 9am to 5:30pm (UK time), Monday to Friday; and best endeavours at the weekend. Our SLA for response times scales dependent on the severity and nature of the defect reported.

Additional support available as part of SLAs at higher tiers.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
We use a product called "Slack" to interface with our consumers. It is an online chat forum for organisations. We invite customers to join Slack, with a dedicated channel for their questions and support. Customers can ask questions, query API documentation, send images / screenshots of issues, and have a history of the conversation.
Web chat accessibility testing
None to date.
Onsite support
Yes, at extra cost
Support levels
Where a price plan includes our standard SLA, the support levels include:
- access to online documentation
- queries can be emailed to our helpdesk
- customers can request a chat (Slack) support forum to be set up*
- customers can request named account manager support*
- customers can request technical account manager / developer support*
- standard uptime guarantees
- response times for critical bugs and issues from 4 hours, according to severity (generally immediate where possible).
- scheduled system maintenance that might result in a pause in the Service: at least 5 working days’ advance notice will be provided.

*A custom SLA (based on specific customer requirements) is available on the "Enterprise Tier" of Service, and includes these types of SLA features. Please see pricing document for cost related to support levels.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Over the phone / online developer support is offered initially at docs.imin.co. Specific guidance has been created for starting a project using the APIs, as well as use case specific examples and instructions.

Further onboarding documentation provided over email, or in person / phone, dependent on pricing plan chosen. This includes the option of on-site training / up-skilling in the basic principles and technology of OpenActive and open data, for customer's team and / or local partners such as activity providers.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
For the Search API part of the Service, imin does not hold any User-owned data so there is no extraction requirement on contract termination.

For the Booking, User Accounts and Leisure Account Sync part of the Service, imin acts in the Data Processor role, so at notice of contract termination we will inform the User to ensure they have retained and stored whatever data they require from the Service, and at contract termination date we will destroy any personal data we hold on behalf of the User.
End-of-contract process
When contract termination is delivered by either party:
(a) the termination date is agreed by both parties (which is when the API key will become invalid)
(b) the Customer will be prompted to retrieve and separately store any Service data that they own
(c) at termination date, the API key will be invalidated and any and all personal data held by us on behalf of the Customer will be destroyed across our systems and sub-processor systems.

The above steps are all included with all pricing plans.

If there is to be any handover to replace the imin Service with a like-for-like Service, we will provide technical resource at a pre-agreed day rate to support this process.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
For Search, the Service is delivered through a set of APIs providing data to a front-end application - either web or mobile. There is no difference in the Search API output or performance whether on mobile or on desktop.

For Booking, the whitelabel Checkout (a front-end flow for secure booking and payment of physical activity by a resident) is fully responsive on any screen size.

The imin platform has been used successfully multiple times across desktop, mobile, chatbot etc.

The whitelabel Timetable plug-in is fully responsive and is optimised for desktop and mobile screen size.
Service interface
No
User support accessibility
WCAG 2.1 AAA
API
Yes
What users can and can't do using the API
The core of the imin platform is itself a set of APIs:
(1) search API - live availability of physical activities
(2) booking API - booking (and payment) for those activities
(3) user accounts - creation of user accounts, allowing users to retrieve details of previous and upcoming bookings, make amendments, cancellations and request refunds
(4) leisure member sync - allowing users to "authenticate" their leisure account in order to make bookings under an existing leisure centre account / membership level.

Our customers receive API keys to securely access the API endpoints included in their agreement. Users are helped, through online guidance or by their account manager, to create the right API calls for the end-user journey they wish to create. Any restrictions within the API (for example, based on pricing plan selected, or for custom requirements such as only showing data from certain physical activity providers) will be set up by the imin account manager when providing the customer with specific API keys.

Customers can then autonomously make specific API calls to the service, within a set of parameters described in the API documentation, in order to best meet their use case.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Customers can:
- whitelist or blacklist which physical activity providers they would like to access through the Service
- instruct imin to create custom "enhancement rules" based on the user experience being created - e.g. if the resident-facing website is aimed at inactive people, ensuring all images, text etc are suitable for motivating that demographic to engage in physical activity, as well as adding relevant tags such as "suitable for beginners" to enhance searchability by end-users
- choose whether the secure booking and payment whitelabel checkout is part of the user experience to be delivered
- work with a selection of our partners who have already created whitelabel activity finders integrated with the imin platform (i.e. off-the-shelf brand-able resident facing widgets or whole websites)

Customers can choose their customisation during the contracting process - their account manager will present these options to them in order to set up the Service to begin with. Customers can liaise with the account manager on-going if requirements change over time and customisations need updating.

The authorised main point of contact between imin and the User will be instructing the account manager about any customisations required.

Scaling

Independence of resources
The cloud infrastructure on which our services are built allows for simple and automatic horizontal and vertical scalability, which responds to varying load. We also regularly monitor our service response time, which allows us to proactively identify and respond to infrastructure bottlenecks. See https://imin.statuspage.io/

Analytics

Service usage metrics
Yes
Metrics types
Search trends - number of searches, when, where.
Booking trend - number of searches, when, where, and for what.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Our internal data security measures and protocols include provision for Physical and Environmental Protection
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The relevant data for export is any booking history related data, which can be accessed via the Service dashboard delivered to the Customer. They can view booking history data, and can choose to export it via CSV.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The SLA provided with relevant Pricing Plans guarantees at least 98% uptime.

Refund mechanisms (Service credits) as per https://www.imin.co/terms/service-terms-of-use#Schedule-2-Service-Level-Agreement
Approach to resilience
We have appropriate SLAs in place with each cloud infrastructure supplier in use, as well as several redundancy measures, backup syncs etc for outages. More detailed information is available on request.
Outage reporting
We have a public dashboard at https://imin.statuspage.io/

We will also notify Customers via email if there is a serious outage that has the scope to affect the delivery of their own service to end-users.

We will also notify Customers ahead of time if there are any expected service outages due to planned maintenance work. The Standard SLA states that notice of maintenance will be sent at least 5 days before any downtime is expected.

Identity and authentication

User authentication needed
Yes
User authentication
Other
Other user authentication
Customers must supply correct API key credentials when making API calls to the Service.
Access restrictions in management interfaces and support channels
Management interfaces / Support Channels are either restricted to email, or for monitoring dashboards a username and password is required.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication
For internal staff, we have a centrally administered 2 factor authentication process - profiles can be denied access remotely.

For clients, they cannot directly access administrative areas of the platform - this is done by communication with their account manager who will set up API options on their behalf accordingly.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
PCI Security Standards Council
PCI DSS accreditation date
17/03/2022
What the PCI DSS doesn’t cover
The imin Book & Pay Checkout used to deliver the single, consistent Booking System is PCI-DSS payment compliant (through the Stripe payment gateway). imin do not store credit card information directly, and instead use a tokenisation mechanism via secure SSL connection to defer this storage to Stripe, which assures PCI DSS compliance using the “Pre-filled SAQ A” method (https://stripe.com/docs/security).
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
IMIN LTD complies with the requirements of the Cyber Essentials Scheme and achieved a Gold Award certificate of assurance for the IASME Governance Standard in 2018, with an independent on-site audit (this offers a similar level of assurance to the internationally recognised ISO 27001 standard).

Since that audit, we have maintained rigorous practices in accordance with those standards, but have opted to not recertify with IASME due to the expense involved. For contracts that require this to be in place, we are willing to re-certify with IASME as needed.
Information security policies and processes
Acceptable Use of Corporate Property (AUCP) Policy
Administrator Access Tracker
Asset Register - Information
Asset Register - Physical
Breaches of Personal Data Protocol
Bring Your Own Device (BYOD) Policy - Laptops
Bring Your Own Device (BYOD) Policy - Mobile Devices
Business Continuity Plan & Disaster Recovery Plan
Computers & Networks Management Information
Data Classification Policy
Data Privacy Approach for B2B Contacts
Data Protection Policy
Information Security Policy (including Incident Reporting Procedure)
Privacy Impact Assessment
Record of Processing Activities (Article 30 GDPR) - imin as a Data Controller
Record of Processing Activities (Article 30 GDPR) - imin as a Data Processor
Subject Access, Data Portability, or Right to Erasure Requests: Process for Response

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
1. A System Change Request Form is filed.
2. The proposed change is described with reason for change given.
3. The impact of the change is evaluated (including priority, environment impact, resource requirement, test plan description and rollback description).
4. The change is approved or denied.
5. The change is implemented and tested.
6. The completed change is communicated.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
1. imin uses Sophos to perform vulnerability scans of BYOD and corporate devices, including reporting unsupported applications, and takes immediate action to resolve any vulnerabilities detected.
2. The Company uses a combination of Detectify (penetration testing) and Snyk (components with known vulnerabilities - A9 of OWASP Top 10) to detect software vulnerabilities.
3. The results of the scans and any changes made shall be reflected in the Company’s risk assessment and security policy as appropriate.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
1. Where possible, we aggregate error and event logs from all applications, in addition to Heroku and AWS CloudWatch native logs. We deal with each incident generated on a case-by-case basis.
2. The Company also has real-time alerts sent to the team to monitor for unacceptable activity and suspicious user behavior.
3. Where volumes are high, the Company will use a cloud-based log analytics service such as AppDynamics.
4. The Company reserves the right to monitor systems or communications activity where it suspects that there has been a breach of policy in accordance with the Regulation of Investigatory Powers Act (2000).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
1. All breaches of policy and all other information security incidents are reported to the Security Officer.
2. If required as a result of an incident, data will be isolated to facilitate forensic examination.
3. Information security incidents are recorded in the Security Incident Tracker and investigated by the Security Officer to establish their cause and impact with a view to avoiding similar events. The risk assessment and relevant policies are updated, if required, to reduce the risk of a similar incident re-occurring.
4. A record is kept of all security incident investigations.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

Wellbeing

The imin service can directly improve the health and wellbeing of citizens. Our mission is to help organisations, including public bodies, to lower the barriers that exist for people to engage in physical activity - whatever their preferences, background, socioeconomic status, fitness levels, disability etc. Using the imin API (and further supporting OpenActive) will (a) contribute to this mission nationally, and (b) help deliver this benefit to residents locally.

The imin service also improves community integration, because by delivering one physical activity search capability for residents, local activity providers in the community can more easily reach their intended audience. More local people can find out about the breadth and diversity of the local physical activity offer, finding the activity that is best for them (rather than only finding those with the best marketing budget). This levels the playing field and makes it more likely that residents will make connections with their local community organisations.

Pricing

Price
£100 a licence a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
All APIs, products and services can be made available for a limited time to test development approaches, with either test data, or where needed (in exceptional circumstances) with time-limited access to live data.
Link to free trial
https://docs.imin.co/platform-products/search/imin-events-api#dummy-data
