SHAUNSOFT LIMITED

CTX

CTX is an application to manage the day-to-day provision of transport services, including Home to School Transport, Social Services Transport, Community Transport. You can use the application to manage contracts with external providers as well as your own fleet.

Features

• Scheduling, route planning, optimisation, map visualisation of journeys and routes
• Travel Passes, Door to Door Services, SEN Transport, Mainstream Transport
• Own fleet vehicle diary, Driver, and PA allocation
• Comprehensive database, Passengers, Pupils, Organisations, Schools, Operators, Other Destinations
• Configurable Pupil Eligibility, Walking Routes, Catchments
• Driver and Passenger Assistant management, operator, and own staff
• Contract and Operator Management, including incident and onsite school inspections.
• Custom Reporting for spreadsheets, maps, graphs, letters, emails, and print
• Windows Application, Web, and Mobile Apps
• Custom API for other system integrations

Benefits

• Straightforward, intuitive, and easy to use interface(s)
• Flexible configuration to meet your monitoring and reporting needs.
• Save time and money building optimal routes and schedules.
• Easily export data for analysis in your preferred tools.
• Custom API allowing integration with your and 3rd party systems.
• Streamline administration of your transport services
• Scalable and secure with regular updates including user requested features
• A simple affordable subscription with no hidden costs.
• Easy to access and quick to respond support
• Host your data in our cloud or your own cloud

£1,600 a licence a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at shaun@shaunsoft.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

755791016730836

Contact

Shaun Ellis
01768 779988
shaun@shaunsoft.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: The primary application is Windows based and requires a local installation(s).
• System requirements:
  • Windows Version 10 or Later
  • Cloud Access
  • Firewall Rules

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Monday to Friday 9-5 usually within 5 minutes, out of hours depending on the priority of the issue within an hour or so.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: We use Microsoft Teams for chat based support. Users can contact us any time on teams, though we prefer people to telephone out of hours.
• Web chat accessibility testing: We haven't tested Microsoft Teams with users of assistive technologies but Microsoft says that teams aligns with WCAG 2.1 AA and EN 301 549.
• Onsite support: Onsite support
• Support levels: We only have one level of support as part of our subscription that is available typically 9-5 Mon-Fri, however users can telephone out of hours for high priority issues, such as a service outage, account failure etc.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The approach to getting started we take is very much dependent on the needs of the users and the customer. We typically set the users up with a ‘test’ set up either with our dummy data or with a test version of their ‘imported’ data, we then go through all the processes and parts of the system the user will need to understand and use. ; We try and encourage at least one user to get a deeper understanding the wider framework as helps this helps review their existing practices and see how CTX can assist them in being more efficient. ; Our training sessions are conducted usually through Microsoft Teams, delivered in concise, segmented sections. We intentionally maintain an informal tone during these sessions, as we believe it enhances information retention and facilitates effective learning. ; During this process, we not only reevaluate the configuration but also work with the customer to produce focused documentation on their processes. Once the users and the customer feels confident in the system we will take them live. We encourage all users to contact us as often as they need for help with new processes or for support using parts of the system they use infrequently.
• Service documentation: Yes
• Documentation formats:
  • ODF
  • PDF
  • Other
• Other documentation formats:
  • DOCX
  • Markdown
• End-of-contract data extraction: At the end of the contract, we will keep the system live and work with the customer to ensure that they have extracted all the data they require. Once this has been done, we will continue to keep the system live for up to 6 months or until the customer confirms that we should securely delete their data. If the customer is hosting their own data, then they can do with it what they want, we will support them in extracting the data, creating views and reports and so on for up to 6 months.
• End-of-contract process: There are no additional costs at the end of the contract. Once the data extraction period is completed, we will delete all users and any records we have beyond those required for legal reasons. We recommend that any applications the customer may have installed be removed to prevent any confusion as they will no longer function.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems: Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Yes, our mobile apps are limited to specific tasks. For example, we produce an app called ctxGoDrive which is an application for drivers who have been allocated work in the primary application, that details pick ups and drop offs, collection of mileage etc. We intend to add more of these focused apps.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Our API’s provide access to all aspects of the CTX platform. We typically create or adapt our API’s to meet the needs of our customers and where appropriate their 3rd party suppliers. The only limitation to access to our API's is that users must support Oath2.0 and the Microsoft Identity platform (Microsoft Entra).
• API documentation: Yes
• API documentation formats:
  • ODF
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: CTX has been designed from the ground up to be customisable, in the way it behaves, how it looks and the content. ; Each user can customise their profile, choosing dark or light theme’s, indicative colours, e.g. Warning Colour, Good Colour etc. They can choose font sizes for lists and create short cuts to parts of the system. They can also control how windows open with support for multiple monitors. They can choose to see their own dashboard, a system wide dashboard or none when they open the application. These profiles follow the user around the different applications either on the web or mobile where appropriate.; ; Throughout the application there are drop downs and choices, for example Journey Purposes, Cancellation Reasons, Eligibility Reasons, User and Staff tags, all the content of these options are fully customisable, with colours, order and ‘rules’. ; It is also possible to customise how CTX behaves through hundreds of settings and options. Including, eligibility rules, how to generate account references, charging structures and support for external services. You can also control which users have access to which applications or parts of applications.

Scaling

• Independence of resources: All our services are monitored in real time for performance and capacity issues. If any of the metrics we monitor were to get anywhere close to degrading our services, we receive automated alerts. Most of our services are configured to automatically scale as required. If required, we can manually scale in response to a severe situation.

Analytics

• Service usage metrics: Yes
• Metrics types: We closely monitor all access to the system in general and all the applications. Each of our customers has different requirements from our metrics, so we tend to work with them to make sure that they have what they need, either through reports or a custom API.
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: Never
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Within the application there is a report type called Quick Reports, these reports are created on request for the customer at no extra cost and can be exported to CSV, XLS\X, PDF, HTML and other formats. The process is straightforward, a user contacts us and describes the data they require and what criteria, we add this to the Quick Report menu, users can then run the report as often as they require, to export the data they run the report and choose the save as dialog.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • XLSX
  • HTML
  • PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats: XLSX

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We aim to provide 99.9% uptime for all our services. To do this we leverage Microsoft Azure’s robust infrastructure, which guarantees an industry-leading Service Level Agreement (SLA) of 99.99% uptime for its services. All our services, including our API's, Websites and Databases are hosted within Azure. In the event of us failing to achieve this level of service we would suspend the software users subscription payments for an agreed period of time. We currently don't provide a formal SLA for our services, however if a customer were to request a specific agreement, beyond what is stated in our terms of service we would happily work with them to create one that meets both our requirements.
• Approach to resilience: Our software is hosted on Microsoft Azure, which has a highly resilient data center setup, certified to the highest standards. We use the Microsoft Azure UK West datacentre as our primary centre with failovers to the UK South datacentre.; We take advantage of Azures various disaster recovery solutions, such as Azure Site Recovery, Cloud Defender and Azure Backup, which further enhance the resilience of our services. These services allow us to quickly recover from disruptions and minimize downtime.; Azure continuously monitors the health of its services and hardware, enabling proactive maintenance and fast response to any issues that arise. We also monitor the health of all our services and have configured alerts to warn of any potential issues.
• Outage reporting: Any outages or potential service outages are reported to customers via email alerts. If there is an outage that would affect specific customers, we would contact customers directly by phone.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: We are currently evaluating using secure pass keys with aim of going passwordless using Microsoft Entra (formerly Azure Active Directory).
• Access restrictions in management interfaces and support channels: Within the CTX framework each user has an access level to each of the core applications. There are in practice only 2 levels, Admin and Standard User. These are managed by an Admin user of the application, who can grant or deny access to various parts of the system and it’s applications. All users have access to support for functionality they have permissions to access.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Citation
• ISO/IEC 27001 accreditation date: 14/06/2023
• What the ISO/IEC 27001 doesn’t cover: 7 Physical Controls; This is not currently considered applicable.; The Company does not store any Company; information at a permanent physical office, with all; staff working remotely; thereby control measures; identified in 7.1-7.8 and 7.12 are not deemed; applicable.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We follow a comprehensive set of information security policies and processes, aligned with the ISO 27001 standard. We have regular security review meetings and regularly conduct risk assessments to identify potential security threats and vulnerabilities. These assist us in implementing appropriate controls to mitigate these risks.; We have strict access control policies in place. Only authorized personnel have access to sensitive information.; We ensure that all data is encrypted both at rest and in transit. This includes all data stored within our application and any data transmitted between our application and Microsoft Azure.; We have a well-defined incident response plan in place. In the event of a security breach, we follow this plan to quickly contain the incident and minimize any potential damage.; All our staff members undergo regular security awareness training. This ensures that they are up-to-date with the latest security threats and know how to follow our security policies effectively.; We continuously monitor our systems for any unusual activity. We also regularly review and update our security policies and processes to ensure they remain effective and aligned with the latest security best practices.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our configuration management processes and policies, ensure accurate tracking of system components throughout their lifecycle. We maintain version control, document changes, and use unique identifiers. For change management, we assess potential security impacts rigorously. Changes undergo risk assessment, security testing, and general testing before approval. ; We use a combination of tools and policies to achieve this, including Azure DevOps for change tracking as well as source and version control.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We closely monitor our services and those services we depend on for potential threats and recommended mitigations. We do this by a combination of regular service reviews and automated assessment tools, such as Azure Advisor, Microsoft Defender etc.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We maintain a robust vulnerability management process. We continuously scan all components of our service to identify vulnerabilities and suspicious behaviour.; We have automated monitoring on all our services, including our Microsoft Entra directories, looking for suspicious activity and receive regular reports and notifications, which are reviewed as they arrive and at our regular security meetings.; When vulnerabilities are discovered, we triage them based on severity and impact in line with our incident management policy. We prioritize mitigations and apply security updates promptly and immediately inform our users of any potential impact.
• Incident management type: Supplier-defined controls
• Incident management approach: We have strong Incident Management Policies that define our response to any incident. The policies describe the procedures, responsible people and who we need to inform. We also maintain a number of ‘play books’ that have clear instructions on what to do with specific incident types such as account compromise, Password Brute-Force-Attack.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  We not only supply our software to Local Authorities but also provide it to Community Transport projects at a significantly reduced cost, with the aim of helping these projects to survive and grow. Our origins are from within the community transport sector and continue to support it by providing our services and support at affordable rates.

Pricing

• Price: £1,600 a licence a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We provide full access to our services whilst organisations evaluate the system for up to 2 months.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at shaun@shaunsoft.com. Tell them what format you need. It will help if you say what assistive technology you use.