HANDS HQ

HandsHQ: Training register

HandsHQ's Training Register allows businesses to seamlessly manage training for a safe and compliant workforce. Training Register can store personnel records and training certificates and assign expiry dates to courses. Our new eLearning feature integrates with iHASCO so businesses can book onto over 140 courses through Training Register.

Features

• Cloud-based software, to store, track and manage training records
• Monitor and book training from one place
• Forecast future training needs and costs
• Get email notifications when training is due to expire
• Direct eLearning integration with iHASCO
• Deliver eLearning from any provider
• Download training reports at the click of a button
• Access training records and certificates on the go
• Assign mandatory training to company roles
• Integrate Training Register with other HR and job management software

Benefits

• Accelerate digitalisation: move away from paper, or complicated Excel spreadsheets
• Manage training records from anywhere with an internet connection
• Ensures the right people with the right skills are working
• Provides a comprehensive overview of all training and qualifications
• Simple design-driven platform that requires limited technical skills
• Manage sub-contractors and their qualifications and training
• Personnel flagged with insufficient training for site
• Stay compliant with up to date records and certificates
• Remove hours of admin by automating eLearning Management

£3,600 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at help@handshq.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

778128049672876

Contact

Jamie Carruthers
020 3318 4901
help@handshq.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: HandsHQ risk and method statement (RAMS) software
• Cloud deployment model: Private cloud
• Service constraints: As a cloud platform, HandsHQ - Training Register has limited constraints associated with the platform. An internet connection is required to use HandsHQ- Training register. Each user will have their own individual login accessed via an email address. ; ; The platform works across all the latest browsers, however, we do suggest using Google Chome if you have the option. HandsHQ can be used on desktop, tablets and smartphones, however, tablets offer the best user experience due to the size of the screen available.
• System requirements:
  • Active internet connection
  • A modern web browser (ideally Chrome)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim to respond to questions received during normal business hours within 1-2 hours. Normal business hours are Monday- Friday, 9am-5pm
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: HANDS HQ- Training Register uses Intercom to power web chat. All Intercom products are built to be accessible, including Screen Reader Support, Keyboard Navigation and Colour Contrast
• Onsite support: Yes, at extra cost
• Support levels: As standard, all HandsHQ- Training Register customers have access to an online knowledge base containing FAQs; and live chat/in-app support during office hours. ; ; Customers on Business & Enterprise pricing plans have a named, dedicated, Customer Success Manager who provides initial platform set up, onboarding and continuous learning throughout the organisation. ; This can include but is not limited to, site visits, in-person training days and webinars. Training plans are customised to suit customer requirements. Training covers all aspects of the software, including different features, functions and permissions.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The onboarding process for all new customers of HandsHQ Training Register includes access to an online knowledge base, phone and email support and in-app support during UK office hours. For Business & Enterprise customers we create customised training plans that ensure all individual needs are met. This can include but is not limited to, on-site training and web training. ; New users will have guidance on importing personnel information and their account manager will project manage data importing to ensure it is suitable for specific company needs and requirements. Information will include training information, supporting documents,personnel information and specific training requirements for roles and responsibilities.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • Online knowledge base
  • Video
• End-of-contract data extraction: Customers are able to access, and export, their data into CSV format while they have an active HandsHQ- Training Register subscription. For a period of two years following the termination of a contract, their data will be securely retained. If within that period of time their subscription is not reactivated, their data will be deleted.; ; During that two year period, former customers of HandsHQ- Training Register are able to contact the team should they wish to access their documents without reactivating their subscription. Documents will be supplied in CSV format.
• End-of-contract process: HandsHQ- Training Register customers are required to inform the company of the decision to terminate the agreement with 30 days notice. ; ; Upon termination of the agreement, customers can choose to receive a folder containing all of the documents stored in the HANDS HQ platform in CSV format.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: HandsHQ offers API integration via automation tools Zapier and Microsoft Flow . Customers that wish to use the API simply need to contact their Customer Success Manager, who will provide their API Key and guide through set up. HandsHQ also offers direct API access for those who want to use completely custom solutions and have the technical know-how to implement them, this also uses an API key to interact with the API and the developers using the API will have the documentation be made available to them. The API currently supports some actions in relation to the Training Register that are most likely to need to be automated, such as recording training records and managing the roles and their assignment to personnel. As well subscriptions to webhook notifications for important events such as changes to existing roles and when training statuses have changed for personnel.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: The training register is mainly meant as a way for customers to input their own content, while providing a consistent way that the resources of personnel, courses and roles ultimately lead to meaningful summaries such as training statuses. Most of the customisation comes in deciding the relationships between this content and the impact on the statuses (e.g. when things are required or when things are considered to be expired), as well as behaviour of what kind of notifications might be sent. While the core experience is the same across all users, regardless of their data set - the main customisation comes in the form of how customers wish to interact with these experiences (e.g. setting up their own custom workflows based off training status changes via the API) ; ; The front-end of the platform can be customised to reflect our customers' branding.

Scaling

• Independence of resources: HANDS HQ uses an Auto Scaling service which monitors applications and adjusts capacity to maintain a steady service. The service, provided by Heroku, means that demand is never an issue. Additionally, we receive a number of alerts around capacity thresholds as a backup.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics & reports provided:; Personnel training status ; Expiring training report; Complete training report ; Current training status ; Downloadable training matrix; Personal training reports
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Other
• Other data at rest protection approach: The database plan we are using via Heroku is encrypted at rest with AES-256, block-level storage encryption. We protect data in transit by requiring the use of HTTPS for all application communication
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Customers or ex-customers can contact the HANDS HQ team through any of our support channels to request a data export.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • PDF
  • Manual

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: HandsHQ has a target of 99.6% uptime. For any downtime beyond one consecutive day, customers will receive pro rata credit to their account.
• Approach to resilience: HandsHQ use Heroku and AWS; details of their data centre measures can be found on their websites. The HANDS HQ platform has been built with a high level of self-healing and redundancy built into our service. If there is a failure, we are alerted immediately. Our databases are backed up daily; in the event of an outage, we can restore in any point of time over the last seven days.
• Outage reporting: Customers are informed of any upcoming downtime at least two days before it occurs via email. In cases of unexpected downtime, we inform customers it has occurred, the reason why, and the steps we are taking to mitigate risk. We additionally publish downtime statistics on the HandsHQ website.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: We use an access control matrix to ensure that only staff that require high impact systems are provided with access to them. As well as this, Hands HQ has several additional policies in place, such as reviewing privileged access at ISO Committees We also have a staff offboarding process to ensure all systems access is adequately removed on their last day or before, depending on the situation. We do not allow our staff to unencrypt or download customer confidential data, but those that have the access rights to do so are limited.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 13/06/2018
• What the ISO/IEC 27001 doesn’t cover: All of HandsHQ is covered by this certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: HandsHQ has ISO 27001:2022 which is headed up by our CEO. The company adheres to multiple policies and procedures that are required or are best practice in line with ISO 27001, including Asset Management, Access management, Third Party Management, Secure Development practices etc. (see our SOA which controls apply). HandsHQ runs an ISO Committee every quarter which reports on the effectiveness of our ISMS and conduct quarterly internal audits. We ensure policies are followed through internal audits and staff management - both day-to-day and via performance targets. HandsHQ holds regular security training and inductions to ensure all staff remain aware of the security policies and are kept up to date with the latest threats and vulnerabilities.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: HandsHQ is built with Ruby on Rails with Postgres hosted on Heroku/AWS. We use a product management tool (Product Board) to gather feedback/issues from customers which are prioritised by the development team. All code is peer-reviewed and we use a test-driven development methodology with a target of 95% test coverage to ensure code quality. We have continuous monitoring of all code dependencies to identify security issues and all new features are run against our penetration testing tool. All of the development team are trained in secure development practices and we adhere to OWASP best practices.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Code will be assessed for vulnerabilities, dependencies and known issues by using a combination of continuous code checking through Code Climate and Github tools, and then half yearly vulnerability scanning using ZAP on our staging environment, which is an identical reproduction of our production environment. These tools rate the risk in three layers and HandsHQ has applied timescales for each. The team will log test results in a spreadsheet and state which are applicable to the Production environment which will take priority and adapt the impact accordingly where necessary and detail the reasoning for the change or downgrade.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We monitor service downtime and degradation using a variety of tools which measure from as little as continuously to up to an hour intervals. We monitor vulnerabilities and capacity as previously described. Alerts are flagged immediately and assessed for their severity by a member of staff. If the issue is categorised by the staff member as an incident they will evoke the incident management procedure.
• Incident management type: Supplier-defined controls
• Incident management approach: HandsHQ uses Zube for incident management purposes. Employees report any CRITICAL/ HIGH incidents immediately to co-founders who will record the information going forward. MAJOR OR MINOR incidents can be added directly. An impact rating will be added to the case as follows: URGENT: Leak of confidential information (Fix within 72 hours) HIGH: Partial loss of service or potential corruption of data (Fix within two weeks) NORMAL: Loss, corruption or leak of non-core functionality (Fix within three months) Knowledge gained from analysing and resolving information security incidents is entered into future test scripts to prevent the issues arising again.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  HandsHQ Training Register ensures that employees have the correct and relevant training to complete their jobs and to keep them safe while working.

Pricing

• Price: £3,600 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at help@handshq.com. Tell them what format you need. It will help if you say what assistive technology you use.