OpenActive (open data) powered activity finder and chatbot for real time physical activity search
Our activity finder and chatbot is used by public bodies to enable residents to search and book local/online physical activity opportunities from multiple activity providers. The activity finder and chatbot are fully brandable, and ready to embed into new or existing websites. Powered by OpenActive / open data standards.
Features
- Real time Search - live availability for local physical activities
- Real time Booking - seamless booking/payment for physical activities
- Data Management, Augmentation and Custom Enhancements
- User accounts - upcoming bookings, cancel bookings, store payment cards
- Secure checkout (for book & pay), GDPR-complaint
- Whitelabel, brandable live activity finder: embed in any existing webpage
- Leisure Member Integration: create, manage and sync user leisure accounts
- Interactive Chatbot: modern tools for dialogue-based physical activity search
- Detailed, visual analytics: search and booking trends
- Full CMS website if required
Benefits
- Deliver real time information to residents about physical activity
- Monitor search and booking trends to improve service investment
- Residents manage bookings, payment cards etc from one account
- Build fully interactive, seamless leisure centre websites
- Tap into a network of public and private booking partners
- Deliver end-to-end, measureable user journey for public health campaigns
- A digital front door: residents can access all physical activity
- Analyse activity availability and resident booking patterns
- Provide streamlined access to physical activity for members and non-members
- Residents can sync and integrate leisure accounts across services
Pricing
£400 a licence a month
- Education pricing available
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
7 9 1 7 1 4 0 3 5 4 2 3 7 1 6
Contact
IMIN LTD
Nishal Desai
Telephone: 07905861778
Email: nish@imin.co
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
-
The activity finder and chatbot integrates with the booking management solutions of physical activity providers - such as those used by many leisure operators, local authorities and smaller clubs.
Both activity finder and chatbot can be embedded into existing Local authority, local directory, public health (etc) websites. - Cloud deployment model
- Private cloud
- Service constraints
-
The power of the activity finder and chatbot is dependent on the booking system software in use by the local physical activity providers (such as leisure operators). Whilst we have integrated with numerous systems (especially those part of the Government funded "OpenActive" initiative to open up more physical activity data), the platforms will be less impactful in areas where systems are in use that we have not yet integrated with.
However, we have shown in other areas that, especially with a local authority sponsor, we can rapidly integrate with new systems to enhance the service offering for any new area. - System requirements
- Ability to create microsites, subdomains or edit existing pages
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
SLA dependent on Pricing Plan selected. If your chosen pricing plan does not include an SLA, then we will use best endeavours to answer any queries within a reasonable time frame.
For customers on a pricing plan that includes an SLA, responses to submitted support requests will be processed during the hours: 9am to 5:30pm (UK time), Monday to Friday; and best endeavours at the weekend. Our SLA for response times scales dependent on the severity and nature of the defect reported.
Additional support available as part of SLAs at higher tiers. - User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- We use a product called "Slack" to interface with our consumers. It is an online chat forum for organisations. We invite customers to join Slack, with a dedicated channel for their questions and support. Customers can ask questions, query API documentation, send images / screenshots of issues, and have a history of the conversation.
- Web chat accessibility testing
- None to date.
- Onsite support
- Yes, at extra cost
- Support levels
-
Where a price plan includes our standard SLA, the support levels include:
- access to online documentation & support
- queries can be emailed to our helpdesk
- customers can request chat (slack) support forum to be set up*
- customers can request name account manager support*
- customers can request technical account manager / developer support*
- standard uptime guarantees
- response times for critical bugs and issues from 4 hours, according to severity (generally immediate where possible).
- scheduled system maintenance that might result in a pause in the Service: advanced notice will be provided with at least 5 working days’ notice.
*A custom SLA (based on specific customer requirements) is available on the "Enterprise Tier" of Service, and includes these types of SLA features. Please see pricing document for cost related to support levels. - Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Over the phone / online support is offered initially. Specific guidance and use case specific examples and instructions are available on request / as needed.
Further onboarding documentation provided over email, or in person / phone, dependent on pricing plan chosen. This includes the option of on-site training / up-skilling in the basic principles and technology of OpenActive and open data, for customer's team and / or local partners such as activity providers. - Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- Where we hold any Customer-owned data, we are acting in a Data Processor role, so at notice of contract termination we will inform the Customer to ensure they have retained and stored whatever data they require from the Service (and we can provide a full copy of the stored data we hold on behalf of the Customer), and at contract termination date we will destroy any personal data we hold on behalf of the Customer.
- End-of-contract process
-
When contract termination is delivered by either party:
(a) the termination date is agreed by both parties (which is when the API key and / or reverse proxy will become invalid)
(b) the Customer will be prompted to retrieve and separately store any Service data that they own (and / or we will provide any Service data held by us)
(c) at termination date, the API key and / or reverse proxy will be deactivated and any and all personal data held by us on behalf of the Customer will be destroyed across our systems and sub-processor systems.
The above steps are all included with all pricing plans.
If there is to be any handover to replace the our Services with a like-for-like Service, we will provide technical resource at a pre-agreed day rate to support this process (if required).
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
The activity finder (a range of options are available) and whitelabel Checkout is fully responsive to device screen size, whether accessed on a mobile phone, tablet or laptop / desktop. These products have been designed "mobile first" and are ready for customers to access the services from a range of devices.
The chatbot is a Facebook plug-in, and through Facebook's native and third party tools, can be easily accessed through mobile phone, tablet or laptop / desktop.
Our products have been rigorously tested and successfully used multiple times across multiple device sizes. - Service interface
- Yes
- User support accessibility
- WCAG 2.1 AAA
- Description of service interface
- End-users will access the services through a web browser (as an embeddable app, full page app or complete microsite solution) or native smart phone application.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- The platforms are designed and tested to meet WCAG standards.
- API
- Yes
- What users can and can't do using the API
-
The activity finder and chatbot are both powered by the imin platform APIs which can be used directly if required (e.g. to power existing applications)
(1) search API - live availability of physical activities
(2) booking API - booking (and payment) for those activities
(3) user accounts - creation of user accounts, allowing users to retrieve details of previous and upcoming bookings, make amendments, cancellations and request refunds
(4) leisure member sync - allowing users to "authenticate" their leisure account in order to make bookings under an existing leisure centre account / membership level.
Our customers receive API keys to securely access the API endpoints included in agreement. Customers are helped using online guidance, or through their account manager. A separate pricing plan exists for use and licencing of the APIs for direct use. - API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- ODF
- Other
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
Customers can:
- provide brand guidelines to be implemented (colours, logos, fonts)
- select where to embed, host or create a standalone microsite
- opt to use our CMS to autonomously manage and upload content (help guides, inspiring stories, articles etc).
- whitelist or blacklist which physical activity providers they would like to access through the activity finder or chatbot
- instruct us to create custom "enhancement rules" based on the user experience being created - e.g. if the resident-facing website is aimed at inactive people, ensuring all images, text etc are suitable for motivating that demographic to engage in physical activity, as well as adding relevant tags such as "suitable for beginners" to enhance searchability by end-users
- provider user access to a secure booking and payment whitelabel checkout if required
Customers can choose their customisation during the contracting process - their account manager will present these options to them in order to set up the Service to begin with. Customers can liaise with the account manager on-going if requirements change over time and customisations need updating.
The authorised main point of contact between imin and the Customer will be instructing the account manager about any customisations required.
Scaling
- Independence of resources
- The cloud infrastructure on which our services are built allows for simple and automatic horizontal and vertical scalability, which responds to varying load. We also have regular monitoring our service response time which allows us to proactively identify and respond to infrastructure bottlenecks. See https://imin.statuspage.io/
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Search trends - number of searches, when, where.
Booking trend - number of searches, when, where, and for what.
Opportunities - number of activities (by sport, geography, price, specific activity provider etc) available within the region - Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Staff screening not performed
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- Other locations
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Other
- Other data at rest protection approach
- Our internal data security measures and protocols includes provision for Physical and Environmental Protection
- Data sanitisation process
- No
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- The relevant data for export is any booking history related data, which can be accessed via the Service dashboard delivered to the Customer. They can view booking history data, and can choose to export it via CSV.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
The SLA provided with relevant Pricing Plans guarantees at least 98% uptime.
Refund mechanisms (Service credits) as per https://www.imin.co/terms/service-terms-of-use#Schedule-2-Service-Level-Agreement - Approach to resilience
- We have appropriate SLAs in place with each cloud infrastructure supplier in use, as well as several redundancy measures, backup syncs etc for outages. More detailed information is available on request.
- Outage reporting
-
We have a public dashboard at https://imin.statuspage.io/ which monitors the back end API availability, uptime and service status.
We will also notify Customers via email if there is a serious outage that has the scope to effect the delivery of their own service to end-users.
We will also notify Customers ahead of time if there are any expected service outages due to planned maintenance work. The Standard SLA details any notice of maintenance will be sent at least 5 days before any downtime is expected.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Other
- Other user authentication
-
Authentication only required for specific elements of the service:
- Customers must supply correct API key credentials when making direct API calls to the Service.
- Customers must provide the correct log in credentials when accessing any dashboards (e.g. analytics reports). - Access restrictions in management interfaces and support channels
- Management interfaces / Support Channels are either restricted to email, or for monitoring dashboards a username and password is required.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Other
- Description of management access authentication
-
For internal staff accessing internal systems, we have a centrally administered 2 factor authentication process - profiles can be denied access remotely. We ensure processors/subcontractors maintain a similar level of access management.
For clients, they cannot directly access administrative areas of the platform - this is done by communication with their account manager who will set up API / activity finder / chatbot options on their behalf accordingly.
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- No audit information available
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- Yes
- Who accredited the PCI DSS certification
- PCI Security Standards Council
- PCI DSS accreditation date
- 17/03/2022
- What the PCI DSS doesn’t cover
- The imin Book & Pay Checkout used to deliver the single, consistent Booking System is PCI-DSS payment compliant (through the Stripe payment gateway). imin do not store credit card information directly, and instead use a tokenisation mechanism via secure SSL connection to defer this storage to Stripe, which assures PCI DSS compliance using the “Pre-filled SAQ A” method (https://stripe.com/docs/security).
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
-
IMIN LTD complies with the requirements of the Cyber Essentials Scheme and achieved a Gold Award certificate of assurance for the IASME Governance Standard in 2018, with an independent on-site audit (offers a similar level of assurance to the ISO27001 standard).
Since that audit, we have maintained rigorous practices in accordance with those standards, but have opted to not recertify with IASME due to the expense involved. For contracts that require this to be in place, we are willing to re-certify with IASME as needed.
We work closely with our processors/subcontractors to ensure they adhere to the required security standards. - Information security policies and processes
-
Acceptable Use of Corporate Property (AUCP) Policy
Administrator Access Tracker
Asset Register - Information
Asset Register - Physical
Breaches of Personal Data Protocol
Bring Your Own Device (BYOD) Policy - Laptops
Bring Your Own Device (BYOD) Policy - Mobile Devices
Business Continuity Plan & Disaster Recovery Plan
Computers & Networks Management Information
Data Classification Policy
Data Privacy Approach for B2B Contacts
Data Protection Policy
Information Security Policy (including Incident Reporting Procedure)
Privacy Impact Assessment
Record of Processing Activities (Article 30 GDPR) - imin as a Data Controller
Record of Processing Activities (Article 30 GDPR) - imin as a Data Processor
Subject Access, Data Portability, or Right to Erasure Requests: Process for Response
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
1. A System Change Request Form is filed.
2. The proposed change is described with reason for change given.
3. The impact of the change is evaluated (including priority, environment impact, resource requirement, test plan description and rollback description).
4. The change is approved or denied.
5. The change is implemented and tested.
6. The completed change is communicated. - Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
1. imin uses Sophos to perform vulnerability scans of BYOD and corporate devices, including reporting unsupported applications, and take immediate action to resolve any vulnerabilities detected.
2. The Company uses a combination of Detectify (penetration testing) and Synk (components with known vulnerabilities - A9 of OWASP Top 10) to detect software vulnerabilities.
3. The results of the scans and any changes made shall be reflected in the Company’s risk assessment and security policy as appropriate. - Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
1. Where possible, we aggregate error and event logs from all applications, in addition to Heroku and AWS Cloudwatch native logs. We deal with each incident generated on a case-by-case basis.
2. The Company also has real-time alerts sent to the team to monitor for unacceptable activity and suspicious user behavior.
3. If high volumes, the Company will use cloud-based log analytics service such as AppDynamics.
4. The Company reserves the right to monitor systems or communications activity where it suspects that there has been a breach of policy in accordance with the Regulation of Investigatory Powers Act (2000). - Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
1. All breaches of policy and all other information security incidents are reported to the Security Officer.
2. If required as a result of an incident, data will be isolated to facilitate forensic examination.
3. Information security incidents are recorded in the Security Incident Tracker and investigated by the Security Officer to establish their cause and impact with a view to avoiding similar events. The risk assessment and relevant policies are updated, if required, to reduce the risk of a similar incident re-occurring.
4. A record is kept of all security incident investigations.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- No
Social Value
- Wellbeing
-
Wellbeing
The activity finder and chatbot service can directly improve the health and welling being of citizens. Our mission is to help organisations, including public bodies, to lower the barriers that exist for people to engage in physical activity - whatever their preferences, background, socioeconomic status, fitness levels, disability etc. Using these services (which further supporting OpenActive) will (a) contribute to this mission nationally, and (b) will help deliver this benefit to residents locally.
The services also improve community integration, because by delivering easily accessible, modern and highly effective physical activity search / chatbot capability for residents, local activity providers in the community can more easily reach their intended audience. More local people can find out about the breadth and diversity of the local physical activity offer, finding the activity that is best for them (rather than only finding those with the best marketing budget). This levels the playing field and makes it more likely that residents will make connections with their local community organisations.
Pricing
- Price
- £400 a licence a month
- Discount for educational organisations
- Yes
- Free trial available
- No