IMIN LTD

OpenActive (open data) powered activity finder and chatbot for real time physical activity search

Our activity finder and chatbot are used by public bodies to enable residents to search and book local/online physical activity opportunities from multiple activity providers. The activity finder and chatbot are fully brandable, and ready to embed into new or existing websites. Powered by OpenActive / open data standards.

Features

  • Real time Search - live availability for local physical activities
  • Real time Booking - seamless booking/payment for physical activities
  • Data Management, Augmentation and Custom Enhancements
  • User accounts - upcoming bookings, cancel bookings, store payment cards
  • Secure checkout (for book & pay), GDPR-compliant
  • Whitelabel, brandable live activity finder: embed in any existing webpage
  • Leisure Member Integration: create, manage and sync user leisure accounts
  • Interactive Chatbot: modern tools for dialogue-based physical activity search
  • Detailed, visual analytics: search and booking trends
  • Full CMS website if required

Benefits

  • Deliver real time information to residents about physical activity
  • Monitor search and booking trends to improve service investment
  • Residents manage bookings, payment cards etc from one account
  • Build fully interactive, seamless leisure centre websites
  • Tap into a network of public and private booking partners
  • Deliver end-to-end, measurable user journey for public health campaigns
  • A digital front door: residents can access all physical activity
  • Analyse activity availability and resident booking patterns
  • Provide streamlined access to physical activity for members and non-members
  • Residents can sync and integrate leisure accounts across services

Pricing

£400 a licence a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nish@imin.co. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

791714035423716

Contact

IMIN LTD Nishal Desai
Telephone: 07905861778
Email: nish@imin.co

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The activity finder and chatbot integrates with the booking management solutions of physical activity providers - such as those used by many leisure operators, local authorities and smaller clubs.

Both the activity finder and chatbot can be embedded into existing local authority, local directory, public health (etc) websites.
Cloud deployment model
Private cloud
Service constraints
The power of the activity finder and chatbot is dependent on the booking system software in use by the local physical activity providers (such as leisure operators). Whilst we have integrated with numerous systems (especially those part of the Government funded "OpenActive" initiative to open up more physical activity data), the platforms will be less impactful in areas where systems are in use that we have not yet integrated with.

However, we have shown in other areas that, especially with a local authority sponsor, we can rapidly integrate with new systems to enhance the service offering for any new area.
System requirements
Ability to create microsites, subdomains or edit existing pages

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA dependent on Pricing Plan selected. If your chosen pricing plan does not include an SLA, then we will use best endeavours to answer any queries within a reasonable time frame.

For customers on a pricing plan that includes an SLA, responses to submitted support requests will be processed during the hours: 9am to 5:30pm (UK time), Monday to Friday; and best endeavours at the weekend. Our SLA for response times scales dependent on the severity and nature of the defect reported.

Additional support available as part of SLAs at higher tiers.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
We use a product called "Slack" to interface with our consumers. It is an online chat forum for organisations. We invite customers to join Slack, with a dedicated channel for their questions and support. Customers can ask questions, query API documentation, send images / screenshots of issues, and have a history of the conversation.
Web chat accessibility testing
None to date.
Onsite support
Yes, at extra cost
Support levels
Where a price plan includes our standard SLA, the support levels include:
- access to online documentation & support
- queries can be emailed to our helpdesk
- customers can request a chat (Slack) support forum to be set up*
- customers can request named account manager support*
- customers can request technical account manager / developer support*
- standard uptime guarantees
- response times for critical bugs and issues from 4 hours, according to severity (generally immediate where possible).
- scheduled system maintenance that might result in a pause in the Service: advanced notice will be provided with at least 5 working days’ notice.

*A custom SLA (based on specific customer requirements) is available on the "Enterprise Tier" of Service, and includes these types of SLA features. Please see pricing document for cost related to support levels.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Over the phone / online support is offered initially. Specific guidance and use case specific examples and instructions are available on request / as needed.

Further onboarding documentation provided over email, or in person / phone, dependent on pricing plan chosen. This includes the option of on-site training / up-skilling in the basic principles and technology of OpenActive and open data, for customer's team and / or local partners such as activity providers.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Where we hold any Customer-owned data, we are acting in a Data Processor role, so at notice of contract termination we will inform the Customer to ensure they have retained and stored whatever data they require from the Service (and we can provide a full copy of the stored data we hold on behalf of the Customer), and at contract termination date we will destroy any personal data we hold on behalf of the Customer.
End-of-contract process
When contract termination is delivered by either party:
(a) the termination date is agreed by both parties (which is when the API key and / or reverse proxy will become invalid)
(b) the Customer will be prompted to retrieve and separately store any Service data that they own (and / or we will provide any Service data held by us)
(c) at termination date, the API key and / or reverse proxy will be deactivated and any and all personal data held by us on behalf of the Customer will be destroyed across our systems and sub-processor systems.

The above steps are all included with all pricing plans.

If there is to be any handover to replace our Services with a like-for-like Service, we will provide technical resource at a pre-agreed day rate to support this process (if required).

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The activity finder (a range of options are available) and whitelabel Checkout is fully responsive to device screen size, whether accessed on a mobile phone, tablet or laptop / desktop. These products have been designed "mobile first" and are ready for customers to access the services from a range of devices.

The chatbot is a Facebook plug-in, and through Facebook's native and third party tools, can be easily accessed through mobile phone, tablet or laptop / desktop.

Our products have been rigorously tested and successfully used multiple times across multiple device sizes.
Service interface
Yes
User support accessibility
WCAG 2.1 AAA
Description of service interface
End-users will access the services through a web browser (as an embeddable app, full page app or complete microsite solution) or native smart phone application.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
The platforms are designed and tested to meet WCAG standards.
API
Yes
What users can and can't do using the API
The activity finder and chatbot are both powered by the imin platform APIs which can be used directly if required (e.g. to power existing applications)
(1) search API - live availability of physical activities
(2) booking API - booking (and payment) for those activities
(3) user accounts - creation of user accounts, allowing users to retrieve details of previous and upcoming bookings, make amendments, cancellations and request refunds
(4) leisure member sync - allowing users to "authenticate" their leisure account in order to make bookings under an existing leisure centre account / membership level.

Our customers receive API keys to securely access the API endpoints included in their agreement. Customers are helped using online guidance, or through their account manager. A separate pricing plan exists for use and licensing of the APIs for direct use.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Customers can:
- provide brand guidelines to be implemented (colours, logos, fonts)
- select where to embed, host or create a standalone microsite
- opt to use our CMS to autonomously manage and upload content (help guides, inspiring stories, articles etc).
- whitelist or blacklist which physical activity providers they would like to access through the activity finder or chatbot
- instruct us to create custom "enhancement rules" based on the user experience being created - e.g. if the resident-facing website is aimed at inactive people, ensuring all images, text etc are suitable for motivating that demographic to engage in physical activity, as well as adding relevant tags such as "suitable for beginners" to enhance searchability by end-users
- provide user access to a secure booking and payment whitelabel checkout if required

Customers can choose their customisation during the contracting process - their account manager will present these options to them in order to set up the Service to begin with. Customers can liaise with the account manager on-going if requirements change over time and customisations need updating.

The authorised main point of contact between imin and the Customer will be instructing the account manager about any customisations required.

Scaling

Independence of resources
The cloud infrastructure on which our services are built allows for simple and automatic horizontal and vertical scalability, which responds to varying load. We also regularly monitor our service response time, which allows us to proactively identify and respond to infrastructure bottlenecks. See https://imin.statuspage.io/

Analytics

Service usage metrics
Yes
Metrics types
Search trends - number of searches, when, where.
Booking trend - number of searches, when, where, and for what.
Opportunities - number of activities (by sport, geography, price, specific activity provider etc) available within the region
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Our internal data security measures and protocols includes provision for Physical and Environmental Protection
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The relevant data for export is any booking history related data, which can be accessed via the Service dashboard delivered to the Customer. They can view booking history data, and can choose to export it via CSV.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The SLA provided with relevant Pricing Plans guarantees at least 98% uptime.

Refund mechanisms (Service credits) as per https://www.imin.co/terms/service-terms-of-use#Schedule-2-Service-Level-Agreement
Approach to resilience
We have appropriate SLAs in place with each cloud infrastructure supplier in use, as well as several redundancy measures, backup syncs etc for outages. More detailed information is available on request.
Outage reporting
We have a public dashboard at https://imin.statuspage.io/ which monitors the back end API availability, uptime and service status.

We will also notify Customers via email if there is a serious outage that has the scope to affect the delivery of their own service to end-users.

We will also notify Customers ahead of time if there are any expected service outages due to planned maintenance work. The Standard SLA details any notice of maintenance will be sent at least 5 days before any downtime is expected.

Identity and authentication

User authentication needed
Yes
User authentication
Other
Other user authentication
Authentication only required for specific elements of the service:
- Customers must supply correct API key credentials when making direct API calls to the Service.
- Customers must provide the correct log in credentials when accessing any dashboards (e.g. analytics reports).
Access restrictions in management interfaces and support channels
Management interfaces / Support Channels are either restricted to email, or for monitoring dashboards a username and password is required.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication
For internal staff accessing internal systems, we have a centrally administered 2 factor authentication process - profiles can be denied access remotely. We ensure processors/subcontractors maintain a similar level of access management.

For clients, they cannot directly access administrative areas of the platform - this is done by communication with their account manager who will set up API / activity finder / chatbot options on their behalf accordingly.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
PCI Security Standards Council
PCI DSS accreditation date
17/03/2022
What the PCI DSS doesn’t cover
The imin Book & Pay Checkout used to deliver the single, consistent Booking System is PCI-DSS payment compliant (through the Stripe payment gateway). imin do not store credit card information directly, and instead use a tokenisation mechanism via secure SSL connection to defer this storage to Stripe, which assures PCI DSS compliance using the “Pre-filled SAQ A” method (https://stripe.com/docs/security).
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
IMIN LTD complies with the requirements of the Cyber Essentials Scheme and achieved a Gold Award certificate of assurance for the IASME Governance Standard in 2018, with an independent on-site audit (offers a similar level of assurance to the ISO27001 standard).

Since that audit, we have maintained rigorous practices in accordance with those standards, but have opted to not recertify with IASME due to the expense involved. For contracts that require this to be in place, we are willing to re-certify with IASME as needed.

We work closely with our processors/subcontractors to ensure they adhere to the required security standards.
Information security policies and processes
Acceptable Use of Corporate Property (AUCP) Policy
Administrator Access Tracker
Asset Register - Information
Asset Register - Physical
Breaches of Personal Data Protocol
Bring Your Own Device (BYOD) Policy - Laptops
Bring Your Own Device (BYOD) Policy - Mobile Devices
Business Continuity Plan & Disaster Recovery Plan
Computers & Networks Management Information
Data Classification Policy
Data Privacy Approach for B2B Contacts
Data Protection Policy
Information Security Policy (including Incident Reporting Procedure)
Privacy Impact Assessment
Record of Processing Activities (Article 30 GDPR) - imin as a Data Controller
Record of Processing Activities (Article 30 GDPR) - imin as a Data Processor
Subject Access, Data Portability, or Right to Erasure Requests: Process for Response

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
1. A System Change Request Form is filed.
2. The proposed change is described with reason for change given.
3. The impact of the change is evaluated (including priority, environment impact, resource requirement, test plan description and rollback description).
4. The change is approved or denied.
5. The change is implemented and tested.
6. The completed change is communicated.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
1. imin uses Sophos to perform vulnerability scans of BYOD and corporate devices, including reporting unsupported applications, and take immediate action to resolve any vulnerabilities detected.
2. The Company uses a combination of Detectify (penetration testing) and Snyk (components with known vulnerabilities - A9 of OWASP Top 10) to detect software vulnerabilities.
3. The results of the scans and any changes made shall be reflected in the Company’s risk assessment and security policy as appropriate.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
1. Where possible, we aggregate error and event logs from all applications, in addition to Heroku and AWS Cloudwatch native logs. We deal with each incident generated on a case-by-case basis.
2. The Company also has real-time alerts sent to the team to monitor for unacceptable activity and suspicious user behavior.
3. If volumes are high, the Company will use a cloud-based log analytics service such as AppDynamics.
4. The Company reserves the right to monitor systems or communications activity where it suspects that there has been a breach of policy in accordance with the Regulation of Investigatory Powers Act (2000).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
1. All breaches of policy and all other information security incidents are reported to the Security Officer.
2. If required as a result of an incident, data will be isolated to facilitate forensic examination.
3. Information security incidents are recorded in the Security Incident Tracker and investigated by the Security Officer to establish their cause and impact with a view to avoiding similar events. The risk assessment and relevant policies are updated, if required, to reduce the risk of a similar incident re-occurring.
4. A record is kept of all security incident investigations.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

Wellbeing

The activity finder and chatbot service can directly improve the health and wellbeing of citizens. Our mission is to help organisations, including public bodies, to lower the barriers that exist for people to engage in physical activity - whatever their preferences, background, socioeconomic status, fitness levels, disability etc. Using these services (which further support OpenActive) will (a) contribute to this mission nationally, and (b) help deliver this benefit to residents locally.

The services also improve community integration, because by delivering easily accessible, modern and highly effective physical activity search / chatbot capability for residents, local activity providers in the community can more easily reach their intended audience. More local people can find out about the breadth and diversity of the local physical activity offer, finding the activity that is best for them (rather than only finding those with the best marketing budget). This levels the playing field and makes it more likely that residents will make connections with their local community organisations.

Pricing

Price
£400 a licence a month
Discount for educational organisations
Yes
Free trial available
No
