COCOMPLY LIMITED

IR35 Classify

CoComply an Innovate UK Smart Grant 2024 winner, offers comprehensive worker classification and IR35 services through a bespoke, AI-enhanced platform, ensuring scalable, accurate, and consistent results. We provide virtual and online assessments, supply chain analysis and risk reporting alongside exceptional customer support, all underpinned by expert oversight and account management.

Features

• IR35 assessment services via legal expert aided AI/ML technology
• Behavioural analytics to prevent IR35 status manipulation
• AI-enhanced platform for scalability, accuracy, and consistency
• Ongoing checks to ensure compliance throughout engagement life-cycle
• Assist in embedding a robust process with current process/systems
• Realtime reporting on contractors, statuses, costs and risk
• Contractor identification and supply chain analysis
• Tax risk and HMRC enquiry reporting
• Self serve CEST/SDS repository or managed service
• Restructure engagements for maximum compliance

Benefits

• Pinpoint worker classification accuracy at scale
• Total visibility in risk and compliance reporting
• Reduction in IR35 risk and non compliance
• Cutting edge, seamless UI and user experience
• Dedicated legal expert support
• Compliantly engage specialist contractor talent
• Increased control and oversight over off-payroll workforce
• Platform compatible with other third party suppliers
• Advanced prevention of system and IR35 status manipulation

£10 to £15 a unit a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  ODT

• Skills Framework for the Information Age rate card

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael@cocomply.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

807994015415103

Contact

Michael Cleavely
07830163267
michael@cocomply.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: VMS HCM and other party vendor and talent management systems with further integrations ongoing.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: None
• System requirements:
  • Up to date Chrome, Firefox or Edge browsers.
  • Minimum Windows 10 or MacOS 12

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Subject to request type, SLA for critical client service or technology escalation is targeted at 4 hours on 80% of occasions. Critical service issues at the weekend are supported but may have longer response times. ; ; More generic service questions are answered via AI chatbot or customer support within 5 minutes. Limited weekend and out of hours support.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Third party vendor tested.
• Onsite support: Yes, at extra cost
• Support levels: CoComply offers dedicated customer service support for general queries, expert legal support for more complex queries. We offer specialist technical support if there is a system issue or outage. We always aim to offer best in class support, with SLAs dedicated by the customer pricing tier.; Professional tier - instant chat bot. SLA for general queries is under 30 minutes. IR35 Assessment, technical and legal support turn-around 16 working hours. All SLAs are targeted at an 80% success rate. Starting fees £89.00 per month. Specialist legal support may incur additional fees.; ; Premium tier - instant chat bot. SLA for general queries is under 20 minutes. IR35 Assessment, technical and legal support turn-around 12 working hours. All SLAs are targeted at an 80% success rate. Starting fees £399.00 per month. Specialist legal support may incur additional fees.; ; Enterprise tier - instant chat bot. Account manager. Priority queue support. SLA for general queries is under 15 minutes. IR35 Assessment, technical and legal support turn-around 8 working hours. All SLAs are targeted at an 80% success rate. Starting fees £699.00 per month for platform access and inclusive of support. Specialist legal support may incur additional fees.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: To ensure a seamless introduction to our services, CoComply initiates with a thorough pre-discovery and discovery phase to understand each client's unique needs, followed by customised training sessions (in-person and online). Our training is complemented by accessible online videos and walkthroughs, designed to enhance user familiarity and confidence in using our platform. All onboarding processes are bespoke to client requirements and appropriate for the user types, often based on contractor volumes or the complexities of an organisations compliance and monitoring posture, as well as commercial drivers.; ; We establish open lines of communication from the start, providing multiple channels including email, Slack, and Calendly to facilitate responsiveness and adaptability. To support a solid foundation for our collaboration, we schedule weekly meetings during the initial stages of the project, which can be continued as needed by the client.; ; Each client is paired with a dedicated account manager and a worker classification expert to ensure tailored service and expert guidance throughout their journey with us.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Clients can easily retrieve their data from CoComply by submitting a request specifying the information they wish to extract. CoComply promptly processes these requests and provides all requested and relevant data to the client in a comprehensive zip file format (subject to file / volume size) and delivered via a secure manner to be agreed with the clients at the time. ; ; This ensures a straightforward and secure method for clients to access their data at contract end. In terms of extraction format, this can vary but is often in CSV or PDF format with carefully constructed naming conventions.
• End-of-contract process: At the conclusion of a contract, clients have the flexibility to either continue with CoComply’s services or transition to an alternative provider. ; ; Should a client terminate their contract, they can request a copy of their data. Cocomply will process this request and make the data available to the client. We will retain data in accordance with UK and international regulation or regulatory requirements to ensure compliance with applicable laws and standards.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Our web app currently allows additional reporting and configuration features over a mobile interface. There is currently no mobile application however this is anticipated to available by February 2025.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: 1. Log-in page (email / Google); 2. Main Dashboard; 3. Assessment Details; 4. Supplier details and contacts; 5. Assessment tools; 6. Reporting; 7. Notifications and Alerts; 8. Account Management; 9. Help and Support; 10. PSC / Supply Chain Audit tool
• Accessibility standards: None or don’t know
• Description of accessibility: Our service prioritises accessibility through alternative access methods like screen reader compatibility and keyboard navigation. Users can easily access content and navigate interfaces with these features. Users may face challenges with some elements lacking sufficient color contrast and descriptive alt text for images. To address this, we plan to implement simple yet impactful changes: adding alt text to images, enhancing keyboard navigation, ensuring colour contrast compliance, and optimising form accessibility. These improvements aim to make our service more inclusive and user-friendly for all individuals as we work towards WCAG 2.1AA certification.
• Accessibility testing: We haven't conducted dedicated user testing focused on accessibility. However, we recognize the importance of such testing to ensure inclusivity. Feedback from general user testing highlighted potential accessibility challenges, such as insufficient color contrast and missing alt text on images. While we haven't conducted specific accessibility-focused testing, we remain committed to addressing these issues through planned improvements.; ; Our development plan includes implementing simple yet impactful changes, such as adding alt text to images and enhancing keyboard navigation, to enhance accessibility. Additionally, we're open to engaging in future user testing initiatives to validate accessibility improvements and ensure our service meets the needs of all users.
• API: No
• Customisation available: Yes
• Description of customisation: Key customisation options include:; ; Tailoring the IR35 Assessment Process: We adapt our assessment methodologies to align with the client industry and requirements, ensuring compliance and accuracy. (CoComply or Client Driven); Data Gathering and Reporting: Our systems are equipped to collect and report data in a manner that suits clients internal protocols and data analysis needs. (CoComply or Client Driven); Reassessment Cadences: We offer flexible reassessment schedules that can be adjusted according to the evolving demands and cycles of clients' business. (CoComply or Client Driven); Bespoke Training: We provide tailored training solutions designed to educate internal teams on IR35 implications and best practices, ensuring staff remain well-informed and prepared. (CoComply or Client Driven); ; By offering customisable elements, we ensure that our service not only integrates smoothly into business operations but also enhances compliance and operational efficiency.

Scaling

• Independence of resources: Built-in auto-scaling and replication capabilities driven by metrics such as CPU and memory utilisation.; ; Data Read: We maintain read replicas to ensure high availability.; Data Write: we maintain write-guaranteed queues. All writes are saved automatically every few seconds to ensure minimal loss.

Analytics

• Service usage metrics: Yes
• Metrics types: Client usage will detail:; Number of contractors/suppliers; Number of agency partners; Number of assessments undertaken; Number of checks undertaken; Number of engagements; Statuses of engagements; Average CoComply response times; Other service usage metrics can be provided.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export their data directly through a request through the Cocomply account manager.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Pdf
• Data import formats:
  • CSV
  • Other
• Other data import formats: Pdf

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.95% (4 hours and 22 mins down time in a year).; Customers are refunded pro-rata platform fees if service SLAs are not met.
• Approach to resilience: 1) Segregation of internal portal from external client portal; 2) Auto scaling based on resource utilisation; 3) Managed database (RDS) with automatic backups, replication and failover
• Outage reporting: Propagate cloud watch and other monitoring tools to our tech team and share with customers if/when needed.; ; Our system promptly reports outages through automated monitoring tools, detecting deviations in service metrics and triggering alerts to our technical team. Users can also report issues via email, our ticketing system, or our support portal. We provide regular updates through email notifications, in-app messages, and status updates. After resolving outages, we conduct post-incident analysis to prevent recurrence. This proactive approach ensures users are promptly informed and supported during s; service disruptions.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: We control user access via a permissioning model granting different access rights (e.g admin, user, viewer). Admin users can grant or revoke access rights.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Funded by IASME, we are working with kit365.co.uk towards Cyber Essentials Plus. We are expecting to be certified by the end of Q2-24.; ; We are working towards ISO 27001 by December 2024.
• Information security policies and processes: We have an Information Security Policy in place. In terms of processes we have:; 1) Access control to company resources (Google Drive, AWS, GitHub, Jira, and Confluence) including joiners, movers, leavers; 2) Password management (complexity, expiry, recycling); 3) Data handling and storage; 4) Security awareness training; 5) Transmission security (encryption); 6) Incident response (employee reporting); 7) Endpoint protection

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: 1) New user receive a pre-configured laptop based on user type (tech/non-tech); 2) Users are required to raise a request for new software before installation ; 3) We conduct periodic spot checks for unapproved software and either add software to the approved list or remove the item; 4) Leavers return their laptop and lose access to resources immediately; 5) SaaS - all code and infrastructure changes are reviewed and tested prior to released to ensure stability and security are not compromised.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: 1. Create and maintain inventory of the assets in our environment ; 2. Assess vulnerabilities across monitored devices ; 3. Prioritise vulnerabilities by severity and potential impact ; 4. Remediate vulnerabilities as soon as appropriate fix has been identified, implemented and successfully tested. ; 5. Monitor vulnerabilities internally and obtain information about emerging vulnerabilities from approved industry-recognised sources such as MiTRE, MISP.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Endpoints are centrally monitored by SentinelOne SOC solution allowing an immediate disconnect of the endpoint. We receive an incident report and investigate the incident. We can respond to incidents immediately by disconnecting the endpoint.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We follow these steps:; 1) Detect --> Manage --> Record incidents and breaches; 2) Assess --> Report to nominated person --> Notify affected parties and provide incident report. ; 3) Review and monitor

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity

  Fighting climate change

  CoComply's headquarters in Macclesfield it has created an eco-friendly workplace that encourages remote collaboration. Data is hosted on net-zero-certified cloud servers, which offset any environmental impact. We regularly assess our economic, social and environmental impact with negative implications addressed and mitigated as they arise.

  Equal opportunity

  Our service offerings encapsulates Equality, Diversity, and Inclusion (EDI) in that it does not consider individuals data but rather the contract and practices at hand, thus eliminating bias ensuring fair treatment and classification regardless of age, disability, gender, sex, race or belief.; ; Some organisations introduced blanket determinations on contractors, categorising all as inside IR35 without due care or consideration and in an attempt to mitigate their own risk. Our platform seamlessly and fairly classified contractors to assess them correctly ensuring retention within the UK market. Statistics produced by IPSE (2023) highlight the severe constraint IR35 and associated worker classification issues had on the UK off-payroll workforce: 62% of contractors will never agree to work ‘inside IR35’, 22% now work for overseas companies and 10% are unemployed as a direct result of IR35 our solution is an enabler for retaining this talent in the UK.

Pricing

• Price: £10 to £15 a unit a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 14 day free trial allowing access to and use of the platform. All features are accessible. Clients are unable to obtain a Status Determination Statement, but can obtain an indicative status result.

Service documents

• Pricing document

  ODT

• Skills Framework for the Information Age rate card

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael@cocomply.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.