DEBIT FINANCE COLLECTIONS PLC

Legend by Xplor - Leisure Management Software

Our leading, easy-to-use software helps sports, leisure, and recreation centres, communities, clubs,federations attract and retain customers, spend less time on admin,deliver a great experience. With online booking, scheduling, access control, payments, reporting, management, self-service, and automated mareting, Legend is everything needed to run business, grow your revenues, build leisure community.

Features

• Fully managed SaaS solution
• Fully hosted service
• Disaster recovery and backup as standard
• Fully responsive online member portal
• Built-in KPI dashboards and Business Intelligence (Reporting)
• 24x7 support with remote access to system
• Open architecture with full access to API library
• Integrated DD solution with realtime updates
• Software upgrades every 4-5 weeks
• Self-Service capabilities including online and mobile platforms

Benefits

• Configure multiple sites from within the one database
• Reduce third party integrations with single solution
• All users have access to the staffed support desk 24x7
• Schedule reports to be produced and sent via email
• Track company progress with dashboards and targets
• Automate customer journey marketing campaigns
• Reduce front desk staff pressure with Self-Service software
• Members manage their own account through online portal
• Optional outbound calling campaigns to re-engage and retain members
• Access to end-to-end service for revenue collection with contact centre

£79.00 to £119.00 a user

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@xplortechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

844178261729126

Contact

Melissa Thirtle
02038 301 400
bids@xplortechnologies.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No, all maintenance is conducted with no downtime experienced
• System requirements:
  • Supported Microsoft Windows Operating Systems (Windows 10 or above)
  • Latest versions of Microsoft Edge, Google Chrome
  • Browser: IE 11.0 (or later)
  • Citrix Receiver 4.9 LTSR
  • Processor: Pentium 2 upwards
  • Hard Disk: minimal500 MB of available space is required
  • Display: 1024 X 768 high colour, 32 bit or higher
  • Mozilla Firefox, Safari – must support TLS 1.2 and above
  • Google Chrome (preferred)
  • Tablets for use with the Program Registration software

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Incidents are acknowledged depending on their Priority, as detailed below:; Priority 1 = 1 business hour; Priority 2 = 3 business hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Legend provides a support desk 24 hours a day 7 days a week to all customers at no extra cost. We also provide an online service to raise and monitor tickets as well as 'Legend Bytes' which is an online Wiki which provides documentation on Legend modules. Legend Bytes supports a 'fuzzy search' to enable customers to be directed to the exact documentation they require.; All staff users have access to Legend support.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Legend has adopted the internationally recognised project methodology of PRINCE2 for delivering projects in partnership with our clients. Legend conducts training onsite with the customer in groups of up to 15. The training is split into specific categories and is tailored to the specific customer and the modules they have selected. As standard Legend will conduct Front of House, Back of House and Super User training and all training sessions are supported with documentation. If the customer selects added value modules such as KPI reporting or Active Outcomes then an extra days training is required to ensure they are fully trained in the specialised modules.; Legend also has the option to provide online training which can be used for initial set up or ongoing training for new starters. All new customers will be given a project manager through out the implementation and a project tracker which is managed by the Legend PM and customer PM ensuring the project is delivered on time and implemented exactly how the customer requires.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data is readily available for extraction by using the Legend Reporting tools. The format of the extract will be CSV. Where specialist intervention is required from Legend, you should expect to pay the full daily rate. Legend will always work to minimise the likelihood of this additional cost being incurred.
• End-of-contract process: Legend shall:; a) return all Customer Data held by the Supplier to the Customer within thirty (30) days of termination in an industry standard format and on an industry standard media, or as otherwise mutually agreed;; b) destroy or delete any copies of the Customer Data on the earlier of: (i) ninety (90) days from the date of termination and (ii) fifteen (15) days of the request of the Customer, and provide; and; c) upon written request of the Customer, execute and deliver to the Customer a certification that all Confidential Information of the Customer including all Customer Data, has either been returned, deleted or destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All of Legend's web modules are fully responsive and therefore no difference between mobile and desktop service.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Legend has a robust API library which is available upon request which allows customers IT teams to access the APIs they require.; Legend's integration options currently include the following:; RESTful WebApi APIs for retrieval of prices, timetables, Member information and supporting data.; RESTful WebApi APIs for creating members account-holders and prospects.; SOAP based APIs for creating accounts, discovering pricing, polling for changes (these are being deprecated in favour of RESTful services).; Timed export of reports in various formats to (secure) FTP, email or shared Legend folders.; Synchronisation service to export data to SOAP or RESTful WebApi services on internal changes.; Interface points for querying external systems for account synchronisation, payment card updates and other data from point of sale.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Legend offers a heavily customisable service that is configured alongside our customers staff throughout the implementation project. There are numerous areas of Legend that can be customisable some highlights being:; -Front of House; -Memberships; -Sports Courses Module; -Active Outcomes (GP Referral Module); -Customer Communications; -Prospecting and joining; ; In each instance there is a massive amount of functionality that allows customers to configure their own workflows, layout and configuration. Legend allows the configurable areas of the system to be extremely granular for example Active Outcomes can be built by the customer from available schemes to the individual healthcare workers that could refer a member.; ; Users can customise Legend in a easily in separate configuration sections of the system that is reflected instantly on their live system. Legend provides a fully managed SaaS solution including its own active directory user setup. Customers are then responsible for the assignment of security groups. It is only staff who have the relevant security clearance (selected by the customer) that can configure the system, it is completely down to the customer who has access to do this. The security groups are as well completely configurable.

Scaling

• Independence of resources: All Legend’s systems are scaled to meet enterprise performance levels of responsiveness and redundancy.; Legend is a Windows Enterprise solution running on a virtualised infrastructure in a private cloud run on Legend’s servers with load balancing within the infrastructure and capacity planning.

Analytics

• Service usage metrics: Yes
• Metrics types: Logins over time and data volumes are provided through real-time dashboards and regular reports.; Legend also provides customers with monthly dashboards keeping them updated with the amount of support tickets that have been raised, investigated and closed. The dashboards allow customers to see detail on how the tickets were closed and by which department.; Legend also supplies a customer scoresheet which shows the spread of bookings I.e. online, self-service or in house. Legend also provides details on the amount of users, risk scores and financial income.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: Optional TDE
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Legend provides full access to Legend reports where customers can extract all member data from the system and export in XLSX, CSV or PDF.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • XLSX
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), monthly network scans and periodic external penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed, and server hardening and patching policies in terms of our ISO 27001 processes. All key systems are monitored 24x7 ongoing.

Availability and resilience

• Guaranteed availability: Our standard uptime target is 99.95%
• Approach to resilience: High Availability (HA) configurations with redundancy in all aspects including databases clustering, enterprise SAN, virtualization and load balancers, along with N+2 host server configuration.
• Outage reporting: Outages are reported to our customers through incident notifications, via e-mail

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Users are initially authenticated within our Active Directory domain. Once successful at this stage, they must also authenticate against the Legend database. Their workstations must also be registered within the system otherwise, access will not be granted.; 2FA is available as an optional service.
• Access restrictions in management interfaces and support channels: Management access is restricted to specific pre-authenticate users. Some areas are only accessible over a VPN (with IP based whitelisting) and other areas are only accessible through MFA (mobile token)
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: All management access requires usernames and passwords to gain initial access onto the system. For certain functions, this must take place over a dedicated VPN (with IP based termination). For sensitive areas of the system, users must also use MFA to gain access (second token is a mobile device)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 21/07/2019
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Self certified
• PCI DSS accreditation date: 04/02/2022
• What the PCI DSS doesn’t cover: All services provided by Legend relating to Membership Management are included in the scope.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO27001/ISMS. The Management team reviews the ISMS quarterly looking closely at risk, new standards, incidents, audits and corrective actions seeking to continuously improve the system; All staff are given training on Information Security and the Legend ISMS as part of their induction process. Annual refreshers are conducted in the form of briefings and staff surveys to test understanding and awareness. Developers regularly hold briefing sessions on threats pertinent to coding and system administrators regularly review infrastructure threats. Management periodically tackle scenarios to role-play situations and ensure preparedness to respond swiftly in event of an incident.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: As part of our ISO27001 and ISMS procedures, a full change control process is followed for any change in components, services or configuration. This includes a full security assesment.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Legend solution has a number of independent security measures to detect and block any attacks originating from an outside source. This includes firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), quarterly internal network scans and quarterly ASV scans, and annual penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed. Server hardening and patching policies are also in place and governed by our ISO 27001 processes. All key systems are monitored 24x7.; All known vulnerabilities are logged in a risk register as part of our ISMS processes and tracked until closure.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.; This will be dependant on the failure, if for instance there is total failure, whilst waiting for system recovery through Disaster recovery or other means, it will not be possible to send a system message to users through Legend. However, Legend has a documented process for contacting your key staff members to inform and help disseminate information on system status.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  We have made a commitment to net zero by 2025.; We plan to scope, publicly report on and reduce our scope 1, 2 and 3 carbon emissions globally as part of our Environment, Social, Governance (ESG) strategy. We will be commencing that work in 2022.; We have identified that our major sources of emissions are business travel, offices and cloud computing. Our first step will be carbon offsetting for all our business travel which we will do in 2022. Our cloud computing partners (Microsoft and AWS) have measurement tools that can help us measure, track and offset our emissions from cloud computing

Pricing

• Price: £79.00 to £119.00 a user
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@xplortechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.