KOOTH DIGITAL HEALTH LIMITED

Kooth: Digital Mental Health Platform for Children and Young People

Since 2001 Kooth Digital Health has been the UK’s leading provider to the NHS and Local Authorities in effective online mental health support. Providing a safe, anonymous and welcoming space for young people to explore their mental health through a tailored clinical model and vibrant online community offering therapeutic choice.

Features

• Safe, clinically moderated and age gated support.
• Available 24/7, 365 including out of hours support.
• Vibrant community providing moderated peer to peer support.
• Self help tools and clinically evidenced psycho-educational content.
• Text-based chats through a drop-in ‘function’.
• Pre-booked chats with the same practitioner, supporting continuity of care.
• 24-hour Messaging - access asynchronous support.
• Fully digital platform, compatible with all devices (including apple, android).
• Dedicated local engagement leads promoting wellbeing within the community.
• Robust Clinical Governance and Clinically Evidenced Outcome measures.

Benefits

• A humanistic, integrative, ‘whole-person’ approach to digital therapeutic support.
• Wellbeing and early intervention focus to support improved population health.
• Anonymous platform to support increased access and remove stigma.
• Data-rich insights - regular reporting on population mental health.
• Goals-based outcomes for service users to track their progress.
• Ease of access, self referral or be referred by clinicians.
• NHSE MHSDS reporting as standard.
• BACP-accredited.
• Experienced safeguarding team and proven systems to support risk.
• YHEC-demonstrated economic value.

£64.57 to £72.64 a unit an hour

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@kooth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

856367693070802

Contact

Kooth Tenders
02039849337
tenders@kooth.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: As our service is a web-based platform, service users need an internet-enabled device to access support.
• System requirements: Service users need an internet-enabled device to access the platform.

User support

• Email or online ticketing support: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: We provide one homogenous level of support for all customers. Our site and workforce are nationally accessible, differentiated only for the service user. The core site is the same. Any reported issues are dealt with by our in-house team of on-call engineers as soon as possible.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We provide materials and workshops, in person and virtually, to help users understand how to access and use the service
• Service documentation: No
• End-of-contract data extraction: Kooth plc has a privacy section service users can access when signing up to the service which details information relating to accessing records, clearly written for all service users. Where appropriate, practitioners can explain to service users that they have a right to see their files, to give further clarity and support with any access request or process, explaining about anonymity being compromised through this process due to having to evidence who they are. This right to see information is known as a Subject Access Request. ; Subject Access Requests should be made to Kooth plc’s data protection officer at DPO@kooth.com and service users should be informed about the consequences of submitting these requests, as they will be providing email addresses and other identifiable information, compromising their anonymity. ; Parents/carers do not have the automatic right to see records kept by Kooth plc. under the Educational Records Act 1989.; Where adults are unable to exercise control over their records due to not having mental capacity to do so, applications for access can be made on their behalf by an Independent Mental Capacity Advocate (IMCA), appointed under the Mental Health Act, or next of kin where appropriate.
• End-of-contract process: Off-boarding is a technically simple process for Kooth as a Commercial off-the-shelf (COTS) web-based platform. If a commissioning authority decides to decommission Kooth, the platform itself can simply be "turned off" for the region and the sign up flow adjusted to no longer contain the related locations and sub-locations for which Kooth was previously commissioned.; For service users, the process requires clinical and safeguarding governance. Initially the site will no longer accept new registrations for the specific locations while existing Service Users are slowly off-boarded to other local services that align with their specific needs. This is done in conjunction with commissioning authority to ensure service user safety. Service User data will also be deleted to ensure compliance with GDPR. This process is conducted in line with the guidelines set out in the NHS Data Security & Protection Toolkit on which Kooth is registered/assessed.; All is included in the price of the contract at no additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: N/A All functionality is retained on the mobile version of the platform.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Kooth's user interface allows service users to, among other things, join an impromptu or scheduled one-to-one chats with mental health professionals, participate in forums, read and write magazine articles, set goals. All the content users see is pre-moderated to avoid any trigger content.; ; The whole interface is based on HTML CSS and JavaScript user interface component. We've designed and built a fully WCAG 2.1 compliant library of re-usable User Interface components, leveraging the usability and accessibility research and patterns from the GDS Design System.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Over the past two years, most of our accessibility testing has been done directly by the team working on designing and building Kooth.; ; Our lead frontend engineer is a NVDA (screen reader) Certified Expert, IAAP-certified Web Accessibility Specialist and a keyboard (rather than mouse) user. We also hire an experienced accessibility specialist full time as a frontend developer.; ; They've trained most people on our product management, design and development team to test Kooth using screen readers, and accessibility features provided by Windows, macOS and web browsers.; ; As part of our day-to-day release process, new pages and features are tested with macOS VoiceOver, NVDA, and a range of assistive features (page zoom, keyboard accessibility, ..).; ; At least once a year, we also do a thorough audit of at least 50% of Kooth. At that time Kooth is checked in depth with more accessibility technologies (e.g. JAWS, VoiceControl) to avoid assistive technology support bugs.; ; Our lead frontend developer worked for a year as part of the W3C ARIA-AT Community Group, to help identify gaps in how well Assistive Technologies support the Accessible Rich Internet Application (ARIA) specification.
• API: No
• Customisation available: Yes
• Description of customisation: Buyer specific landing pages can be provided.

Scaling

• Independence of resources: Due to the nature of our service, service users all use a single instance of the service.; ; We regularly perform load testing to ensure that we can handle volumes of traffic larger than historical peak usage.

Analytics

• Service usage metrics: Yes
• Metrics types: A broad range of service usage and journey metrics broken down by service type and user cohort
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: All Kooth data is stored at rest within Google Cloud Platform (GCP). All disks are encrypted by GCP to protect against loss of disks. Data with higher security levels is stored with a further layer of encryption, using CBC-AES-256.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users can export their data by making a subject access request through their account to a practitioner who will then escalate this via internal processes. This is done so users can maintain their anonymity, in contrast with direct email approach. Users can also email the Data Protection Officer at DPO@kooth.com with such a request, although in doing so will compromise their anonymity as a user.
• Data export formats: Other
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Kooth does not commit to specific Service Level Agreements (SLAs) for our service. We do however use SLO (service level objectives.) Our SLO for the core service is 99.65% availability across a seven-day period. This is equivalent to a single five-minute outage per day. In practice our availability never falls below 99.95%. During core service hours we maintain higher levels of availability, in practice. Our response time for an alert is 10 minutes for a P1 during service hours and 30 minutes for a P1 during all other times.; We run our services as high availability which ensures that data and other resources are stored across at least two availability zones within the Google Cloud Platform region. Kooth data is hosted in the europe-west-2 region (London) of the Google Cloud Platform. Data hosted at this location is used for service delivery.
• Approach to resilience: Kooth's service compute infrastructure is run on Google Cloud Platform and provisioned across three availability zones. Each zone runs separate physical infrastructure and is resilient to other zones becoming unavailable. Kooth's data infrastructure is run on GCP (Cloud SQL) and configured to be high availability. Each database runs with an active master and a passive standby in different availability zones. Data is replicated at a disk level between the zones. In the event of the master failing (e.g. due to utility failure) the database would fail over to the stand-by zone and continue running. All services are run in Google Cloud data centres with redundant power supplies and back-up generators.
• Outage reporting: Customers will be regularly informed of incidents and outages that have affected the system after the fact. As the system isn't directly utilised by the customer, this is not real time. Instead, the Regional Manager in charge of the contract will reach out to the commissioning authority to ensure they have complete transparency.; For planned outages Customer will receive two weeks notice in advance.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: All Kooth staff and contractors must have sufficiently complex passwords. Access to email, documents and service infrastructure is controlled by Google Single Sign On and all staff are required to have enabled two-factor authentication. Source Code is stored in GitHub and engineering staff are required to have two factor authentication enabled. Staff are required to use a password manager for storing passwords and system credentials. System credentials are securely generated according to industry best practice. If access is required, a secure solution using Google Single Sign-On credentials is used.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institute (BSI) Assurance UK Limited
• ISO/IEC 27001 accreditation date: 10/11/2023
• What the ISO/IEC 27001 doesn’t cover: All activities are covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have a standard set of policies and processes to maintain and review the security of our platform. We operate continuous automated outside-in penetration testing, two levels of firewalls inside our network, and automatically raise alerts for investigation when an attack is detected. We have a set of processes and policies for managing our systems. This includes defining clear owners, the sensitivity of the data managed, the processes to maintain the systems, and processes for periodically reviewing access using audit logs.; ; Ultimate responsibility for information security rests with the CFO, but on a day-to-day basis the CTO will be responsible for managing and implementing the policy and related procedures. ; Line Managers are responsible for ensuring that their permanent and temporary employees, trainee and contractors are aware of: information security policies applicable in their work areas, their personal responsibilities concerning information security, and how to access information security advice.; All Users shall comply with information security procedures including the maintenance and management of Data confidentiality, Data integrity and Data erasure. Failure to comply with policies may result in disciplinary action being taken against one or more individuals.; ; All of this is encapsulated in DP-04 (A) Data Security & Information Governance Policy.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes are agreed and documented in Kooth's quality management system (QMS). References to changed code or configuration are tracked in there. Changes are programmatically applied to test environments managed by automated configuration management. Signed off changes are released to production environments and recorded via an automated process. All changes to production pass through technical quality reviews: code review, quality review, product sign-off and continuous external security review and monitoring. Engineers review OWASP principles as part of design and implementation activities.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to notifications of vulnerabilities from all providers. Vulnerability notifications are assessed for impact and are patched by engineers or automatically via our public cloud provider, Google Cloud Platform, which hosts our data and service infrastructure. Most patches can be deployed within an hour. We engage an external provider to test our technical systems for vulnerabilities once per quarter as well as performing larger-scale ad-hoc security tests. We use monitoring to alert the engineering team to any attack taking place.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In the event a breach should occur, we have a comprehensive data breach policy. We monitor the usage of our enterprise data storage for any potential accidental or malicious leaks of data. We have monitoring for compromises which alerts engineers. We monitor our service for common attacks and block them at the edge of our network. All actions on our infrastructure are logged for auditing purposes. Any employee has a responsibility to report suspected data breaches. An investigation will be started within 24 hours of a breach being discovered, following steps laid out in our data breach policy.
• Incident management type: Supplier-defined controls
• Incident management approach: During service hours, P1 incidents are acknowledged within 10 minutes. During all other hours, P1 incidents are acknowledged within 30 minutes. A P1 incident is defined as any incident preventing use by a significant number of practitioners or service users. We have comprehensive documentation for on call engineers on how to respond to alerts. Customers can report incidents to their customer contact but most incidents are caught by automated monitoring. Incident reports are routinely created and available on request. We notify customers of major impacts to their services or data after the fact.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Kooth is committed to reducing carbon emissions and reaching net-zero by 2030. As a primarily digital company, our environmental footprint is low due to service users not having to travel to appointments, low physical office presence, and digital casenotes.; ; We are committed to understanding our emissions and consequently reducing them. We have received and are considering a final proposal from a third party environment and sustainability consultancy following an extensive procurement process. Once complete, we will work alongside the consultants over a number of months to calculate our Scope 1, 2 and 3 GHG emissions and build a CO2e report. This will help inform a co-produced Carbon Reduction Plan, an example draft of which is available on request.; ; Kooth and the consultants will submit our findings for independent verification by a Carbon Certification scheme like Natural Carbon Solutions. This work will help form the basis of our Sustainability Strategy and Policy (in draft) and sustainability page on the Kooth PLC webpage. This work will all be captured and communicated to the wider Kooth organisation through a series of workshops and training sessions with the consultancy. These will present our Sustainability Strategy and up-skill our workforce on their contribution to reducing carbon emissions and net-zero.; ; In the meantime, we are taking internal steps to decrease our carbon footprint. We have implemented a new travel booking system, designed a new mileage expense system to support climate positive decision-making on employee travel. In offices, printing is minimised, recycling readily available, and fair–traded & environmentally sound goods are purchased. ; ; To ensure accountability and transparency, we will establish clear metrics and benchmarks to monitor the progress of our climate initiatives. Regular reporting will be conducted to share our achievements, challenges, and areas for improvement with our stakeholders, including users, commissioners, and the wider public.

  Tackling economic inequality

  Pay disparity and unequal compensation are critical issues for businesses to understand, especially along the lines of gender. Kooth recognises this, and has developed an unbiased, fair and continuous review system that includes the employee, manager, people team and executive to ensure each employee feels valued, fairly compensated, and that high performance is rewarded. During our last salary review, we invested in a salary survey by Towers Watson, in addition to benchmarking against NHS banding for clinical staff. Together, these provided a salary comparison with an industry benchmark across all roles and levels to ensure that all salaries sat at market value. This benchmark is conducted using the NHS banding system for our clinical and service delivery teams, competitors and industry leaders for the wider team, and internally to ensure cross functional equity. This complements our fair and transparent internal promotion and salary increase process based on criteria and past performance. We utilise a scoring system within end-of-year reviews, which considers job performance, values, and behaviours.; ; Locally, our engagement leads work with job centres and other community hubs in economically disadvantaged areas as a priority. This reflects the prevailing evidence that socio-economically disadvantaged individuals over-index in mental health issues but are less likely to engage with support.

  Equal opportunity

  To ensure we reach disadvantaged groups within our recruitment, we run campaigns through various platforms, including targeted hiring through BACP/NHS job boards. This is supported by an unbiased recruitment process, as well as ongoing training for hiring managers to reduce bias and support safe recruitment practices. Our recruitment process includes:; - Blind CV screening; - Psychometrics tests ; - A three-panel interview process including structured interviews, a competency-based assessment and a skills-based task. ; - Our talent team is investigating a guaranteed interview scheme for disabled people to build on the commitments we are looking to make through the Disability Confident Scheme (see below).; ; We also provide alternative entry-level opportunities, including apprenticeships, practitioners in training and internships.; ; Our recruitment data shows that this approach is effective at building an inclusive, diverse and accessible business. Across the past year-to-date, 7% of all hires (n=100) declared an awareness of a disability, 28% identified with an ethnic minority/global majority group, and 13% identified with a sexuality other than heterosexual. 73% of all newly on-boarded employees identified as female or non-binary. In areas of the business that reflect male-dominated professions, we have increased female representation: within our engineering team, of the 26 hires this year (2023) 46% identify as female or non-binary, and we continue to work to bring this to 50% in Q2 of 2024. We ensure that all our subcontractors have the same standards and values, too. Digit, the web design agency supporting the website build, only includes requirements that are necessary and justifiable for the effective performance of the job. They ensure that job descriptions do not restrict applications from candidates as a result of a protected characteristic, and review selection steps and tools to ensure they remain inclusive.

  Wellbeing

  Our people team’s focus has been the promotion of psychological safety and inclusion in our workplace. We have created a wellbeing hub, which brings together articles, videos, and activities to support mental and physical wellbeing both in the workplace and beyond. The Wellbeing Hub is our gateway to mental health services through EAP provision, and a contact point for our Wellbeing team accessible to all employees. Our Wellbeing Champion team is currently 52 employees strong from across the business, all of whom are trained in mental health and wellbeing, and can escalate issues to line managers and the People team, and the dedicated Freedom to Speak up and Wellbeing Guardians. 26 of these Champions have been upskilled as Mental Health First Aiders, with all 52 scheduled to receive the training by the end of Q4 2023. Our dedicated Wellbeing Guardian, Dr Matthew Patrick, reports directly to the board and oversees our commitment and alignment to the NHS Wellbeing Guardian Framework.; ; We have launched “KooMA”, our Management Academy, designed to train, help and support our managers to lead their teams. This includes early-stage manager training focused on best practice techniques, familiarisation with company policy, ongoing support, and ‘refreshers’ for experienced managers, specifically including diversity and equality training.; ; Locally, Kooth engagement leads routinely raise awareness for wellbeing opportunities and mental health support alongside the Kooth service in a locality. They concurrently share insights with other providers, the NHS, and local government to support overall population wellbeing and inform strategic health and commissioning decisions.

Pricing

• Price: £64.57 to £72.64 a unit an hour
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@kooth.com. Tell them what format you need. It will help if you say what assistive technology you use.