DEBIT FINANCE COLLECTIONS PLC

Legend by Xplor - Leisure Management Software

Our leading, easy-to-use software helps sports, leisure and recreation centres, communities,clubs and federations attract and retain customers, spend less time on admin, delivering a great experience. With online booking,scheduling,access control,payments,reporting,client relationship management,self-service,and automated marketing, Legend is everything you need to run your business, grow revenue and build your leisure community.

Features

• Fully managed SaaS solution
• Fully hosted service
• Disaster recovery and backup as standard
• Fully responsive online member portal
• Built-in KPI dashboards and Business Intelligence (Reporting)
• Extended support with remote access to system
• Open architecture with full access to API library
• Integrated DD solution with realtime updates
• Software upgrades every 4-5 weeks
• Self-Service capabilities including online and mobile platforms

Benefits

• Configure multiple sites from within the one database
• Reduce third party integrations with single solution
• All users have access to the support desk
• Schedule reports to be produced and sent via email
• Automate customer journey marketing campaigns
• Track company progress with dashboards and targets
• Reduce front desk staff pressure with Self-Service software
• Members manage their own account through online portal
• Optional inbound membership management service
• Access to end-to-end service for revenue collection with contact centre

£288 to £980 a unit a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@xplortechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

869719401337652

Contact

Melissa Thirtle
02038 301 400
bids@xplortechnologies.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No, all maintenance is conducted with no downtime experienced
• System requirements:
  • All Windows operating systems that are in main-stream support
  • Browser: must support TLS 1.2 and above
  • Citrix Receiver 4.9 LTSR
  • Processor: Pentium 2 upwards
  • RAM: 256 MB
  • Hard Disk: 500 MB of available space is required
  • Display: 1024 X 768 high colour, 32 bit or higher
  • Tablets for use with the Program Registration need Android OS
  • IE 11.0+; Latest versions of Edge, Chrome, Firefox, Safari

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Incidents are acknowledged depending on their Priority, as detailed below:; Priority 1 = 1 business hour; Priority 2 = 3 business hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide all staff users with access to:; 1. Support portal 24 hours a day 7 days a week where users can raise and monitor tickets. ; 2. A staffed help desk 7 days a week. ; 3. Legend Bytes which provides online documentation repository for all Legend modules. Legend Bytes supports a 'fuzzy search' to enable customers to be directed to the exact documentation they require.; The support service is included free of charge with the Core licence fee.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Legend has adopted the internationally recognised project methodology of PRINCE2 for delivering projects in partnership with our clients. Legend conducts training onsite with you in groups of up to 15. The training is split into specific categories and is tailored to meet your business needs. As standard Legend will conduct Front of House, Back of House and Super User training and all training sessions are supported with documentation. If you select added value modules then additional training is required to ensure your staff are fully trained in the specialised modules.; Legend also has the option to provide online training which can be used for initial set up or ongoing training for new starters. You will be given a project manager throughout the implementation and a project tracker which is managed by Project Managers from both teams to ensure the project is delivered on time and implemented exactly how you require.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data is readily available for extraction by using the Legend Reporting tools. The format of the extract will be CSV. Where specialist intervention is required from Legend, you should expect to pay the full daily rate. Legend will always work to minimise the likelihood of this additional cost being incurred.
• End-of-contract process: Legend shall:; a) return all Customer Data held by the Supplier to the Customer within thirty (30) days of termination in an industry standard format and on an industry standard media, or as otherwise mutually agreed;; b) destroy or delete any copies of the Customer Data on the earlier of: (i) ninety (90) days from the date of termination and (ii) fifteen (15) days of the request of the Customer, and provide; and; c) upon written request of the Customer, execute and deliver to the Customer a certification that all Confidential Information of the Customer including all Customer Data, has either been returned, deleted or destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All of Legend's web modules are fully responsive and therefore no difference between mobile and desktop service.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: Legend has an open architecture and also has a fully documented API library to enable customers to have secure integrations with 3rd party systems. Being an open system, Legend supports numerous 3rd party integrations with a growing list. Examples include Brief Your Market, Cap2, Dotmailer, Nortech Controls, Retention Management, Technogym MyWellness, TRP, VeriFone, 4Global, TRP and Savvy Gift Card. ; ; Public API; Provides public data, such as publicly available timetables. This conforms to OpenAPI.; The OpenAPI specification is here: https://publicapi-uk01.legendonlineservices.co.uk/swagger/; ; Customer API; Provides sensitive functionality and data, such as joining a member. This does not conform to OpenAPI, but is RESTful.; The documentation can be found here: https://api.legendonlineservices.co.uk/Help; ; Our integration options currently include the following:; ; RESTful APIs; Retrieving prices, timetables, member information and supporting data; Creating members, account-holders and prospects; SOAP based APIs (these are being deprecated in favour of RESTful services); Creating accounts; Discovering pricing; Polling for changes; Other Integration Options; Timed export of reports in various formats to SFTP, email or shared Legend folders; Synchronisation service to export data to SOAP or RESTful services on internal changes; Interface points for querying external systems for account synchronisation, payment card updates and other data from point of sale.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Xyz, a user-friendly system for managing large multi-facility, multi-site organizations, offers intuitive configuration options. It allows centralized changes at the enterprise, regional, or site level. The booking module enables authorized users to create activities, assign resources, and set prices. Xyz streamlines workflows across sites, making it easy to edit locations and activities. Detailed pricing structures for members and non-members are also part of the system. Additionally, Xyz provides a time-saving bulk import feature for quick additions to the booking timetable.; The first part of the implementation is understanding your business requirements, how you want the system work and planning in key milestones for the project. Your team will work alongside our experienced implementation team in a series of configuration workshops to customise the system, add resources, locations, inventory items, memberships and agreements to ensure that from the first day, all bookable resources are available on all platforms (Front of House, Online, and Native App).

Scaling

• Independence of resources: All Legend’s systems are scaled to meet enterprise performance levels of responsiveness and redundancy.; Legend is a Windows Enterprise solution running on a virtualised infrastructure in a private cloud run on Legend’s servers with load balancing within the infrastructure and capacity planning.

Analytics

• Service usage metrics: Yes
• Metrics types: Logins over time and data volumes are provided through real-time dashboards and regular reports.; Legend also provides customers with monthly dashboards keeping them updated with the amount of support tickets that have been raised, investigated and closed. The dashboards allow customers to see detail on how the tickets were closed and by which department.; Legend also supplies a customer scoresheet which shows the spread of bookings I.e. online, self-service or in house. Legend also provides details on the amount of users, risk scores and financial income.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Legend provides full access to Legend reports where customers can extract all member data from the system and export in XLSX, CSV or PDF.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • XLSX
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), monthly network scans and periodic external penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed, and server hardening and patching policies in terms of our ISO 27001 processes. All key systems are monitored around the clock.

Availability and resilience

• Guaranteed availability: Our standard uptime target is 99.95%
• Approach to resilience: The infrastructure has been designed and configured to ensure that security is handled and risks are minimised in case of malicious attack. ; As a minimum, Legend ensures web applications are protected against OWASP Top 10 vulnerabilities. The infrastructure has been designed and configured to ensure that security is handled and risks are minimised in case of malicious attack. We use Trend Deep Security anti malware/anti-virus software.; The Legend solution has a number of independent security measures to detect and block any attacks originating from an outside source. This includes firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), quarterly internal network scans and quarterly ASV scans, and annual penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed. Server hardening and patching policies are also in place and governed by our ISO 27001 processes. All key systems are monitored 24x7. ; DDoS protection is handled within the facilities of our data centre partners. One of the criteria for our choice of data centre partner is based on the standard of their centres, TIER III plus, their capacities, and their ability to handle large scale DDoS attacks.
• Outage reporting: Outages are reported to our customers through incident notifications, via e-mail

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Users are initially authenticated within our Active Directory domain. Once successful at this stage, they must also authenticate against the Legend database. Their workstations must also be registered within the system otherwise, access will not be granted.; 2FA is available as an optional service.
• Access restrictions in management interfaces and support channels: Management access is restricted to specific pre-authenticate users. Some areas are only accessible over a VPN (with IP based whitelisting) and other areas are only accessible through MFA (mobile token)
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: All management access requires usernames and passwords to gain initial access onto the system. For certain functions, this must take place over a dedicated VPN (with IP based termination). For sensitive areas of the system, users must also use MFA to gain access (second token is a mobile device).

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 21/07/2019
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Cianaa Technologie
• PCI DSS accreditation date: 10/10/2023
• What the PCI DSS doesn’t cover: All services provided by Legend relating to Membership Management are included in the scope.
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO27001/ISMS. The Management team reviews the ISMS quarterly looking closely at risk, new standards, incidents, audits and corrective actions seeking to continuously improve the system; All staff are given training on Information Security and the Legend ISMS as part of their induction process. Annual refreshers are conducted in the form of briefings and staff surveys to test understanding and awareness. Developers regularly hold briefing sessions on threats pertinent to coding and system administrators regularly review infrastructure threats. Management periodically tackle scenarios to role-play situations and ensure preparedness to respond swiftly in event of an incident.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: As part of our ISO27001 and ISMS procedures, a full change control process is followed for any change in components, services or configuration. This includes a full security assesment.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The Legend solution has a number of independent security measures to detect and block any attacks originating from an outside source. This includes firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), quarterly internal network scans and quarterly ASV scans, and annual penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed. Server hardening and patching policies are also in place and governed by our ISO 27001 processes. All key systems are monitored 24x7.; All known vulnerabilities are logged in a risk register as part of our ISMS processes and tracked until closure.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.; This will be dependant on the failure, if for instance there is total failure, whilst waiting for system recovery through Disaster recovery or other means, it will not be possible to send a system message to users through Legend. However, Legend has a documented process for contacting your key staff members to inform and help disseminate information on system status.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  Xplor is committed to achieving net zero by 2025. This will be achieved by:; • Reducing waste, towards zero waste having implemented waste management plans in our office in Newcastle.; • Reducing travel emissions having implemented carbon offsets for all flights staff have to take and encouraging the use of public transport wherever possible.; • Supporting customers in achieving their sustainability goals.; • For Earth Day, we hosted Catherine Uden from ocean conservation and advocacy organisation Oceana to help us learn more about plastic waste and how we can reduce our impact. Reducing waste is part of our commitment to the United Nations Sustainable Development Goals, an international framework and best practice for sustainable business practices.

  Tackling economic inequality

  • Xplor is supporting young people in Newcastle into work by delivering employability support (e.g. CV advice, mock interviews, careers guidance).; • Due to the increased level of remote working, local residents would be welcome to apply for positions within Xplor where we pay above industry standards. ; • We strive to create a globally diverse, high-performing workforce that mirrors the countries, communities, and customers we serve. ; • We are an equal opportunity employer that doesn’t discriminate on an individual’s race, color, gender, national origin, religion, age, sexual orientation, gender identity, gender expression, genetic information, physical or mental disability, pregnancy, marital status, or any other status protected by country, federal, state, region, or local laws.; • Xplor offers employees access to a free training platform allowing them to upskill and develop new skills in areas relevant to their role or with regards to new areas within the business they wish to pursue.; • Xplor offers a healthcare package to all employees with the aim of supporting staff with physical and mental health issues, resulting in reduced absenteeism.

  Wellbeing

  Increasing participation is at the heart of what Legend by Xplor stands for. The software provides the tools to enable the Council to engage with more people in the community and promote healthy living.; ; As the system can aid the Council in increasing participation due to the simplicity of the booking process, simple joining process and ability to book guests into exercise classes, the system can:; • help people live healthier lives; • help older people become more mobile, which in turn reduces the burden on the NHS ; • help reduce falls in the community; • help to reduce the risk of cardiovascular disease and cancer ; • help reduce antisocial behaviour in young people. ; ; Specifically, there are modules within the Legend portfolio that can have a big effect on the above outcomes, and we would suggest discussions are held to explore how these modules could be used to achieve agreed Social Value outcomes.

Pricing

• Price: £288 to £980 a unit a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@xplortechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.