QUALITY EDUCATION SOLUTIONS LIMITED

Chameleon Case Management

Flexible case management and review system for public sector. Supports the sharing of multi-agency information with action tracking, lessons and recommendations, meeting management and instant real-time reporting. Improves security and efficiencies (e.g. automatic chasing of forms) including a chronology tool for automatic consolidation of multi-agency data responses.

Features

• Real-time reporting with visual dashboards, including heat maps
• Lessons, themes and recommendation management
• Multi-agency information sharing via notification and enquiry forms
• Automatic chasing of form completion
• Sophisticated chronology feature to consolidate multi-agency responses
• Action tracking to track task accountability
• Meeting management, including invitation management and secure meeting information distribution
• Flexibility to locally configure forms
• Task management, highlighting forms and actions awaiting progress
• In-depth case word and document search for key fields

Benefits

• Secure and UK GDPR compliant with multi-factor authentication
• Saves significant administrative time, proven to improve efficiencies
• Standardisation of case management with partners
• Unlimited number of user licences and partners
• Future proofed with regular product evolution
• Supported within our customer care team, including training
• Accessible on mobile devices
• Optional ability to customise forms

£6,125 to £9,950 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at emmamoreton@qes-online.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

882748803501365

Contact

Emma Moreton
07889 435679
emmamoreton@qes-online.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Internet connectivity required, using latest supported Microsoft browsers or Chrome.
• System requirements:
  • Internet connection
  • Latest supported Microsoft browsers or Google Chrome

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Severity 1 issues are acknowledged within 1 hour, with updates every 3 hours and resolved within 1 business day.; ; Severity 2 issues are acknowledged within 1 business day, updates every business day thereafter and resolved within 5 business days.; ; Severity 3 issues are acknowledged within 1 business day, updates every 5 business days thereafter and resolution time is to be agreed per item.; ; Severity 4 issues are acknowledged within 1 calendar week, updates every calendar month thereafter and resolution time is to be agreed per item.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Administrator support is provided to the appointed principle point of contact(s), Monday to Friday 9:00-17:00 excluding bank holidays. Administrative users will have access to our customer care team and an appointed Account Manager, who will be available to support users with any enquiries/issues. The initial remote training is also provided to Administrators as part of the service.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Administrator training is available, via a remote 2 hour webinar. This includes a full walk through of the system. User guides available on request.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users can extract their own data using the built in extract report.
• End-of-contract process: Users will extract their own data. QES will delete the databases and data backups within 30 days of contract completion. A decommissioning certificate can be available on request.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The system is available on mobile devices. There are no differences to the functionality of the system, only basic styling differences to account for the smaller screen.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Web-based application.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: QES are compliant to WCAG 2.1 AA Accessibility standards. QES use Sonarqube within our automated build process, which has automated checks in place to validate the WCAG 2.1 AA standards, and will flag anything to our developers that does not comply so this can be rectified as part of the live release for new system updates. All QES developers use the Chrome plugins: WCAG Colour Contract Checker and the Wave Evaluation tool. These will help to ensure any technical changes to the system adhere to these international standards. QES also use Google Chrome Lighthouse, which has an accessibility review tool. QES run reports using this tool when required, usually during large projects, to again assess compatibility and compliance. These have all confirmed our compliance against these standards with our system.
• API: No
• Customisation available: Yes
• Description of customisation: Forms can be configured, along with email content and customer logos. Further configurations are available, but may be subject to additional costs.

Scaling

• Independence of resources: The application automatically scales to demand and each client has a separate database which can independtly scale if needed.

Analytics

• Service usage metrics: Yes
• Metrics types: Real-time reports available on a series of fields from the notification form within the system. This includes pie charts, bar charts, heat maps, statistic tiles and more. All available in real-time, with filters available and the ability to extract them.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Physical access control - NCSC access control
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can extract their own data from the extract report in the system.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: QES have an uptime of 99.99%, with the exception of planned maintenance.; ; RPO - Service would be reinstated to within 5 minutes of when the event occurred. ; ; RTO - Return to service time will be <1 hour; ; Planned outages are completed outside of standard office hours and completed within 5 minutes of downtime.
• Approach to resilience: This is available on request. We use Microsoft Azure's recommended approach to resilience.
• Outage reporting: The Customer Care team at QES will notify users via email alerts to report on any outages.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: The application has a role based security model where by only users assigned management roles will be able to access management interfaces.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 24/08/2023
• What the ISO/IEC 27001 doesn’t cover: Not applicable - no exemptions.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our information security policies are externally audited during our ISO 27001 annual audits. QES also regularly review these internally during management reviews.; ; The data protection officer is responsible for the maintenance of the security policy, who reports to the Chief Operating Officer and then to the Managing Director. All three staff members meet regularly throughout the year to ensure the policies are following, assigning actions, and monitoring actions to track progress and completion where needed.; ; Our policies are also compliant to UK GDPR, Cyber Essentials and Cyber Essentials Plus standards.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We have a change management team who review all change requests raised by our user group, and schedule them into a product evolution sprint. All changes are subject to a series of automated test controls (SonarQube static application security testing), build validation, release validation, unit tests requiring 100% pass rate, open source library versions, open source library vulnerabilities, open source library licenses and manual test controls including code review, quality assurance review and project management review.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: QES use a 3rd party pen testing company to annually assess the vulnerability of our solutions, All issues are resolved within 1 month of being raised and the application is externally re-tested with a pass in the same period.; We also use Sonarqube in our automated Devops pipeline to scan for vulnerabilities within our code every time we make a change using OWASPs top 10 vulnerabilities.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Microsoft defender for cloud provides threat detection and prevention across the application. QES are notified through the Azure defender portal as well as email and teams alerts. We deploy patches to medium-critical issues within 24 hours and agree a schedule of works for the others.
• Incident management type: Supplier-defined controls
• Incident management approach: Users will raise system issues through the QES Customer Care team and their appointed Account Manager, via email or phone call. The issues will be fixed in line with the service level agreement (SLA), tested with our quality assurance team and released back to the client's environment. Release note documentation will be provided with detail of all issues and solutions ahead of the release with notice.; ; We complete root cause analysis reviews to assess common events, and update the systems back with any fixes to known common events across multiple systems.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  QES are committed to improving wellbeing as a business. Many of our products are leading solutions in the health, wellbeing and safeguarding industry. Our teams are committed to making a real difference to people's wellbeing through the use of software.; ; We are also committed to ensuring the wellbeing of our staff, through conducting regular wellbeing surveys and check-ins, offering counselling support and a range of private health services through Vitality.

Pricing

• Price: £6,125 to £9,950 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at emmamoreton@qes-online.com. Tell them what format you need. It will help if you say what assistive technology you use.