Trustmarque Solutions Limited

Trustmarque Bedrock in Azure Cloud (NHS)

Complete NHS Data and reporting solution as a service. Lower the cost and improve the quality of delivering reporting to NHS England, commissioners and other stakeholders. SUS, Contracting, Finance, returns, internal reporting as needed. Deliver high-quality, on time, 24x7 secure and reliable availability. Frees your team to deliver real value.

Features

  • Automates, speeds, improves all NHS data and reporting processes.
  • Reliable and Real time. Always on, always available. 24x7.
  • NHS reports. SUS, ACM, PBR, Pathways, SLAM and PLICS
  • Secure. Audits are all automatically stored. Pseudonymisation always available
  • Presents core data as apps need it. Flat, Cube, In-memory.
  • NHS Data Dictionary and terminology but add anything needed
  • Simple management tool allows complete flexibility and extensibility.
  • Data Capture tool validates data at input.
  • Full managed service available as option
  • Automates Static TRUD and other data collection.

Benefits

  • Free-up 80% of data warehouse resources to add-value
  • Reduce user issues and unplanned informatics fixing problems.
  • All your reports automatically. Concentrate on what matters to you.
  • Be secure. All changes controlled and audited. Supply pseudonymised data
  • As you Like it! Don’t waste time on the basics.
  • Official DQ and names or your own. Or both.
  • Collect, validate, store use any data you need. Secure Fast.
  • Avoid the hassle of spreadsheet hell, reduce poor DQ.
  • Use your data specialists to deliver special. We deliver BAU.
  • Use your team to add value. Automated DDCNs, post-codes, GP-codes.

Pricing

£40,000 to £1,500,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@trustmarque.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

893099839860870

Contact

Trustmarque Solutions Limited Lorraine Spence
Telephone: 01904 924089
Email: tenders@trustmarque.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Minimum 500Mb internet link.
Rapid Implementation (6 to 12-weeks) requires timely decisions from Subject Matter experts in Finance, contracting, pathways etc.
Most major clinical systems have existing connectors.
Data access permissions may be needed.
System requirements
  • 500Mb Internet access or direct link to cloud provider
  • Subject Matter expertise in finance, contracts, pathways required.
  • Access to source data.
  • SQL capable devs needed to support solution development.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Level 1 support by mutual agreement.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We provide a standard Service Level Agreement to all our customers. In addition, we provide 24/7 Service Levels and custom Service Levels as required. Please contact us directly for further information.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We work with the Data Warehouse and Informatics teams to deliver the solution.
We train the team to use the interfaces to manage the Bedrock functions after we have worked with them to configure the data inputs, flows and outputs.
We also provide the cloud infrastructure and design offering a Hadoop based cluster to support limitless scaling.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The users can retain their own data warehouse with standard SQL access to all of their data and tables. We can assist in moving these to an alternative platform as required.
End-of-contract process
At the end of the contract we can continue to host the data tables for an agreed paid-for period or the users can download a full extract of all of their data fields including their technical documentation describing fields, tables and validation criteria.
We are happy to work with and support users through this process.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Mobile reports are designed to meet phone and tablet formats.

Desktop has more descriptive visuals and a more in-depth analysis, whereas the mobile version will be more high level at most parts but more detailed when drilling down.
Service interface
Yes
User support accessibility
WCAG 2.1 A
Description of service interface
Users have a standard web browser interface.

We use extensions to SQL Server Development server for technical and some management interfaces.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Run through a set of standard tests. Collated feedback over time to address usability.
API
Yes
What users can and can't do using the API
Users can extract and update data using a REST API
API documentation
Yes
API documentation formats
Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Management users can create and document all types of objects:
  • New tables, and link them to existing data.
  • Add new fields. Can set up simple or complex DQ rules that inputs to the fields should meet.
  • How the system responds to DQ exceptions.
  • Create field synonyms.
  • Build and document data processing and aggregation steps.
  • Create user accesses.

End users can change reporting and dashboards as allowed.

Scaling

Independence of resources
The system is cloud based and can scale to virtually infinite size (and cost). The actual cloud database is not shared. Each client may choose to have an entirely independent cloud service.

The main shared resources are access from the users to the reporting tools. We recommend a minimum of 500Mb Internet access. Some customers use a dedicated line as needed.

There are reporting tools in the system that raise alerts for poor performance. These can be trapped and addressed as needed.

Analytics

Service usage metrics
Yes
Metrics types
At an audit level we provide access to tables showing who has used what data.

We provide metrics on Cloud costs. Users can tag data uses or users and report costs and usages separately.

We also report technical metrics reflecting cloud service loads and capacity.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
NCS-IT

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
End users can be given explicit ability to download their data. This is an audited step. This can be done by selecting the data download button.
For other uses data extracts can be automated as needed.

For data sharing it is possible to set up an end user workbench for partners to share your data without using it.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • SQL backups
  • Spreadsheets
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
Database access

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We offer 99.99% uptime. For a reporting service this will generally meet most requirements.
Other SLAs and all service credits are dependent upon requirements, additional services and the details of agreements with specific customers.
Approach to resilience
The system uses cloud vendor resilience such as Azure Site recovery.
Outage reporting
Outage reporting is delivered via emails.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
All security is based upon Microsoft AD extensions. User access is controlled by reference to custom variables.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
LRQA
ISO/IEC 27001 accreditation date
06/03/2023
What the ISO/IEC 27001 doesn’t cover
Anything that is NOT covered in the following: Information Security for the provision and support of the end-to-end IT services; software, cloud, cyber security, managed services and datacentre solutions; including strategy, planning and integration, licensing, deployment, and management of third-party service providers. In accordance with Statement of Applicability version 5.n.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
We maintain and host PCI DSS compliant solutions
PCI DSS accreditation date
21/07/2023
What the PCI DSS doesn’t cover
Trustmarque is PCI-DSS Level 4 Compliant
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • N3
  • PSN
  • ISO22301 (Continuity and Data Recovery)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
The service is delivered in accordance with ISO 27001.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We maintain a documented Configuration Management policy, based on industry best practices, to harden the SaaS environment, and a Change Control Policy to manage changes to the SaaS environment.
  • Changes to the Configuration Management policy are processed through the Change Management policy.
  • Change Management includes approval, testing, implementation and rollback.
  • Support staff members initiate a change through a change control form, which the Change Advisory Board team reviews for completeness, impact and scheduling. The severity level of the change is categorized.
  • Once the form is approved, the change is scheduled and an alert is released to the necessary groups; once the change is made, it is tested, validated and closed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We receive threat information and explore threat resolutions from the 3rd parties.

Regular internal and external vulnerability assessment tests are performed against the SaaS environment. The risk methodology is based on NIST standards, including:
  • Identifying and characterizing threats
  • Assessing the vulnerability of critical assets to specific threats
  • Determining risk (i.e., expected likelihood and consequences of attacks)
  • Identifying ways to reduce risks
  • Prioritizing risk reduction measures based on strategy
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our cloud support staff have configured the system to notify IT personnel if central processing unit (CPU) utilization is too high or disk space is limited, or about memory issues, key service failures, bandwidth utilization, power consumption, or other performance items. IT Operations has subscriptions to pertinent vendor security and bug-tracking mailing lists. After analyzing the severity and impact, network, utility and security equipment is patched or upgraded.
Incident management type
Supplier-defined controls
Incident management approach
We maintain an Incident Management Plan as part of our Information Security Program. Incidents are reported to and resolved by the appropriate Cloud Operations team and by senior management where needed. Alerts, responses and resolutions are tracked through completion. In the unlikely event of an incident, we will notify customers within two business days of any customer data that is affected. Incident logs are reviewed by applicable support personnel for analysis and remediation to avoid further incidents of similar type. All remediation actions are reviewed and approved by our Information Security Governance Committee.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
Health and Social Care Network (HSCN)

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Trustmarque's Environmental Policy and Carbon Reduction Plan include delivering and supporting actions on reducing our carbon footprint and our impact on climate change. We have set a target to achieve net zero by 2035. Our policies include 'Virtual First' meetings, energy reduction plans, flexible working, green software solutions and associated services from innovative suppliers to promote digital environmental innovation, promoting sustainable procurement. Please contact Trustmarque to discuss the provision of Social Value. Any Social Value deliverable must be agreed with Trustmarque and be proportionate to the contract value and scope.

Covid-19 recovery

Trustmarque can provide re-training for those left disadvantaged by Covid-19 through skills training, CV and interview workshops. We promote employment and skills by working with Buyers to identify individuals who can benefit from our incentives, which can include workshops to develop and help those who face barriers to employment and increase digital accessibility for communities and hard to reach groups. We can also provide access to apply for apprenticeship and work experience opportunities. Please contact Trustmarque to discuss the provision of Social Value. Any Social Value deliverable must be agreed with Trustmarque and be proportionate to the contract value and scope.

Tackling economic inequality

Trustmarque tackles economic inequality through operating a diverse supply chain including many SMEs and micro businesses. Our access to a broad range of suppliers ensures both resilience and capacity. Trustmarque is continuously refining our supply chain to meet the ever-changing needs of our customers and to ensure we can always offer the best solution through capability, capacity and resilience at the best price. Our vendor agnostic approach among suppliers allows us to support innovation and disruptive technologies to deliver lower cost and/or higher quality goods and services to customers. Please contact Trustmarque to discuss the provision of Social Value. Any Social Value deliverable must be agreed with Trustmarque and be proportionate to the contract value and scope.

Equal opportunity

Trustmarque operates an Equal Opportunities policy that outlines our commitments including creating a workforce that reflects the diversity of our communities. Other initiatives include supporting disabled people to develop skills and supporting in-work progression. Trustmarque is a Level 1 Disability Confident employer, demonstrating our commitment to employing a diverse workforce so all can flourish. We are committed to a policy of treating all our employees and applicants equally. We are committed to creating an environment where diversity is valued and respected and where our people can bring their different perspectives, and whole selves to work. Inclusivity and equal opportunities for all colleagues are paramount. Trustmarque is a Living wage employer, and we offer 14–18-month apprenticeships. In February 2024 we launched Encircle our DEI network – made by colleagues, for colleagues to support Diversity, Equity, and Inclusion in the workplace. Please contact Trustmarque to discuss the provision of Social Value. Any Social Value deliverable must be agreed with Trustmarque and be proportionate to the contract value and scope.

Wellbeing

We align our approach to mental wellbeing to the six standards in the Mental Health at Work commitment, including staff work and wellbeing sessions, flexible working, speak-up policy, etc. We have a dedicated team of qualified Mental Health First Aiders who offer support to all Trustmarque Group Colleagues to offer advice regarding how to support and signpost – this is linked to the ALGEE mental health action plan. The Work+Wellbeing team also facilitate workshops or share resources to support wellbeing within the workplace, this can be found on our Work+Wellbeing team via the Trustmarque Hub. We have an Employee Assistance Programme which is available 24/7 to all Trustmarque Group Colleagues. Please contact Trustmarque to discuss the provision of Social Value. Any Social Value deliverable must be agreed with Trustmarque and be proportionate to the contract value and scope.

Pricing

Price
£40,000 to £1,500,000 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
A basic offer to access elements of the software in the cloud.
