Dynamatix Limited

Audit and Flexy Module

Audit
It will allow audit/ control testing to be planned, executed and post-audit actions tracking. It can integrate with Flexy if data capturing templates are needed for samples in audit checklists.
Flexy
This is for risk & compliance management that allows you to build your bespoke workflows by yourself.

Features

• Flexy : Build Your Own Record Management System
• Flexy : Build your bespoke workflows by yourself
• Flexy : Allow access based restrcitions
• Flexy Record Approval process and customized approval forms
• Flexy : Setup Expiry rules and required actions on Expiry
• Audit: Planning, execution and post-audit actions to be tracked
• Auditors can record observations & findings
• Audit Action Plans & Follow Ups

Benefits

• Flexy : Define Charts that you want for the records
• Expiry actions can be set on flexy records
• Audit Report can be generated to check efficacy of controls

£50 to £250 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kapil.madan@dynamatix.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

899310119342915

Contact

Kapil Madan
07875301828
kapil.madan@dynamatix.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Dynamatix Risk HAWC / DocHub
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements:
  • Need to have Web browser with JavaScript enabled.
  • At least 16 GB RAM available (after accommodating existing applications)
  • Have an Intel Pentium dual core or higher specification CPU.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Dynamatix shall use commercially reasonable endeavours to make the Services available 24 hours a day seven days a week except for (a) scheduled maintenance; and (b) emergency maintenance. ; Dynamatix shall provide the Customer with Dynamatix’s standard support services during Working Hours. Any postimplementation change requests would be charged at £50/ hour (minimum of 2 hours per request).
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: We do not provide Onsite Support
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We have a training team which will work with the users at pre and post launch.
• Service documentation: No
• End-of-contract data extraction: Using a Secure Batch file.
• End-of-contract process: Arrangements will be made to securely transfer the data held in the solution to the client and drop it from our database.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile friendly webpages are available in Windows, IOS and Android Mobiles. These can be packaged as Native apps on client demand.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: We provide REST APIs.; All services as per desktop version.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: By requesting any changes to us and we can modify their setup preferences

Scaling

• Independence of resources: Capacity planning in place. Stress testing performed regularly. The solution is stateless and allows for scalability for both horizontal and vertical architectures, depending on where bottlenecks occur within the system changes will be monitored and resources allocated accordingly.

Analytics

• Service usage metrics: Yes
• Metrics types: Users Audit Log
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Other
• Other data at rest protection approach: 1. Role based access; 2. Access log maintained in tamper proof environment ; 3. Intrusion Detection and Prevention Systems; 4. Encryption of all personal data
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export data in Excel/PDF formats
• Data export formats: Other
• Other data export formats:
  • PDF
  • Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON (if direct integration using REST APIs)

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Intrusion Detection and Prevention systems
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Intrusion Detection and Prevention systems

Availability and resilience

• Guaranteed availability: Availability will be 98.75% or above in each calendar month.
• Approach to resilience: 1. Load balancing - running multiple application servers; 2. Daily backups; 3. Raid 1 configuration for disks; 4. 100% Network Uptime guarantee from hosting provider; 5. 1-Hour Hardware Replacement SLA from hosting provider; 6. Hot Swap disk; 7. Predictive hardware failure monitoring ; 8. Availability monitoring of ports and services; 9. Notification preferences and customer-driven specifications; 10. Disk & RAM capacity monitoring and alerting
• Outage reporting: Email Alerts sent to Admin

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Username and password
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI has accredited the ISO/IEC 27001:2013 Certification
• ISO/IEC 27001 accreditation date: 22/03/2020
• What the ISO/IEC 27001 doesn’t cover: The following controls have been excluded as they are not applicable; 1.Protecting application services transactions ; 2.Outsourced development
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: ISO 27001:2013 ISMS

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001:2013; ; Dynamatix CEO will delegate responsibilities and authorities to department heads to carry out implementation and maintenance of Information Security Management System(ISMS) within the Organisation.; ; The ISMS team is made of representatives from different departments and they are responsible for the operation, maintenance and promotion of the ISMS within their area of responsibilities.; ; The needs and expectations of Dynamatix’s customers, suppliers and other interested parties will be clearly defined and reviewed and verified through documentation and reviews.; ; All applicable policies, processes and procedures and standards will be planned, created, approved, implemented, controlled and reviewed regularly to support the ISMS.; ; The ISMS will be risk assessed and the risks and opportunities that are identified will be addressed to ensure that the ISMS meet its intended objectives.; ; The effectiveness and efficiency of the ISMS will be reviewed via independent internal audits, performance monitoring, management reviews.; ; ISMS Training and awareness needs will be identified and conducted on a regular basis.; ; All non-conformances and issues will be reported to and investigated and suitable action will be taken in timely manner.; ; Appropriate corrective,preventive action(s) to improve the efficiency and effectiveness of processes, procedures and activities are carried out within the ISMS.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Application Change and Release Management covers the implementation for changes in the production environment for internal/external requests. Workflow is defined in JIRA tool. Automated email notifications are sent to concerned during the workflow for their action. An approval for every change is required prior to implementation based on overall impact on application. Code is fixed in Development Environment, Unit Testing. It is handed over to Quality Assurance for Testing. Once approved in all environments then deployed in Production. If errors occur there is a Backout Process. If rejected sent back to the assigned developer with required corrections in the code.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Systems will be patched to minimise vulnerabilities; Email alerts received from US-CERT reviewed to identify then remediate any vulnerabilities in systems; Automatic updates enabled for patches on Windows . Controls in place to ensure and regularly update security patches on systems and automatically apply security updates; Controls to ensure that all systems are fully patched and up to date; Penetration testing conducted for identifying vulnerabilities; OpenVas Vulnerability scanning and management tools are used quarterly to ensure that Servers are not vulnerable to known threats. Scanner executes Network Vulnerability Tests; Anti-virus systems for protection from malicious attacks
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: 1. SNORT - Intrusion Detection and Prevention system is in place on Servers to detect and prevent probes or attacks.; 2. Email notifications are sent for all connections / attempted connections to production servers from non-whitelisted external IP addresses.; 3. Controls in our risk tool, such as server access logs and patch logs monitoring, would ensure that senior managers are aware of backend server access by admins along with the rationale for the same
• Incident management type: Supplier-defined controls
• Incident management approach: Incident management process includes identification of incidents, notification of incidents in the event management system(risk tool), classification of incidents based on the impact categories, investigation to recommend and prevent the incident recurrence, action plan to strengthen the existing controls or design new controls if they do not exist, staff awareness and evaluation based on root cause analysis. The risk assessment would be a part of the Investigation process

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  The company will follow Equal opportunity, which refers to treating all individuals fairly and without bias, regardless of their background, characteristics, or circumstances.

  Wellbeing

  The company will prioritize social connections, foster supportive relationships, actively participate in your community, and develop healthier social connections.

Pricing

• Price: £50 to £250 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The full service is available for trial for one month.
• Link to free trial: https://www.dynamatix.com

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kapil.madan@dynamatix.com. Tell them what format you need. It will help if you say what assistive technology you use.