Mvine Limited

Cloud software: Distributed Digital Identity Managment

Mvine implements Content Service Platforms designed and personalised for inclusion of all your customers. Provide customer interaction with cyber-secure digital assets plus voice, video and chat. Set-up Mspaces offering zero trust privileged access to protected information. Deploy digital experience platforms and assistive technologies integrated with cloud and hybrid applications.

Features

• Secure collaboration and communication tools
• Digital asset management for documents video audio and more
• User and content provisioning tools for administrators
• Headless content management, orchestration engine
• Headless data management, orchestration engine
• Active customisable dashboards with presence and real time alerting
• Headless communications orchestration engine
• Dynamic authorisation and authentication orchestration
• Mobile access iOS Android tablets or dedicated app
• Integration with existing apps via web services and native APIs

Benefits

• Publish content from multiple content sources
• Render live data from multiple data sources
• Providing real-time zero trust architecture
• Dynamic role-based access to content and data

£40,000 an instance

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at accounts@mvine.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

917518977786908

Contact

FRANK JOSHI
+44 208 392 4820
accounts@mvine.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: The service doesnt have any constraints as has full deployment and integration flexibility to suite client demands.
• System requirements:
  • The buyer will typically provide the domain name.
  • The SSL certificate is to be provide by the buyer.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: SLA support agreements vary from customer to customer. Mvine offers standard UK support, Monday-Friday 9am-6pm, as well as 24x7x365.; ; Mvine provides a team of support engineers through support@mvine.com, which utilises the Zendesk ticketing system.; ; Clients who email support@mvine.com expect to have a response within 1-2hours for Critical/P1, 4-8hrs for High Priority/P2, and within 24hrs for Medium-Low Priority/P3. Critical/P1 issues are also followed up with a 'heads up call' in order to notify staff through telephone notifications.; ; If requested, all information is contained in the Mvine SaaS Agreement - schedule C.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: In accordance to WCAG 2.1 AAA guidelines, Mvine undertakes 3 types of testing on an annual basis:; ; [01]. Simplified testing, which covers a small sample of pages and uses mainly automated accessibility testing with some manual testing; ; [02]. Detailed testing, which covers a wider range of pages, each tested against all relevant WCAG success criteria; ; [03]. Mobile app testing, which is similar to detailed testing, but across the screens and flows within mobile apps; ; For all test types, Mvine creative and testing IT team documents a findings report to the Mvine development IT team, who then have time (4-8 weeks) to make fixes.
• Onsite support: No
• Support levels: SLA support agreements vary from customer to customer. Mvine offers standard UK support, Monday-Friday 9am-6pm, as well as 24x7x365.; ; Mvine provides a team of support engineers through support@mvine.com, which utilises the Zendesk ticketing system. Customers can also call into the Mvine office for over the phone support.; ; In summary, Mvine Support is typically provided during Standard Support Hours, manned telephone and email allowing notification of an issue by the Customer during agreed Support Hours, monitored email based notification of a substantial incident affecting the Customer, problem assessment and responsibility as provided in the following tables in this Schedule C below: Table 1 – Levels of support and Table 2 – Support Matrix, target response times for support incident reporting as provided in the following table in this Schedule C below: Table 3 – Incident Categories, calls received out of Standard Support Hours will be recorded and responded to within Standard Support Hours, Mvine may action an email received outside of Standard Support Hours but does not promise to do so until the next Business Day.; ; If requested, all information is contained in the Mvine SaaS Agreement - schedule C.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Whilst the service is self-explanatory and users typically do not need extra training, we do provide the following: Online training, onsite training when required as well user and admin guides. The guides are typically a pdf document supported by a video.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Admin users have the facility to extract all user data, usage reports and analytics by downloading those in csv files. Any assets stored within the platform are provided by us to the client via SFTP location that they can access to download them.
• End-of-contract process: The standard pricing invcludes providing the client with full user data and usage report (csv format) plus all assets downloadable from an SFTP location. After the service termination and once the data is provided to the client, the server is completely destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Fully responsive for iPhones, Androids, tablets with the ability to develop for native mobile apps
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: The service interface is a web based portal where depending on the configuration users can securely access products (assetc) and manage those. Admin users have access tro the configuration screens where they can configure the product and users prior to using the service.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: In accordance to WCAG 2.1 AAA guidelines, Mvine undertakes 3 types of testing on an annual basis:; ; [01]. Simplified testing, which covers a small sample of pages and uses mainly automated accessibility testing with some manual testing; ; [02]. Detailed testing, which covers a wider range of pages, each tested against all relevant WCAG success criteria; ; [03]. Mobile app testing, which is similar to detailed testing, but across the screens and flows within mobile apps; ; For all test types, Mvine creative and testing IT team documents a findings report to the Mvine development IT team, who then have time (4-8 weeks) to make fixes.
• API: Yes
• What users can and can't do using the API: We provide restful API that can be used by clients to manage data and assets i.e. add those, read, edit and remove those via API.; Users can also be managed via an API.; Any content within the portal can be extracted via the API.; Usage reports are also available via the API.
• API documentation: Yes
• API documentation formats:
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The portal has a powerful and highly configurable backend, that allows admin users to customise the service to suite their needs.; Using the API the service also allows for customisations to be done on top of it either by the client or we can assist with this.; The service can also integrate with a number of client services to make managing of users and data easier.; The service also allows for the front end to be fully branded to meet the customer branding requirements,

Scaling

• Independence of resources: Each customer has its own database and infrastructure instantiated based on agreed user volumes and activity.

Analytics

• Service usage metrics: Yes
• Metrics types: We store all information about the activity on the platform. User reports provide full user data including number of logins and time last logged in. There is a report providing information on when users have changed their profile data (providing this functionality is enabled). Other reports provide asset data and when each asset has been accessed, printed etc. Finally there is a site activity report showing the full site journey of a user, by listing each click within the portal. All reports are searchable by date, user, section and can be exported in a csv format.
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Admin users can export user data in a csv format, by running the available usage report functionality.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Mvine's uses reasonable efforts to ensure the Configured Software and the Continuing Services are always available to Customers, free of outages. "Outage” is defined as an instance where Customer is unable to transmit and receive IP packets due to failure by Mvine to provide the Configured Software and Continuing Services, excluding service failures relating to Mvine's scheduled (or unscheduled) maintenance and upgrades. An “outage” excludes a failure of the Customer premises equipment or any telecommunications access facilities connecting the Customer's premises to such equipment or facilities. ; ; Reasonable efforts are to ensure that the Average Round-Trip Latency on the Mvine network is 85 milliseconds or less. In this context, “Average Round-Trip Latency”, with respect to a given month, is the average time required for round-trip packet transfers between the Mvine network and major backbone peering points during such month, as measured by Mvine, acting reasonably. ; ; Reasonable efforts are to ensure the Average Packet Loss on the Mvine network is 1% or less. In this context, “Average Packet Loss”, with respect to a given month, is the average percentage of Internet Protocol packets transmitted on the Mvine network during such month that are not successfully delivered, as measured by Mvine, acting reasonably.
• Approach to resilience: Mvine uses a number of secure service providers including AWS and ISO27001 compliant data centres based on client requirements
• Outage reporting: Email alerts via Zabbix monitoring system + Zabbix monitoring dashboard. CTO and senior IT developers are alerted to any issues / outages and have strict protocols to notify internal staff members if a critical / P1 outage arises. The Incident Management process is enacted and documented until incident closure within the post-mortem review meeting.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is strictly reviewed with the senior management team before staff is granted access. This is also part of the compulsory monthly ISMS meeting reviews with senior management in accordance to ISO27001 protocol standards. Access to various systems/platforms are controlled via physical access, role-based access, policy-based access, which enforces strict access policies; a "zero trust" mindset. Mvine actively monitors and tracks those with access to sensitive information, restrict access when necessary, monitor privilege abuse, and develop and implement strong password policies. If requested, all relevant information can be found in Mvine's policy 'MVPD Access Control Policy SEP 23 V1.5'
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA
• ISO/IEC 27001 accreditation date: 27/09/2022
• What the ISO/IEC 27001 doesn’t cover: Applicable to the provision of design, maintenance and support of websites, mobile apps and federated identity platforms for clients.; ; Not applicable to:; ; Equipment siting and protection, Supporting utilities, Cabling security, Equipment maintenance, Removal of assets Equipment, information or software shall not be taken offsite without prior authorization, Security of equipment and assets off-premises, and Segregation in networks.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • NHS Digital Data Security and Protection Toolkit
  • Ico GDPR
  • Amazon AWS Qualified Software

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO27001 certified in September 2022. Annual audit of ISO27001 takes place, along with ISMS monthly meetings with senior management. Internal policies are updated every 6-months [September and March] and mandatory staff refresher training is provided during these months. ; ; Monthly staff notifications and documentations of IT equipment and version control in adherence to IASME, Cyber Essentials and Cyber Essentials Plus.; ; If requested, all relevant information can be found in Mvine's policy 'MVPD-ISP001 Information Security Policy SEP 23 V3.7'

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: A Change Management Process is used to ensure that every change identified is formally:; • Communicated; • Documented; • Reviewed; • Approved; • Implemented; ; Change Management will be introduced to a project through the implementation of five key processes:; 1. The submission and receipt of change requests; 2. The review and logging of change requests; 3. The determination of the feasibility of change requests; 4. The approval of change requests; 5. The implementation and closure of change requests.; ; If requested, all relevant information can be found in Mvine's policy 'MVPD Mvine Change Management Process SEP 23 V3.3'
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Minor: Errors that are not disabling or cosmetic and have little or no impact on the normal operation of Mvine; ; Moderate: Certain non-critical features of Mvine are impaired or are not consistent with the Specification but there is a workaround and is operational and work can continue.; ; Serious: Operation of Mvine is severely degraded or major components of Mvine are not operational and work cannot reasonably continue.; ; Critical: Operation of Mvine is severely degraded or non-functioning and work cannot continue; ; If requested, all relevant information can be found in Mvine's policy 'MVPD-ISP022 Vulnerability Management Process SEP 23 V5.4'
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Mvine monitor sources of information relating to threat, vulnerabilities and exploitation techniques relevant to our services with active Zabbix monitoring through our internal threat intelligence team.; ; Mvine considers the severity and impact of threats and vulnerabilities within the context of the service and use this information to prioritise the implementation of mitigations. Identified vulnerabilities are continuously tracked until mitigations have been deployed using our applicable change management process.; ; If requested, all relevant information can be found in Mvine's policy 'MVPD-ISP022 Vulnerability Management Process SEP 23 V5.4'
• Incident management type: Supplier-defined controls
• Incident management approach: Incident management processes are in place throughout the Mvine service and are actively deployed in response to security incidents. ; ; Mvine has pre-defined processes in place for responding to common types of incident and attack.; ; Mvine has defined processes and contact route exist for customers and external entities to report security incidents and vulnerabilities.; ; Mvine will inform clients if they detect a security incident that affects client data in an acceptable agreed timescale.; ; If requested, all relevant information can be found in Mvine's policy 'MVPD-ISP008 Security Incident Management Policy SEP 23 V1.4'

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  As part of our Most Economically Advantageous Tender based evaluation criteria

  Wellbeing

  As part of our Most Economically Advantageous Tender based evaluation criteria

Pricing

• Price: £40,000 an instance
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at accounts@mvine.com. Tell them what format you need. It will help if you say what assistive technology you use.