INSTANT SYSTEM

Move

White label MaaS solution for public authorities and public transport operators.
The solution consists of a mobile application including a multi-modal real time/predictive journey planner and real time information about transports used by citizens and a back office for the authority/PTO to manage the app.

Features

• Real time transport information
• Journey planner: intermodal, multimodal, real time
• InApp ticketing system for public transport
• Step-by-step guidance
• Mobility services booking
• White label

Benefits

• Using real time information to optimize commuting
• Using a white label app to promote public transport
• Using the app to inform, book and pay mobility services
• Using the app to manage the city's mobility policy
• Smarter way to commute using mobility services

£18,900.00 to £500,000.00 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at appels-offres@instant-system.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

935226436969635

Contact

Alexandre Durand
+33 (0)6 03 44 57 24
appels-offres@instant-system.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The service supports only GTFS format theoretical timetables.; The customer must have a "store" to publish the mobile application.
• System requirements: GTFS format theoretical timetables

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within a week.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: No onsite support.; ; A dedicated team in our organisation is in charge of issues and support request handling. Support team is organised following ITIL recommendations : Level 1, 2 and 3; Level 1 and 2: acknowledgement of requests, configuration issues, configuration assistance, customer assistance; Level 3: bugfix involving development teams; ; Dedicated team and dedicated tool (Redmine) ensure that all requests are acknowledged and processed regarding Service Level Agreements.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: The Customer Success Manager (CSM) in Instant System is in charge of the contract and is your preferred point of contact for every questions. He will help customers start using the service. Support team is in charge of handling customers assistance requests after the service has started.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: At the end of the contract, upon request, the user may retrieve its datas in a CSV format that can be easily imported elsewhere.
• End-of-contract process: At the end of the contract, the service is stopped, Apps are no longer available in the Stores, all data are cleared.; We send back the Stores certificates.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The only frontend is a dedicated mobile application.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The back office is the buyer's interface. It allows to add a launch screen on the app, manage notification push and detailed messages through the app.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Use of JAWS, a dedicated tool for text to speech websites.
• API: Yes
• What users can and can't do using the API: Our mobile applications are based on our APIs which allow to plan journey, locate mobility service providers or book mobility services.
• API documentation: No
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: INSTANT System provides white label solutions. The mobile application has to be branded with the customer's name, logo and color.; Only INSTANT System can customise the app before launching it.

Scaling

• Independence of resources: Each tenant is allocated specific resources constraints. For each application in the tenant namespace, we guarantee a given amount of memory and cpu based on the application scope and we set a limit that can't be exceeded. We rely on native Kubernetes features to ensure those constraints are enforced.

Analytics

• Service usage metrics: Yes
• Metrics types: Business data (Stops, Lines and many data related to mobility) and behavioral data (Retention rate, conversion funnel, insights ...)
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: CSV exports are available from the back office platform.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: IP filtering.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Infrastructure is monitored and can benefit of an high availability level (99,90%) with a 4h guaranteed service restoration time.
• Approach to resilience: The system is hosted at Google Cloud Compute Engine (https://cloud.google.com/compute/sla), based on Kubernetes technology (https://cloud.google.com/kubernetes-engine/sla) provide very high reliability and security.; Disks and databases are managed by Google: they are encrypted, redundant and backed up twice a day to ensure no data loss.; ; SLAs are controlled by the host, and by Instant System with the StackDriver tool.; A SLA is in place in case of a serious incident on the system.
• Outage reporting: Various runtime metrics are collected for monitoring purposes, such as cpu and memory usage, latency. When those metrics exceed a certain threshold ops are alerted and take appropriate measures if needed to bring the services back to their optimal state. ; ; Similarly, we monitor the liveness of both our services and third-party services. When either our service or a partner service become unresponsive, we receive an alert on a private slack channel. If the issue can’t be resolved in a timely fashion, we escalate the problem and notify our users. ; ; All collected metrics are consolidated into private dashboards provided by a self-hosted Grafana instance.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Users connecting to the application to plan a journey don't need to be authenticated to do so.; Our customers managing the backend platform need to authenticate through a user name and password (at least 8 characters, 1 upper case and 1 specific character).
• Access restrictions in management interfaces and support channels: We restrict access in management interfaces and channel support by using user names and passwords.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Every standard GCP complies with.
• Information security policies and processes: Internal user processes require a code review at the coding level by the security manager. The code is therefore not validated if it represents visible flaws. The code is regularly audited either by decompilation or pentest. The last intrusion tests (Pentests) were performed by customers at the end of 2019. ; The level of authorization of users is centralized and procedures exist for the arrival of people, departures and role changes. Access to clusters or volumes containing sensitive data is regulated. Access is by name. Internal operations on data and clusters are logged. All users have a double authentication required at login, and cluster administrators have a double authentication with a token. Access to the production cluster is only possible from a restricted IP list. The backup sets are not all accessible by the same person in order to avoid intentional data deletion.; The rules are regularly checked by an automatic process.; ; User rights are limited per profile in the company. The assignment of a new right (to a group of users) is submitted to the security manager for repeal.; Connections to sensitive partners (such as ticket holders) are IP-filtered. Roaming users go through a dedicated VPN to access remote resources.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We use Jira to track change requirements. Product features are described and tracked in Jira. Code is versioned in Git (Bitbucket Cloud). We’ve set up webhooks to allow both tools to collaborate efficiently. ; ; We follow Git best practices and implement a variant of Git Flow. For each feature created in Jira, we open a feature branch named after the jira ticket id. Before merging the feature branch in the master branch, change goes through a peer review process and a CI build.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Code is statically analyzed with Sonar every two days to check for any security issue and our container images uploaded to Google Container Registry are scanned for additional security issues. We also explore implementing runtime analysis through Arachni.; ; When a security threat is detected, we go through a Hot-Fix process if the problem is not critical. A hot-Fix can be deployed in a matter of hours.; ; If the problem is critical and requires further analysis, we can rollback to a previous version that doesn’t exhibit the same issue. ; ; We can also disable a service altogether (mark it unavailable) if necessary.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Code is statically analyzed with Sonar every two days to check for any security issue and our container images uploaded to Google Container Registry are scanned for additional security issues. We also explore implementing runtime analysis through Arachni.; ; When a security threat is detected, we go through a Hot-Fix process if the problem is not critical. A hot-Fix can be deployed in a matter of hours.; ; If the problem is critical and requires further analysis, we can rollback to a previous version that doesn’t exhibit the same issue. ; ; We can also disable a service altogether (mark it unavailable) if necessary.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We provide a dedicated webapp (self-hosted Redmine instance) through which users can report incidents and requests new features. ; ; Whenever users report an incident in Redmine, a new jira ticket is created. Those tickets are handled by a specific Support team (L1, L2) who's responsible for evaluating them and either hangling them if possible or redispatching them. ; ; At the moment we don’t have any dedicated channel through which we report incidents. Critical incidents are reported directly via either email or phone.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Other
• Other public sector networks: Local public transport network

Social Value

• Fighting climate change:

  Fighting climate change

  From an environmental point of view, our Move MaaS platform allows:; 1. a carbon gain estimated at 1.8kg of CO2 avoided per user per trip.; 2. an energy gain estimated at 1.5 kWh avoided per user.; 3. a reduction in air pollution in the urban areas where the solution is deployed. ; Indeed, by allowing a total simplification of the act of purchasing and consuming public transport and shared mobility in the territory, Move makes it possible to accelerate the transformation of users' travel habits, moving from the use of the private car to public transport, active mobility (walking, bicycles and scooters, electric or not), shared means (carpooling and car clubs), or the car in intermodality, combined with park-and-ride facilities and public transport. These estimates come from an environmental impact study carried out by Carbone 4 for Instant System.
• Covid-19 recovery:

  Covid-19 recovery

  By integrating a public transport mTicketing system in our Move application (Scope 2 of the product), the system allows passengers to buy and validate their public transport tickets within the app, avoiding contact with vending machines and bus drivers.; People then feel more safe and confident in getting back to the public transport network, which helps bus operators in recovering from the covid-19 pandemic and its financial impact.
• Wellbeing:

  Wellbeing

  As also mentioned in the "Fighting Climate Change" section, our Move MaaS platform allows:; 1. a carbon gain estimated at 1.8kg of CO2 avoided per user per trip.; 2. an energy gain estimated at 1.5 kWh avoided per user.; 3. a reduction in air pollution in the urban areas where the solution is deployed. ; Indeed, by allowing a total simplification of the act of purchasing and consuming public transport and shared mobility in the territory, Move makes it possible to accelerate the transformation of users' travel habits, moving from the use of the private car to public transport, active mobility (walking, bicycles and scooters, electric or not), shared means (carpooling and car clubs), or the car in intermodality, combined with park-and-ride facilities and public transport. These estimates come from an environmental impact study carried out by Carbone 4 for Instant System.; This means cities with less pollution, congestion and noise.

Pricing

• Price: £18,900.00 to £500,000.00 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at appels-offres@instant-system.com. Tell them what format you need. It will help if you say what assistive technology you use.