GatenbySanderson Ltd

GatenbySanderson 360 degree feedback system for feedback and development

Highly customisable online 360 feedback questionnaire, for participants and their nominated reviewers. Automated individual reports with benchmarks, plus organisational aggregate outputs. Use your behavioural content or GatenbySanderson’s proprietary Altitude leadership model for public sector leaders / executives. Use for individual or group leadership development/ audit, talent management, performance appraisal, coaching.

Features

• Bespoke fully managed 360 platform assessing your behaviours, values, competencies
• Or use our extensively researched public sector leadership excellence model
• Exceptionally flexible and customisable content, reporting and functionality
• Multi-rater feedback 24/7: manager, reports, peers, external stakeholders, others
• Contributors pre-set and uploaded, or nominated by the reviewee
• Real-time organisational and individual reports featuring benchmarks
• Branding options available with video content where required
• Fully managed UK-based service with automated email invitations and reminders
• High browser compatibility: desktop, tablet and mobile responsive/optimised
• Specialist support via account manager, email / telephone helpdesk

Benefits

• Enhance leadership capability audits, coaching, talent/ development/ succession planning
• Grounded in extensive, continuous research benchmarking public sector leadership success
• Exceptional capacity to customise, tailored to your requirements cost-effectively
• No licence fee: fully managed service with clear pricing
• Drives behavioural change through self-awareness and understanding strengths and weaknesses
• Tailored aggregate reporting supports strategic organisational / HR planning needs
• Guaranteed anonymity of responses supports open feedback, enhances developmental outcomes
• Enhanced completion rates: 24 hour remote access, mobile optimised/ compatible
• Convenient, rapid access to reports; unique, secure GDPR compliant delivery
• Optional psychologist support designing content or facilitating feedback / coaching

£49 to £89 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@gatenbysanderson.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

944343696286628

Contact

Charlotte Jourdon
07530 578920
tenders@gatenbysanderson.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: We keep service down-time to a minimum. For scheduled server maintenance, we display a prominent banner on all our websites, advising of maintenance for a minimum of 24 hours prior, and schedule maintenance for out-of-hours (generally after 11pm). We plan ahead to ensure we identify maintenance windows and timeframes that avoid or minimise client or user disruption.
• System requirements: A modern web-browser with javascript enabled

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 9 to 5.30 (UK time), Monday to Friday, typically within 24 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We can offer a varied level of support depending upon the client requirements. This could relate to configuration options, customisation requirements or assistance relating to execution of activity. We provide a technical account manager and prices over and above our standard offering will be a cost per hour basis, dependent upon the seniority of personnel required. Many aspects of support are included in our standard fees, as outlined in our pricing document.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: An account manager and project coordinator are assigned to each new client project. The project plan will include the process for launch, and we will work with you to ensure that all communications from both us and you are aligned. Configuration requires limited input from the client; your account manager will discuss configuration options with you and provide a test link for your approval once set up. The platform is intuitive and no training is required for those completing the 360. Telephone / online helpesk support is available to all completing the 360. If required, at additional cost, we can run sessions to meet your needs, such as: training your internal team in feedback of 360; orientating individuals to the reports and how to make best use of them; or our psychologists / coaches can facilitate 360 feedback sessions for you. Post launch, the account team are available to answer any questions or provide support to ensure successful implementation of the system.
• Service documentation: No
• End-of-contract data extraction: At the end of any contract, we can provide CSV files of relevant data. Individuals can request copies of personal reports for tools where that is applicable. Where individual data is required to be deleted, we retain anonymous, aggregate data for benchmarking and reporting purposes.
• End-of-contract process: At the end of the contract, we remove user access to the system and can provide CSV data as required, as well as a copy of any website content. There is no charge for this service. Individual users can still access their dashboards (and any personal reports delivered there) but will not be able to access the 360.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Uses a responsive-html design that scales and re-layouts the design for mobile and tablet users.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: We offer a wide range of customisation options.; ; Our white label product comes with our own set of standard 'Altitude' questions, with many customisation options as standard. We will discuss your requirements at project set-up and implement changes.; ; Options include; selection of question levels/competencies from the Altitude model; creation of bespoke 360 using your own question content; mapping of your behavioural/values frameworks to Altitude; email content; all wording throughout; client logo/branding; labels for/addition of contributor categories; setting minimum contributor numbers; adding cohort benchmark on reports; rating scales and descriptions; timing/schedule for reminder emails; customisation of reports; add organisation-specific 'biodata' questions to track organisational patterns on the factors that matter to you (i.e. grade / department etc).; ; Many customisation options are included as standard. Please see pricing document for more details.

Scaling

• Independence of resources: We review each project to gauge expected load and determine whether separate server(s) are required or whether a shared server is more cost effective for the client. We routinely monitor the performance of server(s) and take appropriate action to negate any potential disruption.

Analytics

• Service usage metrics: Yes
• Metrics types: Our managed service and dedicated account team can provide real-time information on completion rates for both participants and their reviewers (not started / started / completed) and nomination rates (i.e where individuals are expected to nominate their own reviewers, whether they have done so and whether they have met any agreed minimums set).
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Data submitted by participants and contributors can only be accessed and/or modified by themselves or within our administration system (requiring a username and password). Passwords are encrypted with bcrypt hashing; Other data is not encrypted due to reporting and analytics requirements. The RDS is encrypted at rest
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Participant data can be exported as CSV files.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our service commitment is 99.9% during office hours. If we fail to reach this level, we would consider the impact upon the client business and agree a level of compensation based upon refunding monthly subscription charges
• Approach to resilience: Daily backups of the RDS are taken daily and retained for 30 days. Our deployment process is also automated so in the event of failure we are able to restore environments in a short period of time. Our service is also monitored to detect any suspicious activity or high traffic volumes.
• Outage reporting: For any outages, we would promptly contact affected clients by telephone or email (depending on time and severity). Public notification would be via our twitter account, and if possible our website(s).; ; Once an outage has been resolved we will investigate the cause and provide an explanation of what happened, with a timeline, and what changes we will be making to avoid a similar outage in future.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: We have a separate internal administration system, currently this is username/password based (with password strength enforced with 'zxcvbn'). Some parts of the system currently require a signed client-side certificate to view.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA
• ISO/IEC 27001 accreditation date: 25/10/2022
• What the ISO/IEC 27001 doesn’t cover: A.14.2.7 Outsourced Development
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials + Certified

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials + Certified; ISO27001 and ISO27701
• Information security policies and processes: We have Data Protection and Data Security Policies that form part of each employee's formal induction process as well as maintaining an ongoing risk register. We formally record when induction modules are complete. Additionally, we communicate any ongoing requirements to protect ourselves from vulnerabilities. This includes reminders about the use and care of laptops and mobiles also the importance of password security.; ; More formally, colleagues are warned of the potential disciplinary action of failing to adhere to these policies and procedures which could result in the termination of employment. As soon as colleagues leave the business, we terminate access rights and delete accounts.; ; All admin pages and logins are via HTTPS and we use HSTS and public-key-pinning to protect and warn users against attempted man-in-the-middle attacks/insecure internet connections.; ; Our policies include:; Cyber security and Data Protection Policy; IT Security Standard; Acceptable Use Standard; Physical Security Standard; Data Security Standard; Risk Management Standard; Incident Management Standard; 3rd Party Supplier Due Diligence; Joiner, Mover, Leaver Process

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change requests and bug reports are directed to defined product owners who evaluate, prioritise and document changes adding them to product backlogs, which are then scheduled into the development cycle.; ; Code is versioned and branched in a git repository, following the Git-Flow practice of feature branches pull-requested into a develop branch, and releases performed on the master branch. Merges into develop and master branches (and deployment to servers) are restricted to the head of development. Testing is performed on the developers' own machines (using virtual machines) and on a staging server before deployment to live servers.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We pro-actively gather information on potential threats from email subscriptions to http://cve.mitre.org & https://www.us-cert.gov/ncas/alerts , along with regular checks of https://www.reddit.com/r/netsec.; ; New alerts are assessed for whether they affect us, For deployment we automatically apply patches to servers on a regular basis to resolve any exploits. If there is a way of mitigating against them (eg rewrite-rules, config changes) we will apply protection to the servers ourselves asap. We will then audit servers to confirm that the exploit had not been used against us.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In terms of our web server, AWS provide us with the monitoring capabilities to monitor access to the servers and inform us immediately if they see any suspicious behaviour. We routinely audit server logins and server errors to identify suspicious behaviour.; ; We are registered with relevant news sites/forums that quickly identify vulnerabilities. We have a fast action response where the Head of Development will allocate and oversee resource to close off any vulnerabilities.
• Incident management type: Supplier-defined controls
• Incident management approach: Users report incidents via phone and email, and these are forwarded directly to the Development team. We deploy the Development team to investigate incidents, exploits or areas of vulnerability and whether a breach as occurred. Vulnerabilities are closed. We have a central breach register, which documents a formal communications plan to inform individuals, organisations and regulators of the potential compromise.; Breaches of security are formally reported at Board Level and documented in monthly board reports. Remedial action required is agreed and executed within specific timeframes. Learnings are documented and any change to best practice implemented.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Being fully online, our tool supports paperless working and lowered carbon emissions as no travel is involved. As an organisation, GatenbySanderson is committed to minimising any negative effects that our business and facilities may have on the environment. We have our own Carbon Reduction Plan in place, and other initiatives include: ; ; Online client reporting (rather than paper-based) and reduced fees to those clients who use this method. ; ; Video conferencing to significantly reduce internal travel. ; ; Movement sensitive lights in meeting rooms and within our main office areas. ; ; Recycling of paper, cardboard plastic and tin. ; ; Our company policy is for staff to use public transport wherever possible. Our offices are purposely close to major railway stations.

  Covid-19 recovery

  Our tool can be incorporated into Covid-19 recovery plans, as it is fully secure online and remote delivery, providing all users with ease of access no matter their shielding status, caring arrangements, or working pattern. Supporting staff, and especially managers to understand how their behaviour impacts on others in the new hybrid working world post-pandemic has become increasingly important. Our 360 feedback system will support individuals to understand how they can work effectively with others, and gather feedback from the teams they manage to support them in ensuring success in the a post-Covid world.

  Tackling economic inequality

  GatenbySanderson works exclusively within the public sector and our purpose is to ‘help shape a better society’ through our work at local level to bring the best talent into communities. Many of our roles revolve around economic development, enterprise and social cohesion and we are experts in these areas. As an advisory business, we have a small number of suppliers and aim, wherever possible, to use local ethical businesses based close to our offices. We conduct due diligence on our supply chain and are compliant with the Modern Slavery Act. As an organisation, we recognise the importance of data security and risk management to supply chain security, and are Cyber Essentials + Certified (ISO27001 and ISO27701), with all colleagues at GS receiving significant training on cyber safety and using two-factor authentication. ; ; Each member of staff can utilise two working days to participate in community causes. We also promote opportunities centrally to encourage staff to make full use of these opportunities, and as an organisation we select a ‘charity of the year’ to fundraise for. We encourage colleagues to volunteer at local schools, running mock interviews, to support student development and prepare them for HE or life after school, no matter their background.

  Equal opportunity

  GS is a diverse and inclusive organisation, with an extensive programme of diversity training across the organisation, spearheaded by a dedicated Head of Diversity and Inclusion. We are proud to be a Disability Champion, signed up to the Halo Code and Race at Work Charter, and with four thriving affinity groups: Women, Race, LGBT+, and Disability. Each group have their own Chairs and Exec Sponsors, along with frequent collaboration with HR and Marketing to support and engage the wider GS community and advise on our policies and processes. Our level of engagement across the organisation through a number of forums has aided us in achieving our GOLD Investors in People Award. ; ; Though fully online, this does not mean that those with less technological experience are at a disadvantage using our tools, as our friendly and knowledgeable project co-ordination team have significant experience troubleshooting and walking users through the process if needed. We similarly have experience in advising on reasonable adjustments as and when required.

  Wellbeing

  As an organisation, we encourage everyone to be a leader of ‘self’ and make working at GS work for them, with fully agile working policies and mobile working contracts. We do not engage in any zero-hours contracts and pay close attention to mental health and wellbeing, with our number of accredited Mental Health First Aiders above the suggested level. ; ; We can provide suggested feedback guidance to ensure that the 360 feedback is inclusive, specific and growth-focused, in line with our best practice research, to minimise any unconscious bias and allow all users – no matter their background – to thrive and grow in the workplace.

Pricing

• Price: £49 to £89 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@gatenbysanderson.com. Tell them what format you need. It will help if you say what assistive technology you use.