SociaWorks CIC

Care SumFin

Care SumFin automates the delivery of paper banking statements for the audit and review of Personal Budgets and Direct Payments, facilitating greater oversight, improved care times, improved commissioning and reduced carbon footprint. The service is retail bank & payment service independent.

Features

  • Cloud Based
  • Financial Technology
  • Anonymous
  • Off the shelf
  • No install required
  • Customer defined time scales
  • Simple
  • Machine readable
  • Standardised format
  • Socially beneficial

Benefits

  • Long term support, lower upgrade costs
  • Always available
  • No GDPR Risk
  • Retail bank & Payment card Independent
  • Simple procurement
  • Audit as frequently as required
  • No training required, any user can start immediately
  • Data can be loaded into analysis engines
  • Data always arrives in the same way
  • Defined benefits for the community at large

Pricing

£15.00 to £25.00 a unit a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at matth@sociaworks.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

945408671055359

Contact

SociaWorks CIC Matthew Charles Harrop
Telephone: 07807607346
Email: matth@sociaworks.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
.xlsx extension or .csv
System requirements
  • Microsoft Office - Excel specifically
  • LibreOffice

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 1 hour during Monday to Friday 08:30 to 16:30. Additional support hours available as an option
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We have 2 support levels:
1st level support level is with SociaWorks via email and phone triage
2nd support level is escalating to software developer
Support available to third parties
No

Onboarding and offboarding

Getting started
We will provide onsite training to Public sector employees to help them understand the key system and will run initial setting up workshops for social care clients if required. The system is designed to be extremely simple and uses only off the shelf technology. Other dedicated Microsoft Excel training courses should be sought out as they would be better placed to teach the basic requirements of opening a spreadsheet, viewing the data therein and closing it again.
Service documentation
No
End-of-contract data extraction
As the data is held within a Microsoft Excel spreadsheet, all the data is easily accessible. No data is stored by the Care SumFin service: the data in the delivered spreadsheets is only retrieved from the banking system at the point of request and is never saved. The public sector entity that uses the service retains full control over its anonymised data in the Excel spreadsheets delivered. The anonymous connection data can be extracted for a period of 1 month, whereupon the data would be purged.
End-of-contract process
The automated section of the system is switched off and the Microsoft Excel spreadsheets would no longer be delivered. The anonymous connection data would then be purged and logs provided to demonstrate that deletion.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The sign-up web page is slightly larger
Service interface
No
User support accessibility
None or don’t know
API
No
Customisation available
Yes
Description of customisation
The time scales for delivery can be changed. The spreadsheets can be updated to reflect analysis and visualisation of data. In-depth financial spending analysis can take place with Geographic, time, amount and vendor data being used to facilitate better understandings of social care client expenditure. Through this, comprehensive commissioning decisions can be made to better help provision of services

Scaling

Independence of resources
The system is built upon Microsoft Azure and the banking system and is, therefore, designed with scaling in mind. If there is a scaling issue, in relation to the sending of Microsoft Excel reports, other Azure functions can be brought online to aid in the delivery of reports.

Analytics

Service usage metrics
Yes
Metrics types
We can provide feedback based on keys used which will indicate when clients make use of the service. These could be included in the audit report if requested
Reporting types
Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Tarzender LTD

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
The only saved data are anonymous connection keys and dates and times. These keys relate to connections held within the Banking system which is ISO 27001 compliant.
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
As all data is already exported on a timed schedule, decided by the purchasing organisation, there is no need for users to have a data export mechanism
Data export formats
  • CSV
  • Other
Other data export formats
.xlsx
Data import formats
  • CSV
  • Other
Other data import formats
.xlsx

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Anonymisation of Data, Azure Virtual Networks, Azure defender for cloud, Least privileged principle, CORS restrictions, Azure API Management (APIM), Azure Defender Firewalls. We also provide training for our employees and volunteers for data protection. Constant monitoring and vigilance is company policy

Availability and resilience

Guaranteed availability
A service level agreement is available that defines an availability of 95%, with major service issues rectified within 72 hours. Customers are entitled to 1% refund of monthly fee per 1% down time, below the 95%, as previously agreed.
Approach to resilience
The service is based upon Microsoft Azure. The service is designed to be as simple and easy to set up as possible. Major set up and configuration is less than a day, with testing and further security checks taking less than a week. The system contains the options for SQL failover clustering and data back-up. The banking system still contains the information being delivered, even after delivery. Data is anonymised and encrypted. No identifying data is held within the service.
Outage reporting
Key stakeholder emails will be noted and any service outage notifications, planned or otherwise, will be delivered to these email inboxes. To minimise the public footprint of the service there is no Public dashboard and no API to check.

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
Standard user accounts are created without administrator privileges. Cloud service administration accounts are limited in scope and use system-assigned identities and role-based access control (RBAC), limiting their access to only the services they require, and use standard Microsoft Entra created roles. Authentication is handled by Microsoft Entra. Through RBAC we ensure that only the appropriate personnel can see the information they need to complete their job. Audit logs are kept, and access levels and required roles are reviewed regularly.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication
Random one-time passkey

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Our company maintains its Cyber security essentials certificate and has strict policies and frameworks around cyber security. We follow the OWASP open framework towards cyber security and testing
Information security policies and processes
An internal information security policy has been designed with data security at its heart. All information has an owner and an Information Management Committee is maintained. Regular audits are conducted and their results are delivered to the Committee. The Committee is chaired by the Chairman of the company and Chief Executive Officer (CEO). Policies are followed through business reporting tools, internal audits and feedback to the policy owner (the Information Committee).

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
A private and secure GitHub is used to manage development and track changes to code. Azure Change Analysis is used to track changes in Azure Functions, Azure SQL Server and Azure Key Vault. Any development changes are staged and tested within a secure environment before being brought to production. Furthermore, activity logs are kept and monitored for each service. It is a company policy that only Microsoft libraries are used when developing and deploying any code. We also perform various security tests, including Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), to ensure services are secure.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
OWASP Best practices and procedures are used to identify and assess potential threats (Specifically the OWASP Web application security framework). When identified, issues are immediately dealt with and patches are issued as fast as possible. Information regarding vulnerabilities is generated through testing, as part of the OWASP best practice guides.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
NCSC best practices are followed in line with OWASP frameworks for the detection and identification of service compromises. Logging and monitoring are used to track changes to services. Public service users will be notified of compromises and incidents will be responded to within 24 hours.
Incident management type
Supplier-defined controls
Incident management approach
ITIL best practices are followed for IT Service management (ITSM). These include processes for incident management. Users are able to use both Phone and Email services to report incidents and a template will be used for the delivery of incident reports, delivered via email. We conduct emergency triage and then discuss severity, priority and escalation

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Due to the nature of direct payments and personal budgets requiring paper statements to be made available to NHS and local government by direct payment clients, the climate cost of current services is high. This is due to the production, shipping and management of statements and their attendant data control requirements. We have been able to automate this process and use electronic means to manage the delivery of paper statements. We have calculated that the UK can save per month, when calculated against the current total number of clients receiving direct payments and personal budgets, a total of 13,200 kg CO2. Over the course of a year this will slash the UK’s carbon footprint by 158 tonnes CO2.

Tackling economic inequality

In our preliminary research into financial technology and adult social care we found that there was a large disparity in adult social care clients in those that have skills for the digital age and those that don’t. With the drive for social care clients to use pre-payment cards, this divide has been made larger. We have sought to address this by using standard, simple interfaces and processes which can be used by those with no skills at all. Furthermore, as we are retail and payment card independent, it no longer matters if physical accessibility is an issue. These key issues are helping us to address the matters of Economic inequality by delivering a standard service regardless of income, standing or background. Finally, as we have incorporated ourselves as a Community Interest Company (CIC) we have legally dedicated ourselves to putting people before profit. Finally, through the use of our product we will be able to deliver digital banking to all enrolled in the Care SumFin service through an online banking portal, regulated by the FCA

Equal opportunity

Through interviewing social care clients, we have been able to determine that there is a considerable social and digital divide between those that are able to handle the paperwork associated with maintaining the audit records for their Direct Payment or personal budget and those that are not. We have eliminated this divide by ensuring everyone gets the same service, delivered simply and only once a year, thereby removing the need to keep paper statements. Further, the tools being used for social care clients are presented with many different accessibility options and, therefore, are able to be used by almost anyone, regardless of their abilities.

Wellbeing

There is a considerable impact, both mentally and physically, for those that receive an audit letter detailing that they must send in their paperwork. As such, a measurable impact is had upon the mental wellbeing of the most vulnerable. We have been able to eliminate this by computerising the process, thereby making a potentially month-long process take 5 minutes. This, therefore, delivers a reduction in stress (which is linked to many life-threatening long-term conditions) and helps the most vulnerable live longer more fulfilling lives.

Pricing

Price
£15.00 to £25.00 a unit a month
Discount for educational organisations
No
Free trial available
No
