Truespin Digital Limited

Sums.org Grant Management Platform

A powerful & affordable solution for UK-based commissioners, funders and grant givers.

Sums.org is designed to help you facilitate and keep track of all your commissioning and grant making activity, allowing you to manage and oversee unlimited budgets, recipients, agreements and performance with ease.

Features

• Build online funding application forms via a drag-and-drop interface
• Deploy fully brandable, online Funding Hubs
• Review applications online with colleagues and external stakeholders
• Monitor spend against unlimited budgets and custom policy areas
• Manage bids and agreements via a simple but flexible UI
• Scheduling and recording of payments
• Automated scheduling and recording of provider performance
• Easy sharing of real-time dashboards and data
• Multi-user collaboration
• Document and email templating system

Benefits

• Access your data from any device from anywhere
• Understand the position of all your budgets at a glance
• Promote public transparency with powerful data sharing options
• Improved experience for those applying for funding
• Improve management oversight of funding activity
• Prevent administrative delays with automatic alerts
• Retain full control of your data with comprehensive export options

£2,400 to £2,400 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@truespin.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

953057597644456

Contact

Damian Markland
07807089415
hello@truespin.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: We aim to achieve a Monthly Uptime Percentage of at least 99.5% for any calendar month. Users are notified of any scheduled maintenance in-advance and such work is undertaken outside of business hours.
• System requirements: Sums.org is compatible with any modern web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support is available, Monday to Friday.; ; We use all reasonable endeavours to resolve issues raised through the Support Services promptly, and in any case in accordance with the following time periods:; ; (a) critical: 4 Business Hours; (b) serious: 1 Business Day; (c) moderate: 4 Business Days; (d) minor: 10 Business Days
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: All account holders are able to log issues and bugs from within their account. When logging a request, the user can specify the criticality of the issue which will determine prioritisation for support.; ; Available criticality levels are: minor, moderate, serious and critical.; ; There are no additional costs associated with support.; ; We do not offer clients a dedicated technical account manager, but support is always available when needed.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Users are able to create their own account by completing a short form. Once approved, the account can be accessed immediately via username and password.; ; The software includes a support portal, which introduces new users to the available functionality.; ; Online training is provided to all new users purchasing a professional package. This includes an initial session and a follow-up session to address any issues that arise in the initial months.; ; Day-to-day support is also available by email and phone.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Users can download all or selected elements of their data at any point. Data is exported in a CSV or JSON format, depending on the specific data being extracted.
• End-of-contract process: At the end of a contract and if a user chooses not to renew, the account owner will be provided instructions explaining how to extract all their data from the system. Additional support can be provided to undertake this process, if required. There are no additional costs associated with the end-of-contract process.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The platform embraces responsive web standards and remains useable on any modern device. The mobile and desktop layouts make use of exactly the same assets which are scaled according to screen size.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The service is accessed via web-based front-end. Users are able to browse data in a variety of formats, including dashboards, data tables and reports, complete with filtering and search options. Data can also be exported in a variety of formats for offline processing.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: The service has been tested by users of assistive technology across its customer base to ensure ease of use.
• API: No
• Customisation available: Yes
• Description of customisation: The platform can be customised to meet customers' grant-giving and commissioning processes. This includes custom approval stages, spend areas and options. Deployed forms and branded Funding Hubs also allow users to upload their organisational logo and custom content.

Scaling

• Independence of resources: We carefully monitor server load to ensure fast response times for users. Our hosting solution allows us to scale up server resources to meet increased demand.

Analytics

• Service usage metrics: Yes
• Metrics types: Account access logs and server uptime data.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: We make use of a UK-based ISO 27001 certified data-centre. AES-256 encryption is used to protect sensitive data and all backups.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: On all pages where user data is displayed, there is an export button that allows data to be exported for offline storage. Data can also be exported in bulk, if required.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • JSON
  • HTML
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: During the term of any paid subscription, we will use reasonable efforts to achieve a Monthly Uptime Percentage of at least 99.5% for any calendar month. If we do not meet the Service Provider SLA customers are eligible to receive credits. At the end of the paid term, the Customer will have the option to receive any credits as a monetary refund, or against the cost of the next paid term if they wish to continue using the service.; ; The full SLA can be read here: https://sums.org/sla.php
• Approach to resilience: Daily, off-site backups.; ; Use of a Linux Virtual Private Server (VPS) model, providing a high level of security.; ; Network intrusion detection system and proactive IP banning, combined with full access logging.; ; UK-based servers administered by a ISO 27001 certified, G-Cloud provider.; ; Enforced TLS, ensuring that data exchange between users and our servers is fully encrypted.; ; Optional IP address whitelisting to only allow access to account whilst using corporate network.; ; Every interaction with data stored on the platform requires a unique validation key, which is destroyed and regenerated after every user action, providing an added layer of security.; ; When sharing data between accounts or publicly, further cryptographic checks are employed in order to ensure appropriate user authorisation.; ; Sensitive user credentials such as passwords are fully hashed before being stored in our database.
• Outage reporting: We use an independent third-party service to monitor service uptime. Monthly statistics are made available to all users on their dashboard. Information about scheduled maintenance is also provided.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Users can enable IP whitelisting on their account, preventing access from non-approved networks.
• Access restrictions in management interfaces and support channels: Users are assigned configurable roles and permissions to limit or allow access to functionality within the software. Account holders can share their data with other users via a secure delegation system whilst specifying access levels.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Description of management access authentication: IP Whitelisting

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Managed Host ISO/IEC 27001 certification
  • Data Centre ISO/IEC 27001 certification

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: CyberEssentials; Managed Host and Data Centre are ISO 27001 certified
• Information security policies and processes: Use of a Linux Virtual Private Server (VPS) model, providing a high level of security.; ; Network intrusion detection system and proactive IP banning, combined with full access logging.; ; UK-based servers administered by a ISO 27001 certified, G-Cloud provider.; ; Enforced TLS, ensuring that data exchange between users and our servers is fully encrypted.; ; Optional IP address whitelisting on accounts.; ; Every interaction with data stored on the platform requires a unique validation key, which is destroyed and regenerated after every user action, providing an added layer of security.; ; When sharing data between accounts or publicly, further cryptographic (SHA-2) checks are employed in order to ensure appropriate user authorisation.; ; Sensitive user credentials such as passwords are salted and hashed before being stored in our database.; ; Policies, procedures, workflows and work instructions are managed as part of our Quality Management Standards.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The platform is designed on a modular basis, with upgrades to specific functionality isolated from the core system. Upgrades and new functionality are thoroughly tested prior to release, followed by isolated live testing with selected users. All upgrades require Managing Director approval, are communicated to users via the platform's change-log and can be rolled-back if required.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We conduct regular internal penetration testing of our platform, with external, third-party penetration testing conducted annually. Our policy is that security critical patches are deployed within 24 hours to remove any vulnerabilities discovered, with any issues further refined through the ongoing development cycle.; ; With regards to our servers, use of custom firewall rules, intrusion prevention, Anti-DDoS, VPN, Anti-malware & application security ensure a high level of data security.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use a combination of industry standard and application specific monitoring of the platform and its associated services to ensure system integrity and security. Platform and server access is captured using a number of methods including web and event logs. The application itself utilises a number of real time monitors and security logs that are used to automatically alert us of problems. Technical staff are available 24 x 7 to address issues.
• Incident management type: Supplier-defined controls
• Incident management approach: Users report incidents from within their account via a dedicated support portal (or by email if access is not possible) and these are logged, prioritised, tracked and actioned as required via a dedicated portal.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Truespin Digital is fully committed to becoming a more sustainable company. Our aim is to minimise our environmental impact wherever possible.; ; All of our data centres are certified to the international standard, ISO 14001. This standard specifies the requirements that must be met to achieve an effective environmental management system. Our data centres are also ISO 50001 accredited and compliant.; ; Examples of where this has been put into practice include the installation of LED lighting and the deployment of advanced cold aisle contained, data centre cooling systems.; ; Our data centre operations are compliant with the Streamlined Energy and Carbon Reporting (SECR) regulations.; ; Paper communications have been almost eliminated at Truespin Digital. This has reduced our impact on deforestation and the environmental effects of manufacturing and transport.

Pricing

• Price: £2,400 to £2,400 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@truespin.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.