Phew

Learning Management System

Phew’s Learning Management System (LMS) is built to make a big social impact. This industry-leading software system is proven to save professionals time and resources, adding to an organisations value and efficiency.

Features

• Real-time reporting
• Cloud based
• User friendly
• Central hub
• Automation of administration tasks
• Flexible and transparent licensing
• Optional eLearning add-on
• Anytime, anywhere learner access

Benefits

• Dynamic reporting
• Time saving
• Connection with all stakeholders
• Positive impact on learning welfare and learning outcomes
• Delegate self-service and profile management

£8,200 an instance

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@phew.org.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

957892512046004

Contact

Matthew Burgess
01234779050
sales@phew.org.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: N/A
• System requirements:
  • Access to Internet Browser
  • Wifi Access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Phew offers a four-hour SLA for response to cases raised via Support within business hours (9am to 5pm weekdays). In addition, our systems offer full online manuals, how to guides and video explanations. We have numerous troubleshooting guides for administrators to deal with common user-related problems, which usually relate to password recovery and access to certificates. All of these can be accessed by the administrator following training.; Support can be accessed via email and telephone.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Support is included with the LMS License costs. ; ; Phew offers a four-hour SLA for response to cases raised via Support within business hours (9am to 5pm weekdays). ; ; Online training is provided to the organisation and access to our Knowledge Base granted. Trained users also have access to our Support Desk via email or telephone . ; ; A dedicated Account Manager would be assigned to the organisation.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Following an online demo, the platform is built remotely. Online training is then provided to the organisation and access to our Knowledge Base granted. Trained users also have access to our Support Desk.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Reports can be downloaded.
• End-of-contract process: If a client terminates a contract, written notice is required with a minimum of 30 days notice. The client is advised to download all reports and databases from the system. 30 days after the contract is terminated all data is removed and securely destroyed in line with our Data Retention policy. There is no additional charge to terminate a contract providing all outstanding invoices are paid.; Additional training can be purchased at a cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Our systems are accessed as an online service from any conventional desktop, tablet or mobile web browser.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: Branding and questions can be customised by the client. Branding is added as part of the build by the Phew technical team. ; Organisation's courses can be added by admin - we do not provide course content.

Scaling

• Independence of resources: Our hosting service operates a 99.9% availability and monitor CPU disk usage as part of internal control dashboard and critical maintenance process.

Analytics

• Service usage metrics: Yes
• Metrics types: Monthly license usage reports
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: We use AES-256-CTR algorithm for symmetric encryption and the RSA algorithm for asymmetric encryption via the well established 'Defuse' PHP package
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Download as PDF or Xcl.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Our hosting service operates a 99.9% availability.
• Approach to resilience: The Phew solution is cloud-based and hosted within UK datacenters. Phew can demonstrate compliance with the NCSC cloud-based principles and the GSC Policy underpinned by our ISO 27001 and Cyber Essentials Plus accreditations. Level 3 DDOS Mitigation and 7 layers of physical security are in place in our data centres.
• Outage reporting: All services have a 24-hour internal monitoring dashboard, any outages are notified internally. Outages are managed via our critical process. External client lead contacts will be notified of any incidents and have regular updates.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access on product is provided to identified super administrators. Restricted employee access is provided for maintenance and support. Access is password restricted to all users. Audit of logged activities is recorded.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 30/06/2020
• What the ISO/IEC 27001 doesn’t cover: While ISO 27001 provides a framework for addressing information security risks, it does not guarantee complete immunity from security breaches or incidents. Therefore, while we strive to align our practices with ISO 27001 standards, it's essential to recognise that certification does not address every aspect of our organisational risk or operational compliance.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: As a company accredited with ISO27001, we adhere to a comprehensive set of information security policies and processes to protect sensitive data and maintain system integrity. Our policies encompass access control, data encryption, incident response, risk assessment, and ongoing monitoring. We enforce strict access controls to prevent unauthorised access, utilise encryption methods to safeguard data both in transit and at rest and maintain a robust incident response plan to address security breaches promptly. Regular risk assessments and audits are conducted to identify and mitigate potential vulnerabilities, ensuring compliance with ISO 27001 standards and the continual effectiveness of our security measures.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: When the change has been approved to work on it will be; retained to our work tracking system. Released logs are retained and online notifcation is provided to administrators within the platform. ; During development lifecycle changes to the service are assessed for potential security impact within our testing and QA process. Changes to platform are made to be least disruptive to service. Should on occasion the service require to be taken offline formal prior notice will be provided to users and scheduled with least disruption to service.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our vulnerability management identifies, prioritises, and mitigates vulnerabilities in an organisation's systems and networks to reduce the risk of cyber attacks and protect against potential threats. Our platform is monitored 24/7 and alerts business with a traffic warning of risk. The security measures in place will identify online threats such as brute force or denial of access which will immediately restrict IPs . Identified vulnerabilities identified by crest accredited annual penetration testing, monthly penetration automated reporting, monthly maintenance and update alerts will be assessed on risk and deployed patches executed in timely manners in accordance to risk.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our approach is underpinned by our standard ISO/IEC 27001:2013 requirements. Monitoring tools are in place to report any potential comprise to service via dashboard, online channels and email alerts. Scheduled monthly checks of audit logs are retained for 30 days, the audit logs of activities can be analysed promptly during an identified incident of concern. Incidents are promptly responded to. Immediate action to maintain security, communication plan internally and to external users is activated. Action is taken to resolve and future prevent reoccurrence following investigation.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Our approach is underpinned by our standard ISO/IEC 27001:2013 requirements. An incident management processes are in place for the service and are actively deployed in response to security incidents. An incident report is created at point of identification and communication internal and to users is activated. Timely updates are made as part of the communication plan until resolve and following further investigation. Communication plan accommodates the manner of the incident and to whom. The product has an alert system for users, internal process in place for communicating to senior management, regular interval email report and phone calls to clients.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  As a cloud-based system, our service contributes to fighting climate change by promoting energy efficiency through the use of optimised data centres and renewable energy sources. By reducing the need for on-site hardware and dynamically scaling resources based on demand, our service minimises energy consumption and carbon emissions. Overall, our cloud-based system supports sustainable practices and aligns with efforts to mitigate the impacts of climate change.

  Covid-19 recovery

  By encouraging remote and flexible working conditions, our service supports efforts to adapt to the challenges posed by the pandemic. This can help businesses maintain operations

  Tackling economic inequality

  We support local businesses, and recycling equipment, and contribute to charities that help less fortunate people in our community, this demonstrates our commitment to addressing economic inequality. These actions contribute to local economic development and support marginalised groups.

  Equal opportunity

  Our strict equal opportunity policy ensures fairness and exclusivity within the organisation, promoting diversity and providing equal opportunities for all employees regardless of their background, beliefs or identity.

  Wellbeing

  We offer healthcare benefits, electric car schemes, life assurance, and promoting work-life balance contributing directly to the well-being of our employees. These initiatives help in fostering a healthy and supportive working environment.

Pricing

• Price: £8,200 an instance
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@phew.org.uk. Tell them what format you need. It will help if you say what assistive technology you use.