JS Group

Aspire Cash

Aspire Cash is an open banking solution used by universities to make cash awards to staff and students. It is also used by other public and private sector organisations.

Features

• An open banking solution
• Payments are made near real-time
• Payment authorisation built in
• Payment parameters and limits can be set
• Audit log is provided

Benefits

• Payments can be made to students in minutes
• No need to collect or store recipients' bank account details
• Administrative time is reduced by over 50%
• Recipients can choose which account monies are paid into
• Data is provided on how funds are used by students
• Payments can be staged
• Different cohorts can receive different awards

£1,750 to £150,000 a licence

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at peter.lake@jsgroup.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

962896952035441

Contact

Peter Lake
07841367167
peter.lake@jsgroup.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: NatWest PayIT
• Cloud deployment model: Hybrid cloud
• Service constraints: Payments can only be made in GBP.; Payments can only be made to a UK bank account.; It requires a UK mobile number for 2FA.
• System requirements:
  • UK mobile for 2FA
  • Standard modern web browser support TLS 1.2 or above

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Initial response within 2 hours, weekend and bank holidays within 4 hours.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Standard email support to end users of the service. Enhanced support to service authorisers and fund managers through our account management team.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a) a dedicated project manager b) an implementation plan and c) an on-site account manager to provide training and first line support. There is full documentation available.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All data is covered by a Data Processing Agreement and users retain this data as well as providing to JS Group. For compliance reasons, JS Group retains a record of transactions after contracts ends but all data is anonymised.
• End-of-contract process: No additional costs at the end of any contract. When a contract ends, a client simply stops using our service to make payments. Any remaining funds are returned to the client with a record of all relevant transactions

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The site has been designed to be responsive to the users device display restrictions. For the end recipient laptops / tablets or mobile phones can be used to access the service. For authorisers or fund managers a laptop / tablet is recommended.
• Service interface: No
• User support accessibility: WCAG 2.1 AAA
• API: Yes
• What users can and can't do using the API: The service supports a standard SOAP API allowing accounts to be created and funds assigned. Reporting and auditing is not supported in the API this needs to be carried out within the portal.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: The service runs on a load-balanced pool of service, and that scale is dependent on load.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide metrics on the usage of our application, Aspire Cash, by users. This includes when the service is used to withdraw funds and the purpose for the withdrawal. This data is provided both in aggregate and by user cohorts.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Export functionality exists in the authorisers and fund managers portal. A restrictive set of user permissions controls it. Users run a report from a standard set of reports to export data.
• Data export formats: Other
• Other data export formats: Excel
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The service achieves a 99.8% uptime level. SLAs are agreed as part of the contract discussions.
• Approach to resilience: High availability of redundant hardware. Load-balanced clustering. High availability of redundant SAN units for data storage.
• Outage reporting: Account managers will manage outage reporting depending on its severity. Access portals have maintenance pages to inform end users.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: All users are assigned to a role type which defines a default access template for that role. Overrides can be assigned to the permissions, allowing hybrid roles to be defined.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We are working towards Cyber Essentials+ certification and follow its best practices internally.
• Information security policies and processes: Security policies are reviewed each year. Staff undergo yearly training on GDPR and Cyber Security awareness with an external training partner and take associated tests for which a minimum of 80% pass mark must be achieved.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes to configuration or coding are reviewed and authorised by line management. The project management team carries out UAT before any service change goes live.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: An independent scanning service runs vulnerability tests each month, scanning for emerging vulnerabilities in the month. Patches are rolled out depending on severity and CVE rating. Threat information comes from our vulnerability scanning service provider and Microsoft.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Automated systems monitor infrastructure and services. We monitor compliance and risks using a SIEM system. Incidents are assessed and responded to dependant on their severity.
• Incident management type: Supplier-defined controls
• Incident management approach: Users report incidents through our helpdesk ticking system. High-priority issues or risks are escalated by line management. Daily and weekly automated reporting helps with management prioritisation. Monthly board-level reporting summarises high risk or service impacting issues.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Aspire Cash is used by universities to make payments to students and the majority of recipients are Widening Participation students from low income households. The data we provide on how fuds are used allow universities to better target their financial support to address the impact of economic inequality.

Pricing

• Price: £1,750 to £150,000 a licence
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at peter.lake@jsgroup.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.