MIXD

NHS website design (Ready Mixd WordPress website)

Ready Mixd is a feature-rich, out-of-the-box WordPress solution designed specifically for NHS organisations. Ready Mixd is secure. It’s flexible and it provides an engaging, mobile friendly, accessible website solution that adheres to the NHS Design System and brings together the latest user research, design and development from across the NHS.

Features

• Configurable design to match your branding
• WCAG 2.2 accessibility compliance
• Built with WordPress
• NHS Design System components
• Responsive design (i.e. mobile friendly)
• Comprehensive feature set based on user research
• Secure online forms
• Approval and Publishing workflow
• Customise functionality to meet your specific needs
• Fast, accessible, responsive front-end code

Benefits

• Out-of-the-box WordPress website for NHS
• Combines the ease and flexibility of WordPress
• Rapid deployment and configuration
• Build on an enterprise platform designed for the NHS
• Helps NHS teams build websites quickly and securely
• Compliance with NHS Service Manual
• Compliance with NHS Identity Guidelines
• End-to-end WordPress guidance, training and support
• Fully managed WordPress hosting
• ISO27001, ISO9001 and Cyber Essentials Plus certified

£12,960 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@mixd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

968002897088048

Contact

Phil Shackleton
0113 360 8250
info@mixd.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Mixd Managed Hosting is a managed hosting platform built specifically for public and third sector WordPress websites. We provide secure hosting, maintenance, support and development services to cover all your WordPress needs. In order to provide security assurance, websites being migrated to the service must be audited by Mixd before being deployed onto the platform. Planned maintenance will be agreed in advance and any required downtime will be scheduled with timescales to suit both parties.
• System requirements:
  • Browser
  • Internet connectivity

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: For urgent priority support requests, the initial response is 1 hour. For high priority, the initial response is 2 working hours. For normal priority, the initial response is 8 working hours. For low priority, the initial response is within 5 business days.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Testing completed by our support software provider Zendesk.
• Onsite support: Yes, at extra cost
• Support levels: Support plans can be customised to meet individual client needs depending on their in-house technical capabilities with our optional support time add-ons. Please refer to the attached pricing document for support costs. Our support helpdesk is available 09:00-17:30 Monday to Friday, excluding UK public holidays for routine support requests and 24/7 for emergency out-of-hours support. By raising a support ticket, you can ask for assistance with any problem you come across, from a bug on the website to help using WordPress. All plans include a dedicated account manager and quarterly performance review meetings.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will assess your likely capacity and support requirements. Based on this we’ll recommend a combination of support options and infrastructure that we believe best meets your needs.; ; Questions about our service can be raised through the G-Cloud clarifications question process to help you make an informed decision.; Hosting, maintenance and support can be tweaked to fit your changing needs throughout the life of the contract.; ; We can also offer help with more complex migrations that may require functional changes or assurance work to be completed, as well as supporting any internal assurance work that you might need to do within your organisation.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Mixd will supply a full export of your WordPress website (including the database and uploaded files such as images and documents) on request at any time, via a request to our Helpdesk. Mixd will provide support to you and/or any authorised new supplier to migrate the site to a new environment or successfully extract data from it. Should you and/or your authorised new supplier require further assistance, we can, for an additional fee, remain involved with the migration to a new hosting environment to help you and them become more familiar with the service and complete a thorough handover.
• End-of-contract process: If you decide to move on we will maintain close contact with you throughout the offboarding process to ensure quality of service from beginning to end. We will arrange a meeting to discuss the date you want to leave and outline the steps we will need to take in order to provide you with an export of any data required. Our Change Control Procedure outlines the process we would follow including; migration of any data, decommissioning your service, liaison with other suppliers (if required) and issuing final invoices. Usually, the off-boarding process will take a few weeks.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no differences. Users can use whatever device or browser they choose to use. We use responsive design to make sure your site works on different browsers and devices.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The WordPress REST API provides an interface for applications to interact with your WordPress site by sending and receiving data as JSON (JavaScript Object Notation) objects. It is the foundation of the WordPress Block Editor, and can likewise enable your theme, plugin or custom application to present new, powerful interfaces for managing and publishing your site content.
• API documentation: No
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: You can customise the colours and logo of the Mixd Intranet to match your organisation's branding. You also have full control over all content pages and we can further customise and extend the site structure and functionality as required. Our default modules can also be disabled if not required. Costs are reflective of our existing Mixd Intranet framework and are based on using existing components and functionality. If you want to change how something works or add new functionality, we will agree to a revised project fee to reflect the additional work.

Scaling

• Independence of resources: All sites are served via a world-class Content Distribution Network, ensuring our service can cope with significant increases in demand. As part of our dedicated hosting tier, we have strict separation of customer instances, ensuring an increase in demand from other users of our Mixd Managed Hosting service does not affect your site.

Analytics

• Service usage metrics: Yes
• Metrics types: Administrators may see reports on what terms staff are unsuccessfully searching for and what’s most popular, providing insight that enables the intranet to be improved over time to continually meet user expectations.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Our underlying infrastructure is provided by Google Cloud. Google Cloud adheres to numerous independently validated privacy, data protection, security protections and control processes, and is responsible for the physical security of the hardware powering its services. We rely on them for management of physical media. Where appropriate, we also add layers of logical encryption to our services; for example, to protect backups at rest and information in transit.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Request to support team is made.
• Data export formats: Other
• Other data export formats:
  • File system
  • Database
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We provide a 99.99% uptime SLA. We provide a service credit of 3% of the monthly fees paid for any period of downtime longer than 1 minute (this is calculated in 30 minute blocks, so, 1-30 minutes of downtime equates to a 3% credit).
• Approach to resilience: Mixd Managed Hosting is designed to be extremely resilient. All hosted clients benefit from multiple layers of caching, daily backups with the ability to quickly rebuild individual machines, load-balancing for redundancy which permits downtime-free continuous improvement and extremely straightforward scaling options where additional capacity is required.
• Outage reporting: Mixd Managed Hosting is comprehensively monitored. For any outage incident, we alert clients via email and conduct a post-incident review.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Support and management interfaces require a username and password login over HTTPS. WordPress Admin access is restricted to Mixd only.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 24/01/2024
• What the ISO/IEC 27001 doesn’t cover: Our certification covers all areas of the business and operations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Non-police personnel level 2 (NPPV 2)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our information security management system covers every aspect of Mixd's operations, including Mixd Managed Hosting. Day-to-day security decisions are managed by our Information Security Manager, who reports to the Operations Team. The effectiveness of the system is reviewed at least annually. We are also subject to an annual ISO27001 audit. We take a continuous improvement approach to all our internal processes as we learn lessons.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We control our configuration and change management processes through our ISO27001 and ISO9001 policies. We monitor announcements of issues related to the system-level and application-level components that we use and treat all security-related updates as high-priority work. We constantly monitor and improve the platform as we gain experience operating it, and we consider the security impact of our changes at all stages of our work.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We perform regular internal security testing and can optionally engage with third parties to perform application and network vulnerability assessments to assess any weaknesses and threats to our services upon request. We also regularly review and update security policies; provide our employees with security training; perform application and network security testing; conduct risk assessments; and monitor compliance with security policies. Our Disaster recovery and Business continuity policy is available on request.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We monitor a wide variety of metrics across our infrastructure. We also monitor for anomalous log events and review these alerts centrally. Our actions based on these events vary. Our most frequent action is to refine and extend our set of rules for dropping malicious traffic and/or generating bans for the originating IP addresses. As necessary, we also carry out investigations into underlying issues, and take appropriate remedial action. We respond to these issues as they arise during business hours, at the start of business hours for non-emergency alerts, and 24/7 for critical alerts.
• Incident management type: Supplier-defined controls
• Incident management approach: Following the initial incident response by our operations team, we carry out a post-incident review. This review is published internally and shared with clients when there is a client impact. The review identifies the nature of the incident, documents the initial response, explains the timeline and circumstances of the incident and lists agreed remedial actions. These actions are then fed into ongoing operations work. Users are able to report incidents via the support desk and are encouraged to use our emergency address and/or follow up by phone where appropriate.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Mixd have published a Carbon Reduction Plan and are committed to achieving net zero emissions by 2030. Since 2022 we have a Carbon Reduction (CR) team supporting robust, ambitious climate change activity and accountability for meeting our reduction targets. Our environmental protection and improvement activities have broad focus, including: training and education events, internal and supplier audits, community awareness activity, accreditation activities, environmental improvement volunteering and an increasing focus on mindset shifts through concepts like 'conscientious coding' and design, where efficiency of code is viewed as a way to reduce carbon emissions. As further evidence of our commitment to reductions in greenhouse gas emissions, water use and waste-to-landfill, we: measure our emissions, including tools we use and hosting services for clients, through an independent assessor; promote low tech, carbon reduction strategies, offsetting where possible to clients, such as faster-loading websites; consider travel throughout contracts. We are experienced at working remotely and promote remote meetings by default; have launched initiatives for staff to reduce their personal carbon footprint, including a cycle to work scheme and electric vehicle (EV) scheme. We also encourage and support staff to minimise carbon emissions associated with working remotely including switching to green home energy providers and turning lights and appliances off at mains when not in use.

  Covid-19 recovery

  During the COVID-19 pandemic and recovery phase, Mixd offered its services for free to any public sector organisation that needed help developing websites to support the COVID-19 recovery phase. For example, we developed a WordPress COVID-19 communications platform that could quickly and easily be deployed for NHS Trusts, Clinical Commissioning Groups (CCGs), Councils and Police Forces across the UK. The goal was simple – design and develop a website platform that would facilitate clear communication.

  Tackling economic inequality

  We have diversified our hiring practices by recruiting talent at graduate and junior levels to nurture new skills. Since 2014, Mixd have worked with Universities across the UK to bring together young digital talent for an intensive three day event called Work in the Web which is focused on the skills and techniques that help students get a head start in our ever changing industry. Additionally, working directly with the University of Leeds and Leeds Beckett University has enabled us to create more job opportunities in the Northern region. We have made our job opportunities more accessible to those facing employment barriers by advertising on platforms that target underrepresented groups such as Ladies of Code. Flexible and remote working options are offered by default. Once individuals join our team, we support their skill development by providing a substantial learning and development budget, assisting them in obtaining recognised qualifications and identifying opportunities to create new roles during ongoing operational reviews. Contracts awarded under this framework will be used to create more employment opportunities for those facing barriers to employment. To enhance supply chain resilience and capacity, we collaborate with a diverse range of trusted partner organisations. This collaborative approach allows us to leverage market-leading expertise to solve client problems and increase our capacity and resilience in delivering services.

  Equal opportunity

  Diversity and equality are the cornerstone of our business, and we are fully committed to promoting both in all aspects of our work. We value people and want them to feel free to be themselves. We embrace each other’s differences, in gender, religion, beliefs, ethnicity, disability, age, sexual orientation, neurotype, nationality, and identity. We are diverse - like the people we build, design, and create for. We want to design and build inclusive services for all, fully empathising with all types of users and sharing and harnessing cultures and values often held by our clients. In practice, this means we: work to inclusive and accessible recruitment practices, and retention-focused activities: provide working conditions which promote inclusion and promote retention and progression: mask candidate data around protected characteristics to ensure fair/equal selection process with a broad range of accessible skill-based assessments available to identify candidates: conduct regular equal pay audits, reviewing and changing as appropriate and proactively create employment, re-training,and other return to work opportunities. Amazing things happen when we collaborate together. We work in the open and believe everyone’s voices should be heard. We recognise individual needs and aim to provide a work environment that is accessible, welcoming, and empowering for all. We want everyone to feel supported and included in our wider community. We’re committed to being transparent with our diversity information and regularly assessing the impact of all our policies and practices. Our approach is set out in our Equality and Diversity Policy.

  Wellbeing

  We provide support for our team's wellbeing and professional development, including an annual learning and development budget (£1000) and paid support for professional qualifications/study leave, as well as personal wellbeing measures such as eyecare and paid time off for COVID vaccinations. We offer flexible and part-time working options, office modifications for accessibility and mentoring opportunities. To monitor and evaluate our team's wellbeing, we empower line managers and delivery leads to check in regularly with their staff, encourage a sustainable working pace and conduct weekly line management check-ins and daily project standups to address issues promptly. Additionally, we provide a dedicated online space for discussing wellbeing, where individuals seeking help receive support from their manager, teams and HR. We also monitor the uptake of wellbeing benefits through our HR tools and measure company-wide sentiment through quarterly surveys, using anonymized data to inform the evolution of our HR policies.

Pricing

• Price: £12,960 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@mixd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.