Genial Compliance Systems Ltd

iPassport QMS

iPassport is an electronic quality management system designed to significantly reduce the time, frustration, costs and risk associated with achieving and maintaining recognised quality standards.

iPassport digitally centralises documentation and compliance records and helps improve the day to day management of quality and compliance.

Features

• Document Management including automating document review and approvals processes
• Schedule and monitor internal and external audits
• Non compliance and CAPA Management
• Competency management to monitor staff training and qualification records
• Supplier management including performance reviews and audits
• Risk management to raise, mitigate and monitor risks
• Asset and stock management including maintenance events
• Customer management for feedback and complaints
• Task driven for comprehensive reporting, data trending and metrics
• Configurable change management module for planned and unplanned changes

Benefits

• Ensure a full and correct document management cycle
• Work from any location with internet connectivity
• No local IT support or VPN access required
• Easily demonstrate evidence of compliance to standards and regulations
• Time savings with intuitive tasks and reminders
• Track and trend events to ensure continuous improvement
• Receive continual system improvements as standard
• Partition Organisational Units (OUs) to scale organisational and departmental access
• Provide access to all records from a central controlled environment

£630 to £1,895 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@genialcompliance.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

980841475517368

Contact

Rob Christie
01244757155
sales@genialcompliance.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Reliable internet connection
  • Modern web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: All support requests acknowledged including a ticket reference within one working day (Monday - Friday 09:00 - 17:30 GMT).; ; All requests then triaged and prioritised as documented within our SLA
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Unlimited telephone, email and online product support is included as standard within any managed services agreement. Support is accessed through a dedicated link within the system as well as a central email address and telephone number.; ; Access to support is available 09:00 - 17:30 (GMT) Monday - Friday, excluding public holidays.; ; Genial will aim to respond to product related questions within one working day. Technical support requests are triaged and prioritised as outlined in our service level agreement. A short summary is below; ; Level One - Blocker - Highest Priority, aim to resolve within one working hour; Level Two - Major - High Priority - aim to resolve within one working day; Level Three - Low/Normal - aim to resolve within seven working days; ; A named account manager is assigned to all new accounts who will act as primary contact during implementation.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: An initial implementation kick-off meeting is arranged to ensure a good understanding of training and implementation requirements.; ; Training is then provided remotely, typically in hourly sessions on a "train-the-trainer" approach, however on-site training can also be provided on request.; ; Users are also provided with access to a dedicated training account for testing before deploying new processes in the live environment.; ; Users are also provided with access to a comprehensive set of online user guides, as well as validation documentation which can be downloaded in editable Word format.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users can subscribe to the iPassport export service which provides an export of all documents, including previous versions and associated attachments through a password protected download.; ; Any further export of data can be discussed with our professional services team.
• End-of-contract process: At the end of the contract, access to the iPassport live and training accounts will be disabled. Data is stored for a further 1 year as part of our backup cycles, after which, the data is overwritten. Should there be requirement to purge the data immediately after cessation of iPassport then this can be facilitated on request.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: -Admin users can create their own Organisational Units to group records and then manage and share securely; -Staff access levels and permissions are highly configurable by admin users. This is done via creating User Groups which are given Roles (a group of permissions) which determine what users within that group can and cannot do within an OU; -Modules and sub modules can be enabled/disabled via preferences; -Names of those modules/sub modules can be amended via preferences; -Cover pages/document footers/spine information can be customised if desired; -iPassport includes customisable workflows which can be applied to document reviews and publishing processes and non conforming events; -Configurable dashboards are available to users, comprising of user defined metrics and widgets which can be defaulted to be the landing page when logging in to the system

Scaling

• Independence of resources: IPassport is a containerised application managed by Kubernetes, running on AWS. It is completely scalable.

Analytics

• Service usage metrics: Yes
• Metrics types: Administrator overview of user activity which includes: last login, session duration, licences being used, and the number of logins over time per user.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Documents, including previous versions and attachments can be exported through the export service. Result sets of searches can also be exported via CSV through the application.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: IPassport's availability SLA is 99.9% uptime, excluding planned maintenance work. We achieved 100% uptime in previous 12 months at the time of writing. ; ; Service level penalties can be negotiated into the contract.
• Approach to resilience: IPassport is a containerised application running on AWS servers managed by Kubernetes. Resilience is built into the application, with multiple nodes continually and automatically monitored. If any worker node becomes unresponsive (e.g. due to a slow process) then traffic is routed to a different node. Should the node remain unresponsive for a period of time the node will be killed and a new node initiated.; ; iPassport can be updated several times a day with zero downtime and no impact on live customer traffic. Whenever the system is updated Kubernetes will load up a new node and ensure it works before replacing all nodes with the updated code. Should any issues occur the system will automatically roll back. this all happens without any impact on users.; ; Our Kubernetes engine utilised the power of AWS EC2 servers and the inherent resilient offered by AWS. Databases are all RDS, with Amazon managed redundancy and backups and files are stored in S3 buckets, again with backups and resiliance managed by Amazon.
• Outage reporting: Outages would be reported to customers via email alerts. ; ; Pre-planned maintenance work is typically notified via in-application all-user popup notices at login.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is provided on the least privilege level to ensure that only employees who require access to the management interfaces have access, access is then controlled through role-based permissions. Only dedicated members of the support team have access to the system, while only the developers have access to the system database to provide technical support. ; ; Additional access is granted to the quality manager and the information security manager for audit purposes but as they are independent of the operation this is restricted to read-only.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: SOCOTEC
• ISO/IEC 27001 accreditation date: 11/01/2019
• What the ISO/IEC 27001 doesn’t cover: All aspects of our service are covered under the scope of the certification. For reference the scope of certification covers "The development, supply, data migration, support and hosting of compliance process and data management software and associated services. Statement of Applicability version 1.n."
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Genial Compliance operates a comprehensive set of information security policies and procedures as part of our ISO 27001:2015 certification and our own best practice. This includes Information security policy, information transfer policy, acceptable use policy, risk management which includes classification, secure development, teleworker. ; ; All our policies and procedures are reviewed on an annual basis, with a full audit trail stored against them which is reviewed as part of our external ISO 27001:2015 certification. ; ; Our core documents are communicated to new starters and any significant changes are communicated through our internal quality management system, each user then has to read and acknowledge the changes to the policy or procedure. Staff members have access to a version comparison tool which highlights the changes between versions making it easy for staff members to identify these adjustments. Acknowledgement is reviewed at internal audit in these policy and procedure areas and is validated at external audit.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Software; iPassport development goes through multiple levels of peer review and testing. System updates can only be triggered if all tests pass. During the update process the system automatically deploys an instance of the new code and ensures it works before bringing up new nodes and retiring old ones. ; ; IT Systems and Databases; Our change control process requires significant infrastructure changes to be peer review and risk assessed. Typically any such change would be preceded by a trial run, identifying issues and allowing detailed step-by-step instructions to be documented.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Static code analysis is performed against every major and minor release and penetration testing is performed against every major release. High priority items are addressed before the code is released. Medium and low items are assessed and prioritised accordingly.; ; Code images are scanned within Google Container Registry and are periodically reviewed.; ; In addition, we subscribe to multiple vulnerability mailing lists
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: IPassport is hosted on AWS and utilised Web Application Firewall. In addition to blocking malicious traffic our development team are alerted to any suspicious activity. These are reviewed immediately and action is taken according to our Information Security Incident Management procedure.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: All staff are required to report information security weaknesses and events to the Information Security Manager.; ; Events and weaknesses are immediately upon receipt logged within Genial's own iPassport system where they are assessed and categorised. Depending on the severity, the item will be prioritised and resources will be assigned to action and resolve the issue.; ; Incidents reported by customers would be treated as above but would be reported via our support email or phone line. ; ; The Information Security Manager is responsible for closing out the incident, managing reporting and preventative actions.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  The hosting provider for iPassport, AWS, was specifically chosen not only for its security and reliability but also for its environmental credentials; its stated aim is to obtain 100% renewable energy for its operations by 2025. All servers are located within the UK and as such, they are also subject to any UK-based laws and/ or regulations on carbon emissions. In addition to this, Genial promotes and offers remote working, this was started prior to the pandemic and has continued. We are actively removing vehicles from the road in an attempt to reduce our carbon emissions, we are also promoting remote auditing for our customers which reduces travel for them and their external auditors which again helps to reduce the carbon footprint of the operation. Genial has also switched to a predominantly paper-free environment, with all of our policies and procedures accessed online by all of our employees. As part of our iPassport system we also actively promote a reduced paper environment for our users.

Pricing

• Price: £630 to £1,895 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@genialcompliance.com. Tell them what format you need. It will help if you say what assistive technology you use.