Open Source Web Development and Drupal CMS Design
Nudge specialises in delivering innovative digital consultancy, strategy and design; implementing our solutions using open-source PHP web development tools.
We specialise in Drupal and WordPress content management systems and are highly experienced in agile and user-centric design methodologies, GDS principles and helping our clients successfully navigate and pass GDS assessments.
- Concept development and consultancy
- Digital strategy and service design
- User experience development and user testing
- Drupal 7 & 8 content management system (CMS)
- 3rd party systems integration
- GDS compliant project methodology
- Drupal support and maintenance packages
- Conversion rate optimisation / split (A/B) testing
- Highly user-centric design and development methodology
- WordPress content management system (CMS)
- Highly-effective and engaging websites
- Resilient and cost-effective digital solutions
- Experts in GDS process and assessments with demonstrable experience
- Best possible UX achieved by using dedicated user-testing exercises
- Full digital marketing services to help you promote your website
- Quick and cost-effective delivery from Drupal experts
- Responsive and agile service as a small-to-medium sized agency
- Ensure widest possible audience reach by delivering multi-platform solutions
£600 to £750 per person per day
- Education pricing available
- Free trial available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
Nudge Digital Ltd
0117 325 3200
|Software add-on or extension||No|
|Cloud deployment model||
There are no known service constraints.
Drupal is a widely adopted enterprise level CMS, open source software platform with no recurring licence fees.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Response time for critical issues - within 4 working hours.
Response time for serious issues - within 1 working day.
Response time for non-critical issues - within 2 working days.
Working days are Monday-Friday.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AA or EN 301 549|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||WCAG 2.1 AA or EN 301 549|
|Web chat accessibility testing||N/A|
|Onsite support||Yes, at extra cost|
Nudge provides dedicated support and maintenance to many clients, which includes all security patches and CMS module updates, changes to and/or new features and functionality, ongoing user testing, conversion rate optimisation services, full telephone and email support, and hosting provider liaison.
Our standard support includes all security patching and upgrading modules to the latest versions, testing of all upgrades on a development environment, bug fixes, enhancements to the site functionality and content updates where required.
We regularly review the support agreement to ensure the level of support matches your actual requirements / usage. Following the review we can increase, decrease or maintain the support level.
Performance measuring and reporting - All of our work is logged, tracked and reported against within our project management system. Our clients are granted access to the system and can track our work and performance against our KPIs in near real time. This transparent approach is designed to allow the client team complete visibility on Nudge’s work, costs and performance.
|Support available to third parties||Yes|
Onboarding and offboarding
Following contract award, the internal project team is briefed and given access to all tender documents, our submission, clarifications and presentation slides. This gives us an opportunity to gain initial further feedback and questions from our team before we arrange our first introductory meeting with the client.
The project is also set up on our project management system and any notes / questions are recorded. Access to our project management system will be granted to the client and training provided following the kick-off session as detailed below.
In this first meeting, we discuss a wide range of relevant project topics, all of which will help us get to know each other and gain a mutually aligned understanding of the services we’re providing and the project we’re delivering.
We’ll lead this important session with the aim of discussing every aspect of the new solution, your aims, goals and aspirations for the new portal, identifying all key internal and external stakeholders within the project, defining and agreeing timelines and milestones for the project plan as well as discussing and provoking thoughts about the functionality needed on your system and much more.
|End-of-contract data extraction||Any data kept in any associated database can be extracted at the end of a project.|
Inevitably, some contracts come to an end and it is essential that Nudge supports its clients in whichever path they decide.
In order to support this, Nudge will ensure we do the following where necessary:
- Have an up-to-date summary of the project solution,
- Detailed project and technical requirements,
- Well-documented code adhering to best practices and using standard APIs and libraries, allowing for portability,
- Documentation of server architecture (hosting environment including server specifications),
- List of contact and access details (key contacts and details on how to access the code / servers),
- Migration plan (checklist to be followed when migrating to a new supplier / internal team),
- List of known / outstanding issues (list of any known or pending issues with the code or server environment),
- Training for new development team / internal Orison resource,
- Access to project management history,
- Access to code repositories
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
We're very conversant with mobile design principles to ensure great user experience across a range of devices, ensuring maximum usability and accessibility by a large daily audience, focusing on an intuitive and logical interface.
Our prototypes are designed using fully responsive wireframes. This appreciation of mobile access and UX from day one ensures our designs are meeting the needs of your audiences using their mobile devices.
Responsive wireframes allow us to rapidly prototype and showcase the structure of the proposed website on each device, including representations of pages, features and functionality, to users at a very early stage.
|What users can and can't do using the API||
There is no 'off the shelf' API.
We are, however, able to build a custom API if required. Any API we develop would be bespoke and based around your organisational and data interchange needs.
|API sandbox or test environment||Yes|
|Description of customisation||
We also utilise off-the-shelf systems such as Drupal, an open source Content Management Framework (CMF) which, unlike a typical Content Management System (CMS), is geared more towards customisation and configurability.
Out of the box Drupal (7 and 8) provides key features to meet most common requirements such as users, roles, permissions, content management, workflow, clean URLs, a multi-level menu system, user comments, user registration & authentication and built-in caching & optimisation, content publishing rules, user directories and search etc.
These ‘out of the box’ benefits mean we can focus your budget, not on creating core functionality, but on customising and creating a great user experience and creative design for your audiences.
We also use WordPress where appropriate as this sometimes allows a quicker route to market when functionality requirements are very simple and straightforward.
|Independence of resources||
Nudge builds in contingency time and flexibility where possible. This includes the responsibilities of each resource at each stage / milestone throughout the project, and an appreciation of the client’s availability.
By using a detailed project plan and Gantt chart both parties will be able to monitor the project progress across all of the project milestones and plan for such contingency with adequate notice.
All scheduled and upcoming work across all clients is reviewed at a global level on a weekly basis, allowing us to plan for unforeseen circumstances, accommodate known changes and to prioritise certain projects.
|Service usage metrics||Yes|
Alongside many other standard Google Analytics website stats, we’ll track and report on specific user events and conversions using Custom Event Tracking. This enables us to gain invaluable insights into the behaviour of your users and the website's performance against key goals, metrics and desired outcomes.
The percentage of visitors to your website that produce a positive action is known as your conversion rate. This can be further broken down to the number of page components or tools (features and functionality) required to facilitate that conversion.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Any data associated with any database can be exported in a file format that suits the client's requirements.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||Legacy SSL and TLS (under version 1.2)|
|Data protection within supplier network||Legacy SSL and TLS (under version 1.2)|
Availability and resilience
There are two main aspects of Continuity / Availability Management:
Service continuity / availability - ensures that the solution can always (so far as possible) provide the minimum agreed Service Levels, by reducing the risk from disaster events to an acceptable level and by planning for the recovery of IT services. Nudge also plans to ensure that all contracts with suppliers support the needs of the business, and that all suppliers meet their contractual commitments.
Management continuity - ensures that the client can receive continual service / support from alternative providers or through internal resource.
|Approach to resilience||
We use frameworks and content management systems rather than writing bespoke code, since these frameworks enforce good security practices, are well tested, and have regular patches and updates available to fix known vulnerabilities. We evaluate the choice of 3rd-party systems by reviewing their frequency of updates, their security methodology and their historic security record.
We use the OWASP top 10 (https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet) to guide our approach to building secure websites and applications.
Protecting against injection - for example, by enforcing input field type and lengths, validating fields and always sanitising user input.
Strong authentication and session management - for example, by validating users and their roles, and adding CSRF tokens to forms.
Prevent XSS - for example, by canonicalising data and only processing data that is input by trusted users.
Avoid security misconfiguration - for example, ensuring web servers are hardened and configured with security in mind, and through regular penetration testing.
Encrypt sensitive data - for example, using secure hashing algorithms to hash passwords, enforcing TLS 1.2 or later with an EV SSL certificate, and protecting cryptographic keys.
Robust access control - for example, ensuring all non-web data is outside the webroot and implementing role-based access control for all pages.
|Outage reporting||Email alerts originating from the server hosting environment|
Identity and authentication
|User authentication needed||No|
|Access restrictions in management interfaces and support channels||Two factor authentication as required|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users receive audit information on a regular basis|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users receive audit information on a regular basis|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Plus|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||Cyber Essentials Plus|
|Information security policies and processes||
We take our responsibility for security very seriously and ensure all members of staff are aware of and trained in information security best practices and apply this throughout their work.
We have a comprehensive data protection policy (available upon request) which ensures our staff, processes, systems and overall approach are always focussed on data security.
The key points of this policy are:
All computer systems and information contained within must be protected against unauthorised access.
Secret and confidential data should not be shared or distributed without process or prior authorisation.
In the event that staff find a system or process which they suspect is not compliant with this policy or the objective of information security, they have a duty to inform a Director so that appropriate action can be taken.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
The steps below are followed for any change.
All change requests (including rejected requests) shall be and logged.
A documented audit trail must be maintained at all times.
Change Classification - All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact.
Approval - All changes shall be approved prior to implementation.
Risk Management - A risk assessment shall be performed for all changes and, dependent on the outcome, an impact assessment should be performed.
Changes affecting SLAs - The impact of the change on existing Service Level Agreements (SLAs) shall be considered.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Nudge adheres to industry best practice with respect to security, ensuring we protect against common threats such as SQL injection and cross-site scripting.
However, as with any software product, it is inevitable that security vulnerabilities will exist. Thanks to the large open source community, these vulnerabilities are rare and any vulnerability that does exist is quickly patched and distributed to the community.
Drupal has a dedicated security team and a comprehensive security announcement and release process. Nudge is on the Drupal security mailing list (see https://www.drupal.org/security-team), so we receive updates about security vulnerabilities almost immediately after they are discovered.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Drupal has a dedicated security team and a comprehensive security announcement and release process. Nudge is on the Drupal security mailing list (see https://www.drupal.org/security-team), so we receive updates about security vulnerabilities almost immediately after they are discovered. With our recommended support package, we can apply these updates to the website as they are released, ensuring the website is always patched against the latest vulnerabilities.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
When a service is disrupted or fails to deliver the promised performance during normal service hours, it is essential to restore the service to normal operation as quickly as possible. Also any condition that has the potential to result in a breach or degradation of service ought to trigger a response that prevents the actual disruption from occurring. These are our objectives of incident management.
Level 1 - Incident identification / Incident logging / Incident categorisation / Incident prioritisation / Initial diagnosis
Escalation to level 2 support - Incident resolution / Incident closure / Communication with the client throughout incident.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£600 to £750 per person per day|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
Free strategic consultancy.
If you're unsure as to the best approach to meet your objectives, our senior team will spend time with you discussing the potential project, your requirements and digital strategies to achieve your objectives.