Nudge Digital Ltd

Open Source Web Development and Drupal CMS Design

Nudge specialises in delivering innovative digital consultancy, strategy and design; implementing our solutions using open-source PHP web development tools.

We specialise in Drupal and WordPress content management systems and are highly-experienced using agile and user-centric design methodologies, GDS principles and helping our clients successfully navigate and pass GDS assessments.


  • Concept development and consultancy
  • Digital strategy and service design
  • User experience development and user testing
  • Drupal 7 & 8 content management system (CMS)
  • 3rd party systems integration
  • GDS compliant project methodology
  • Drupal support and maintenance packages
  • Conversion rate optimisation / split (A/B) testing
  • Highly user-centric design and development methodology
  • WordPress content management system (CMS)


  • Highly user-centric design and development methodology highly-effective and engaging websites
  • Highly-effective and engaging websites
  • Resilient and cost-effective digital solutions
  • Experts in GDS process and assessments with demonstrable experience
  • Best possible UX achieved by using dedicated user-testing exercises
  • Full digital marketing services to help you promote your website
  • Quick and cost-effective delivery from Drupal experts
  • Responsive and agile service as small-medium sized agency
  • Ensure widest possible audience reach by delivering multi-platform solutions


£600 to £750 per person per day

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

1 1 0 4 9 5 7 7 4 0 6 5 7 3 9


Nudge Digital Ltd

Luke Aikman

0117 325 3200

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
There are no known service constraints.

Drupal is a widely adopted enterprise level CMS, open source software platform with no recurring licence fees.
System requirements
  • LAMP stack hosting environment
  • Modern browser to access the website

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response time for critical issues - within 4 working hours.

Response time for serious issues - within 1 working day.

Response time for non-critical issues - within 2 working days.

Working days are Monday-Friday.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Onsite support
Yes, at extra cost
Support levels
Nudge provides dedicated support and maintenance to many clients, which includes all security patches and CMS module updates, changes to /and or new features and functionality, on-going user testing, conversion rate optimisation services and full telephone and email support, and hosting provider liaison.

Our standard support includes all security patching and upgrading modules to the latest versions, testing of all upgrades on a development environment, bug fixes, enhancements to the site functionality and content updates where required.

We regularly review the support agreement to ensure the level of support matches your actual requirements / usage. Following the review we can increase, decrease or maintain the support level.

Performance measuring and reporting - All of our work is logged, tracked and reported against within our project Management System. Our clients are granted access to the system and can track our work and performance against our KPIs in near real time. This transparent approach is design to allow the client team complete visibility on Nudge’s work, costs and performance.
Support available to third parties

Onboarding and offboarding

Getting started
Following contract award , the internally project team is briefed and given access to all tender documents, our submission, clarifications and presentation slides. This gives us an opportunity to gain initial further feedback and questions from our team before we arrange our first introductory meeting with the client.

The project is also set up on our project management system and any notes / questions are recorded. Access to our project management system will be granted to the client and training provided following the kick-off session as detailed below.

In this first meeting, we discuss a wide range of relevant project topics, all of which will help us get to know each other and gain a mutually aligned understanding of the services we’re providing and the project we’re delivering.

We’ll lead this important session with the aim of discussing every aspect of the new solution, your aims, goals and aspirations for the new portal, identifying all key internal and external stakeholders within the project, defining and agreeing timelines and milestones for the project plan as well as discussing and provoking thoughts about the functionality needed on your system and much more.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Any data kept in any associated database can be extracted at the end of a project.
End-of-contract process
Inevitably, some contracts come to an end and it is essential that Nudge supports its clients in whichever path they decide.

In order to support this, Nudge will ensure we do the following where necessary:

- Have an up-to-date summary of the project solution,
- Detailed project and technical requirements,
- Well-documented code adhering to best practices and using standard APIs and libraries, allowing for portability,
- Documentation of server architecture (hosting environment including server specifications),
- List of contact and access details (key contacts and details on how to access the code / servers),
- Migration plan (checklist to be followed when migrating to a new supplier / internal team),
- List of known / outstanding issues (list of any known or pending issues with the code or server environment),
- Training for new development team / internal Orison resource,
- Access to project management history,
- Access to code repositories

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
We're very conversant with mobile design principles to ensure great user experience across a range of devices, ensuring maximum usability and accessibility by a large daily audience focusing on an intuitive and logic interface.

Our prototypes are designed using fully responsive wireframes. This appreciation of mobile access and UX from day one ensures our designs are meeting the needs of your audiences using their mobile devices.

Responsive wireframes allow us to rapidly prototype and showcase the structure of the proposed website on each device, including representations of pages, features and functionality, to users at a very early stage.
Service interface
What users can and can't do using the API
There is no 'off the shelf' API.

We are, however, able to build a custom API if required. Any API we develop would be bespoke and based around your organisational and data interchange needs.
API documentation
API sandbox or test environment
Customisation available
Description of customisation
Nudge is an open source web development agency, working with a broad spectrum of PHP, MySQL, XHTML, CSS, JavaScript, jQuery based technologies

We also utilise off the shelf systems such as Drupal; an open source Content Management Framework (CMF), unlike a typical Content Management System (CMS); which is geared more towards customisation and configurability.

Out of the box Drupal (7 and 8) provides key features to meet most common requirements such as users, roles, permissions, content management, workflow, clean URLs, a multi-level menu system, user comments, user registration & authentication and built-in caching & optimisation, content publishing rules, user directories and search etc.

These ‘out of the box’ benefits mean we can focus your budget, not on creating core functionality, but on customising and creating a great user experience and creative design for your audiences.

We also use WordPress where appropriate as this sometimes allows a quicker route to market when functionality requirements are very simple and straightforward.


Independence of resources
Nudge builds in contingency time and flexibility where possible. This includes the responsibilities of each resource at each stage / milestone throughout the project, an appreciation of the client’s availability.

By using a detailed project plan and Gantt chart both parties will be able to monitor the project progress across all of the project milestones and plan for such contingency with adequate notice.

All scheduled and upcoming work across all clients is reviewed at a global level on a weekly basis, allowing us to plan for unforeseen circumstances, accommodate known changes and to prioritise certain projects.


Service usage metrics
Metrics types
Alongside many other standard Google Analytics website stats, we’ll track and report on specific user events and conversions using Custom Event Tracking. This enables us to gain invaluable insights into the behaviour of your users and the website's performance against key goals, metrics and desired outcomes.
The percentage of visitors to your website that produce a positive action is known as your conversion rate. This can be further broken down to the number of page components or tools (features and functionality) required to facilitate that conversion.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Any data associated with any database can be exported in a file format that suits the clients requirements.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
There are two main aspects of Continuity / Availability Management:

Service continuity / availability - ensures that the solution can always (so far as possible) provide the minimum agreed Service Levels, by reducing the risk from disaster events to an acceptable level and by planning for the recovery of IT services. Nudge also plans to ensure that all contracts with suppliers support the needs of the business, and that all suppliers meet their contractual commitments.

Management continuity - ensures that the client can receive continual service / support from alternative providers or through internal resource.
Approach to resilience
We use frameworks and content management systems rather than writing bespoke code, since these frameworks enforce good security practices, are well tested, and have regular patches and updates available to fix known vulnerabilities. We evaluate the choice of 3rd-party systems by reviewing how frequency of updates, their security methodology is, and historic security record.

We use the OWASP top 10 ( to guide our approach to building secure websites and applications.

Protecting against injection - for example, by enforcing input field type and lengths, validating fields and always sanitising user input.

Strong authentication and session management - for example, by validating users and their roles, and adding CSRF tokens to forms.

Prevent XSS - for example, by canonicalising data and only processing data that is input by trusted users.

Avoid security misconfiguration - for example, ensuring web servers are hardened and configured with security in mind, and through regular penetration testing.

Encrypt sensitive data - for example, using secure hashing algorithms to hash passwords, enforcing TLS 1.2 or later with an EV SSL certificate, and protecting cryptographic keys.

Robust access control - for example, ensuring all non-web data is outside the webroot and implementing role-based access control for all pages.
Outage reporting
Email alerts originating from the server hosting environment

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
Two factor authentication as required
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We take our responsibility for security very seriously and ensure all members of staff are aware of and trained in information security best practices and apply this throughout their work.

We have a comprehensive data protection policy (available upon request) which ensures our staff, processes, systems and overall approach always focussed on data security.

The key points of this policy are:

All computer systems and information contained within must be protected against unauthorised access.

Secret and confidential data should not be shared or distributed without process or prior authorisation.

In the event that staff find a system or process which they suspect is not compliant with this policy or the objective of information security, they have a duty to inform a Director so that appropriate action can be taken.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The steps below are followed for any change.

All change requests (including rejected requests) shall be and logged.

A documented audit trail must be maintained at all times.

Change Classification - All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact.

Approval - All changes shall be approved prior to implementation.

Risk Management - A risk assessment shall be performed for all changes and dependant on the outcome, an impact assessment should be performed.

Changes affecting SLAs - The impact of the change on existing Service Level Agreements (SLAs) shall be considered.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Nudge adheres to industry best practice with respect to security, ensuring we protect against common threats such as SQL injection and cross-site scripting.

However, as with any software product, it is inevitable that security vulnerabilities will exist. Thanks to the large open source community, these vulnerabilities are rare and any vulnerability that does exist is quickly patched and distributed to the community.

Drupal have a dedicated security team and a comprehensive security announcement and release process. Nudge are on the Drupal security-mailing list (see, so we receive updates about security vulnerabilities almost immediately after they are discovered.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Drupal have a dedicated security team and a comprehensive security announcement and release process. Nudge are on the Drupal security-mailing list (see, so we receive updates about security vulnerabilities almost immediately after they are discovered. With our recommended support package, we can apply these updates to the website as they are released, ensuring the website is always patched against the latest vulnerabilities.
Incident management type
Supplier-defined controls
Incident management approach
When a service is disrupted or fails to deliver the promised performance during normal service hours, it is essential to restore the service to normal operation as quickly as possible. Also any condition that has the potential to result in a breach or degradation of service ought to trigger a response that prevents the actual disruption from occurring. These are our objectives of incident management.

Level 1 - Incident identification / Incident logging / Incident categorisation / Incident prioritisation / Initial diagnosis

Escalation to level 2 support - Incident resolution / Incident closure / Communication with the client throughout incident.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£600 to £750 per person per day
Discount for educational organisations
Free trial available
Description of free trial
Free strategic consultancy.

If you're unsure as to the best approach to meet your objectives, our senior team will spend time with you discussing potential project, your requirements and digital strategies to achieve your objectives.

Service documents

Return to top ↑