Bizagi Limited

Bizagi Automation Service

Bizagi provides cloud-based Intelligent Process Automation software (DPA + AI + RPA). Architected for Microsoft Azure, it offers a secure and reliable intelligent process automation platform-as-a-service, allowing customers to run high-performance business process applications, integrated with existing systems, artificial intelligence services and leading RPA technology.


  • True Cloud, 'Cloud first' architecture, native scalability, security, compliance
  • Designed as a collaboration platform (Business/IT) for digital process automation
  • Business process modelling, simulation, documentation, automation, monitoring and optimisation
  • Data modelling, UI/forms design, business rules engine, work allocation
  • Native integration with Microsoft Office 365 (Exchange, SharePoint, Dynamics, Word/Excel)
  • Native integration with all leading RPA (Robotic Process Automation) vendors
  • Easiest platform to use, highest customer satisfaction with cost/value ratio
  • Native Cloud applications (BI/Business Insights, Machine Learning / Artificial Intelligence)
  • Open, expandable plaform, with vast customisation options (connectors, UI widgets)
  • Model once, run anywhere - native mobility, across all devices


  • Digital Process Automation (DPA) platform to digitise complex, government operations
  • Legacy systems' modernisation, through an agile, connected process orchestration layer
  • End-to-end process orchestration across systems, devices, people, robots (digital workers)
  • Intelligent Process Automation (IPA) through combination of DPA and RPA
  • Contextualised, engaging user experience, providing users with relevant information/actions
  • Agile, layered architecture, promoting re-usability of all building blocks/elements
  • Agility: rapid, controlled innovation through fast prototyping/experimentation
  • Fast, reduced time-to-market to deliver new business applications


£76,900 an instance

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 1 5 8 3 5 0 0 0 4 1 9 1 9 3


Bizagi Limited Tim Weatherall
Telephone: +44 (0) 1753 379270

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
No constraints
System requirements
  • (Optional) Remote Desktop client (Windows/iOS/Android) for process designers only
  • (Optional) iOS 9, Android 5.0 for end users only

User support

Email or online ticketing support
Email or online ticketing
Support response times
Typical response times, depending on severity reported, are as below (hrs are working hours): Premium Service - Gold response time between 1 to 8 hrs (24x7). Premium Service - Silver response time between 2 to 16 hrs (8x5). Premium Service - Bronze response time between 3 to 24 hrs (8x5). Bizagi Basic Support service is not subjected to SLAs on response times.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Support levels
Bizagi offers two support levels (please refer to 'Ongoing Support' question): A) Basic Support Service (with no response time SLAs). The cost of the Basic Support is embedded in the Cloud licenses agreement. B) Premium Support Service (with response time SLAs) which you may purchase separately according to your requirements. Our Premium Support service is offered in three modalities - Gold, Silver and Bronze depending on the service level requirements you may have . Our support service provides you with remote assistance for problems with specific symptoms encountered while using Bizagi process automation suite. All interaction with our Support Centre should be done via our ticketing system which is accessed through our secure support site. If a Customer subscribes to either the Premium Gold or Silver support service tier, Bizagi provides the services of a dedicated UK-based Service Delivery Manager and the availability of a telephone number to facilitate the communication of support severity 1 incidences.
Support available to third parties

Onboarding and offboarding

Getting started
Bizagi provides onsite & online training and user documentation to support getting started with Bizagi Automation Service. Additionally, our Professional Services team are willing to support your users to start to automate your digital processes using our Spark Methodology which will see you deliver business value in as short a time as possible. Please see our Bizagi Digital Process Automation Implementation Service offering in Lot 3 - Cloud Support.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Upon the expiry of the Term, Customer shall not access or use the Bizagi Automation Service, including the Documentation; however, at Customer’s request, and for a period of up to sixty (60) days after the effective date of termination, Bizagi will make available Customer’s Data To be retrieved by the Customer.

At the end of such 60 days’ period, Bizagi will thereafter delete or destroy all copies of Customer’s Data in Bizagi Automation Service or otherwise in Bizagi possession or control, unless legally prohibited for doing so. Bizagi will confirm such deletion and/or destruction in writing within ten (10) days of the Customer’s request for such confirmation.
End-of-contract process
Upon the expiry of the Term, Customer shall not access or use the Bizagi Automation Service, including the Documentation; however, at Customer’s request, and for a period of up to sixty (60) days after the effective date of termination, Bizagi will make available Customer’s Data To be retrieved by the Customer.

At the end of such 60 days’ period, Bizagi will thereafter delete or destroy all copies of Customer’s Data in Bizagi Automation Service or otherwise in Bizagi possession or control, unless legally prohibited for doing so. Bizagi will confirm such deletion and/or destruction in writing within ten (10) days of the Customer’s request for such confirmation.

Bizagi Automation Service relies on a Storage subsystem that makes customer data unavailable upon termination of the contract. All copies of the deleted data item are then garbage collected and the physical bits are overwritten when the associated storage block is reused for storing other data, as is typical with standard computer hard drives.

In addition, Bizagi enforces a Safe disk erase policy, which covers the steps required to safely destroy the information contained in physical disks drives using DBAN software.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Bizagi Automation Service supports a ‘model once, run anywhere’ philosophy – when you design your UI forms in the Forms Designer and then run the application (automated business process), forms will be rendered accordingly and optimally for all current mobile devices, with no need for additional configuration or programming. All of the UI widget controls that you can use in your interface design are intelligent – they understand how to render themselves appropriately for each device, whether it is the desktop device or the mobile device.
Service interface
Description of service interface
Bizagi has an out-of-the-box Web application ("Work Portal") where the business applications (automated processes ) are available to end users for execution. The Work Portal is where end users create new "cases" (business process instances) and access the activities/tasks assigned to them.

End users connecting to the Work Portal, either via a browser or the native mobile app, are presented with their Inbox, which lists all manual tasks currently assigned to them.

Complementing the Inbox is the Me page, which provides a contextualised user experience to different "stakeholders" (classes/types of end users), by showing data/information related to them.
Accessibility standards
None or don’t know
Description of accessibility
Bizagi provides several display features to configure accessibility options such as enabling bigger fonts or using high-contrast colours. Some of these settings are specific to each field in each form, others are global, others are available as a personal preference for each end user.

Bizagi allows the creation of dynamic and flexible electronic forms, following all WCAG guidelines.

Widgets like 'Field Narrator', 'Image Zoom', 'Voice Recognition', 'Text Reader" (all freely downloadable) provide addtional 'WCAG - functionality'. These widgets might be adapted to additional needs, and custom widgets can be designed using the browser-based Bizagi Widget Editor.
Accessibility testing
Bizagi is designed by following guidelines that include usability aspects. While currently there is no conformance level to the WCAG guidelines, most aspects that make the Work Portal operable and understandable follow precisely those guidelines.
What users can and can't do using the API
Bizagi natively exposes 3 SOAP Web Services APIs, which external applications can invoke for the purpose of:
1 - Creating/advancing/cancelling cases (business process instances), performing end-user tasks/activities, triggering events.
2 - Accessing/modifying the entities of the data model
3 - Exposing data gathered via custom reports , typically to be processed by an external BI solution.

In addition, Bizagi provides programmatic access to the underlying business information in the data model via powerful APIs based on RESTful and OData services, oriented towards "stakeholders", i.e. special classes of end users.

There are two types of OData services available:
- Data services, providing access to stakeholder-owned data (e.g. all the cases owned by a civil servant), searches, processes, cases, queries and entities.
- Metadata services, allowing access to information on configured stakeholders.

Access to these OData/REST services is provided via OAuth applications, each with its configured access type (Authorization Code, Client credentials, or all) and allowed scope (full API access and/or Login).

Through the SOAP and/or OData/REST APIs, Bizagi Automation Service can be driven programmatically by an external system.

A RAML descriptor is provided for native integration with MuleSoft.
API documentation
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment
Customisation available
Description of customisation
Bizagi Automation Service customers can customise most options of the Work Portal, including, but not limited to:
1) Branding and "theme"
2) Language and locale (date/currency formats)
3) Access control to menus and specific features (e.g. standard users vs. power users)
4) Dedicated user experience for "stakeholders" (special classes of end users)
5) End-user authorisation choice.

Automated business processes (business applications) executed in Automation Service are built to match the exact requirements from the customer.

Bizagi Automation Service process designers / business analysts can customise business applications (individually or collectively) as follows:
1) Organisational structure (locations, departments, roles, positions, skills)
2) Process maps, i.e. sequence of tasks/activities, decisions, events
3) Data fields/attributes
4) Individual UI form/screen for each manual task
5) Business rules and policies
6) Work allocation/distribution criteria for each manual task
7) Integration points with external systems
8) Ready-made or custom-made UI widgets
9) Ready-made or custom-made integration connectors
10) Custom-made software components
11) Tailor-made scripts/expressions.
12) Number and type of "environments" (development / test / UAT / production / etc.)

Please also see the answer to this question under the "Modeler Services" service, as all those options also apply.


Independence of resources
​The solution is deployed into a multi-tier system architecture (a Data Access Layer and a BPM/Application Layer), providing the elasticity of scaling it out on demand, in order to support tens of thousands of users.
Automation Service is deployed across multiple "scale sets" to be able to assign additional set of resources in a dynamic fashion (i.e. scale out), in real-time.
Each environments is bound to a performance tier, i.e. it has the set of resources (storage and processing) required to process the estimated work load (e.g. volume of tasks/activities), while guaranteeing the desired performance to all users.


Service usage metrics
Metrics types
Bizagi Run (Automation) is a secure site where users who have a subscription (owned or shared), can manage projects, environments and resources.

Users can also monitor environment's resources (storage and consumption in BPUs - Bizagi Processing Units) . Each environment is monitored independently.

A BPU is a unit of measurement for the storage capacity and the performance (processing capacity) of an Automation Service environment. One BPU encompasses the resources needed for an environment to execute 10,000 BPMN shapes per month.

Usage is displayed through charts reporting the daily, monthly and cumulative data for each environment, over the chosen time period.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export data from any business process via:
1) Cloud-based datasets populated by completed Bizagi "cases". Consumed via OData/REST connection e.g. from MS PowerBI, Tableau.
2) Web Services call into native SOAP/REST(OData) APIs (inbound)
3) Web Services (SOAP/REST) call into external APIs (outbound)
4) Ready-made/custom-made connector (E.g. Salesforce, MS Exchange) (outbound)
5) Custom-made component (DLL) (outbound)
6) Automatically-generated documents (DOCX/XLSX/PDF), based on custom templates (e.g. a purchase order, an insurance policy).

See the same question under the "Modeler Services" service, as all those options also apply on how to export process' meta-data.
Data export formats
  • CSV
  • Other
Other data export formats
  • MS Word (DOCX), Excel (XLSX), Visio (VSDX)
  • Adobe PDF
  • HTML
  • BPMN 2.0 XML
  • Bizagi Modeler (BPM)
  • XML
  • JSON
  • Text file (TXT)
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON
  • MS Excel (XLSX)
  • Text file (TXT)
  • MS Word (DOCX)

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Bizagi provides a Monthly Up-time Percentage of 99,9% to the customer.

Expected service availability does not include planned downtime.

If Bizagi does not achieve the SLA Commitment in any given month, you are eligible to receive Service Credits towards a portion of the monthly service fees, as described below:
Monthly Uptime Percentage < 99.9%, Service credit = 10%
Monthly Uptime Percentage < 99%, Service credit = 25%
Regarding Service Credits:
•The parties acknowledge that each Service Credit is a genuine pre-estimate of the loss likely to be suffered by you and not a penalty.
•The provision of a Service Credit set forth herein represents a Customer’s sole and exclusive remedy if Bizagi does not achieve the SLA Commitment. Customers cannot unilaterally offset their Service Fees for any availability issues.
•Service Credits shall be shown as a deduction from the amount due from the Customer to the Supplier in the next invoice due to be issued under the Main Agreement. The Supplier shall not in any circumstances be obliged to pay any money or make any refund to the Customer.
Approach to resilience
Bizagi is committed to delivering 99.9% SLA uptime. To do so, Bizagi keeps replicas of databases and servers to protect against hardware failures and increase system reliability. Reliability is one of the three main pillars offered by Bizagi Automation Service. The infrastructure behind the service is designed for availability and resiliency, and this includes storage, networks, and communications, among others. Bizagi conducts 24x7 monitoring on the services and underlying technology and has more than 30 data centers around the world to provide higher performance and meet data location requirements.​

Bizagi relies on Microsoft Azure as its IaaS. Microsoft is a tier 1 datacenter.

Bizagi has an available Disaster Recovery Service; it is a separate offering, in which the solution is configured to use redundancy for all components to provide contingency measures in the event of a disaster. Redundant nodes use independent data centers that avoid service disruption while maintaining privacy guidelines according to geographic regions.

Data is synchronized in real-time to achieve a 5 seconds RPO and a 24-hour RTO
Outage reporting
Bizagi Automation Service lies in Azure security Controls, so in case of a service failure, Bizagi's support team will alert via email about the incident.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access to any Bizagi information asset involved in Cloud Operations Services is authenticated using:
▪ Unique identifiers (to insure individual accountability and auditability);
▪ Together with passwords (of approved complexity) or tokens (collectively known as credentials), before it can be accessed.
Authentication methods are appropriate to the classification of the information and/or functionality being accessed.

Available options for user authentication are:
1) SAML authentication: Azure AD / ADFS / NetIQ / Okta / PingFederate
2) Windows Authentication
3) OAuth authentication
4) LDAP Authentication
5) Bizagi Authentication
6) Custom Authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Bureau Veritas – UKAS
ISO/IEC 27001 accreditation date
June 2018
What the ISO/IEC 27001 doesn’t cover
Our ISO/IEC 27001 certification DOES cover planned processes, procedures and sites.

Reviewed documents include: Information Security and Compliance Manual SC-MA-001, Statement of applicability format SC-FO- 027, Security and privacy training and awareness policy, Workforce security policy, Physical and environmental security policy, Access control policy, Information security incident handling policy, Network security policy, Protection from malicious software policy, Event log and monitoring policy, Data backup and restore policy, Mobile working policy, Information classification and handling policy, Cryptography policy, Information security in project management policy, Information security in upplier’s management policy, Vulnerability management policy, Operations security policy, Bussiness Continuity Manual.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • HIPAA (Health Insurance Portability and Accountability Act of 1996)
  • FedRAMP (Federal Risk and Authorization Management Program)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
​The following specific policies exist to support our Information Security Policy:
• Security and privacy training and awareness policy
• Workforce security policy
• Physical and environmental security policy
• Access control policy
• Information security incident handling policy
• Network security policy
• Protection from malicious software policy
• Event log and monitoring policy
• Data backup and restore policy
• Mobile working policy
• Information classification and handling policy
• Cryptography policy
• Information security in project management policy
• Information security in supplier’s management policy
• Vulnerability management policy
• Operations security policy.

Our Information Security Policy is reviewed on a yearly basis to ensure it remains appropriate for the business and its ability to serve customers in case of influencing changes on the ISMS (Information Security Management System).​

Bizagi enforces security policies at all levels: staff, line managers, senior management.
Periodical reviews are carried out to verify compliance with the security policies. These reviews consider all levels in the organization.
Critical security aspects such as those regarding the Network security policy, Servers security policy, Acceptable use, among others, are being monitored in real-time to raise alarms and take proper actions when violations occur.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our Change Management Procedure defines how to:
1) Create a Request for change (RFC)
2) Verify and analyze RFC
3) Approve RFC
4) Review and implement change
5) Perform Post-implementation review.
The process is initiated when the IT or Cloud department receives a request to perform a change in the systems or platforms, when a schedule change must be performed, or when an emergency contingency plan must be executed. The change initiator defines the type of change (IT, Cloud, or Operations) and the impact of the change (including the downtime in hours), and they assign a change responsible.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our vulnerability management policy (ISO 27001 compliant) defines a vulnerability assessment frequency:
- Common vulnerabilities and critical patch releases are reviewed monthly
- Independent assessments are performed once per year.
- All new information assets to be included as productive are assessed and documented with no critical or high vulnerabilities.
Vulnerability remediation takes into account the severity of the vulnerability (Critical/High/Medium/Low/Information) and it is deployed either manually or by using available and authorized automated software (e.g. patch distribution systems) . An emergency process defines how to install patches outside of the regular patching schedule when high-risk vulnerabilities are identified.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Bizagi's Cloud Operations Team comprises of experts taking care of all underlying infrastructure, components and services, including 24/7 monitoring.

A Security Incident Response Team (SIRT) is established, with effective training, and backed by the Information Security Officer. Incidents are reported to the Information Security Officer.

According to the criticity of the incident, remedy measures (e.g. hotfixes, service packs, patches or updates) undergo immediate action by relying on System Center Configuration Manager.

Whenever any of the above would potentially affect a customer, a bulletin is issued to notify that customers are expected to take actions as well.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident handling procedure defines how to report any security incident of a significant risk:
1) Register a security incident report through the Bizagi Help Desk
2) Analyze a potential security incident, based on
- Attack vector: attrition, Web, Email/Phishing, External/Removable Media, Impersonation/Spoofing, Improper Usage, Loss or Theft of Equipment.
- Functional Impact to business functionality or ability to provide services.
- Information Impact: type of information lost, compromised, or corrupted
- Recoverability: scope of resources needed to recover from the incident: Location/Actors involved/Potential impact
3) Define and execute plan to manage the incident, comprising of:
Risk assessment/Containment Mitigation/Recovery.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£76,900 an instance
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.