Northgate Public Services UK Limited

Jadu XFP (XForms Professional) by NPS

Digital service delivery: build end-to-end digital transactions for service requests, reporting, applications, eBookings and payments. Non-technical tools to build secure, simple-to-use customer forms linked to processing engines and payment service providers; powerful developer tools for integration with extension points to connect to CRM, PSP, FMS, other line of business systems.


  • Highly secure forms: encrypted data transfer and storage
  • Integration-ready with CMS, CRM, payment gateways, databases and more
  • Configurable data retention, apply per form or across all forms
  • Publish forms anywhere - create public, private and embeddable forms
  • Mobile friendly forms - supports responsive design and mobile-only templates
  • Extensible, develop custom data transfer 'Actions' for form administrators
  • Standard data export and transfer methods out of the box
  • Branching rules - logic to shape user's journey through forms
  • Create advanced form inputs like address lookups, maps and calendars
  • PDF generation - export print-ready forms from user submitted data


  • Replace manual processes and drive savings through transactional channel shift
  • Build end-to-end digital services - become 'digital by default'
  • Usable, accessible forms which meet WCAG 2.0 AA as minimum
  • Simplify customer journeys and improve data quality with forms logic
  • Customer accounts providing transaction history
  • Publish new forms instantly; or schedule deferred publication and archival
  • Enable business users to configure complex systems integrations and payments
  • Customer data handled and stored securely for data protection compliance
  • Non-technical form creation tools - create forms without programming expertise
  • Access forms from any device. Mobile, tablet, desktop, large screen


£100 to £4,700 an instance a month

Service documents


G-Cloud 12

Service ID

1 1 7 8 6 1 4 4 9 9 7 3 8 3 6


Northgate Public Services UK Limited Northgate Public Services Frameworks Team
Telephone: 08452 700353

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
  • Internet Explorer (desktop 9+; Windows Phone 8.1)
  • Microsoft Edge (latest version)
  • Google Chrome (latest desktop version
  • IOS 7+
  • Mozilla Firefox (latest version)
  • Safari 7+ (latest desktop version; iOS 7+)
  • Android
  • Mobile Safari (iOS 7+)
  • Android Browser (Android 4.x)

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide a level of support, which is built into the monthly subscription cost. This provides an online help desk and ticketing system available 24/7 with telephone support during business hours (8am-6pm, Monday to Friday, except English Bank Holidays). On-call engineers will respond to critical availability issues outside of standard business hours. Our support SLA is included in the terms of service document. Our help desk is staffed with dedicated support engineers, with sysadmins, software engineers and other technical experts becoming involved to resolve support issues as necessary.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Web chat accessibility testing. Online support web chat is provided using our own Jadu CXM platform. The CXM user interface is regularly tested with NVDA and JAWs
Onsite support
Yes, at extra cost
Support levels
We provide a Gold level of support, which is built into the monthly subscription cost. This provides an online help desk and ticketing system available 24/7 with telephone support during business hours (8am-6pm, Monday to Friday, except English Bank Holidays). On-call engineers will respond to critical availability issues outside of standard business hours. Our support SLA is included in the terms of service document. Our help desk is staffed with dedicated support engineers, with sysadmins, software engineers and other technical experts becoming involved to resolve support issues as necessary. A Platinum level of support (an additional £650 per month) increases the number of support accounts an organisation can have as well as out of hours deployments and a number of inclusive professional service days for small works. A named Customer Support Advisor is assigned to every customer, irrespective of whether Gold or Platinum support has been chosen.
Support available to third parties

Onboarding and offboarding

Getting started
We perform all necessary setup tasks for the hosting environment and software. We can provide user training as part of a website implementation project; training is available through our Cloud Support service listing.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Tools are provided to export data from within the application. Form structures can be exported as .tar files, user submitted data can be exported in CSV and XML format. Any other data not accessible via the export tools provided in the application can be exported via database export.
End-of-contract process
A service plan can be cancelled at any time. When you do this, your Jadu Continuum platform becomes unavailable and all public-facing content/actions are taken offline – no further usage or subscription charges will apply. You will have access to your Jadu platform for export purposes only, for a further 30 days, following which all content and data will be deleted permanently. We are happy to provide professional services to assist with data migration at our standard day rates.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Forms created using Jadu XFP are fully responsive and so there is no difference between the service whether consumed via mobile or desktop device
Service interface
Description of service interface
Our modern interfaces developed using the Pulsar user interface framework are tested using desktop screenreader software, and our text editor supports a variety of screenreaders including JAWS, VoiceOver, NonVisual Desktop Access (NVDA) and ChromeVox.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Additional testing has been undertaken to confirm that animated backgrounds in the software do not trigger seizure in individuals with Photosensitive epilepsy.
What users can and can't do using the API
The software supplies both a PHP and RESTful XML API. The PHP API is fully functional, allowing both read and write of application data. The RESTful XML API allows users with an authorised API key to access publically available content already published to the website.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
A broad range of settings can be adjusted from within the application user interfaces. Additional custom functionality can be developed to extend the core feature set.


Independence of resources
We have designed the hosting platform with resiliency and scalability in mind. The platform is very flexible and can accommodate increase in user demand by introducing new compute and storage resources if required.


Service usage metrics
Metrics types
Form submissions; received forms; analysis by customer services agent; popular form etc.
Reporting types
Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Jadu Limited

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other data at rest protection approach
Sensitive data is encrypted within the database. 'Sensitive data' includes: - Any data submitted by a member of the public, including their personal details - The personal details of internal users of the system - IP addresses - API access credentials
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Through the service application interface.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Traffic between various network tiers is restricted with the use of physical and local software firewall. Additionally where applicable TLS encryption (Version 1.2 or above) is utilised. Data exchange within various internal networks may use combination of IPSec VPNs, SSH, TLS or Encrypted RDP protocols.

Availability and resilience

Guaranteed availability
We guarantee 99.9% availability excluding planned maintenance. Our SLA is contained within our terms of service.
Approach to resilience
The network is resilient. Application resilience is dependent upon the options chosen by the customer. This information is available on request.
Outage reporting
We use a set of internal (Nagios) and external (Pingdom) monitoring solutions which notify of any outages using dashboards, email alerts and SMS messages.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
The application user interface provides granular access control for forms editor and administator users. The user's experience of the environment can be controlled at multiple levels: - areas of the user interface they can access - type of actions they can take while managing forms - access to submitted data Global access rules can be overwritten on a form by form basis. User permission management are carried out via the application user interface. Individual users can be temporarily disabled when necessary.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
QMS International
ISO/IEC 27001 accreditation date
Accreditation date 7/11/16
What the ISO/IEC 27001 doesn’t cover
The software, platform management and support aspects of this services are covered by our ISO 27001 accreditation. Hosting is covered by our infrastructure suppliers' ISO 27001 accreditation.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Information security policies and processes
We follow a security policy approved and externally audited as part of our ISO27001 accreditation. A copy of the policy is available upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Initial service configuration is committed to GIT repositories. Any future configuration changes are first tested on DEV systems from where they are deployed to UAT and finally after customer approval to LIVE.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our sysadmin team members are subscribed to various vulnerability publishing lists e.g. Any published and relevant vulnerabilities affecting the application stack are carefully reviewed. If a vulnerability is discovered that affects any of the stack components and a vendor patch is available Jadu will attempt to contact the customer to establish a suitable time for updating the affected software. If customer data or reputation is at risk and customer is unreachable within a reasonable time window we will apply the patch in emergency immediately.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Jadu uses internal and external monitoring systems to monitor server health in real time. The hosting platform is also protected by a web application firewall which protects web application behind it from various web attacks (eg. SQL injection or cross site scripting). The infrastructure is constantly being monitored by an IDS solution provided by AlertLogic where any suspicious network activities are analysed.
Incident management type
Supplier-defined controls
Incident management approach
An incident will be reported via portal or telephone, or identified by our service desk team. The service desk team will analyse the incident and gather as much information as possible from log files, investigations etc and will at the same time make senior management aware of the incident and escalate appropriately in accordance with our defined escalation procedures Following an incident, a report will be compiled and shared with the customer and any further actions clearly identified. All incidents are reviewed by our security council quarterly and this process is subject to external audit via our ISO27001 accreditation.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£100 to £4,700 an instance a month
Discount for educational organisations
Free trial available

Service documents