Createful Ltd

Website design & build

We specialise in the design and development, support and maintenance of open source CMS driven websites. Our user centric approach allows our dedicated, in-house team to work closely with you to rapidly design, develop and deliver on time and within budget. All work undertaken from our studio in Bournemouth, Dorset.


  • Marketing & brochure websites
  • Multilingual websites
  • Responsive & mobile optimised websites
  • E-commerce websites
  • Bespoke integration websites
  • Bespoke web applications
  • Interactive, experiential and campaign based websites
  • Open-source content management system driven & fully bespoke websites


  • User centred design process
  • Robust agile development process
  • High performance, robust, secure and scalable solutions
  • Rigorous testing and quality assurance process
  • On-going automated monitoring, analytics & proactive support & maintenance
  • Open source technology supported by worldwide development communities


£650 to £750 per person per day

  • Education pricing available

Service documents


G-Cloud 11

Service ID

1 2 5 5 3 6 9 6 9 4 4 6 3 1 6


Createful Ltd

Kriss Bennett


Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Requires a hosting, support and maintenance agreement for a minimum of one year.
System requirements
LEMP stack VPS server

User support

Email or online ticketing support
Email or online ticketing
Support response times
Mon-Fri (excl. Bank Holidays), triage within 1 hour.
Weekends & out of hours, dependant on individual client support package.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support packages are tailored to the requirements of each individual client project.
Support available to third parties

Onboarding and offboarding

Getting started
We can provide in-depth training to help our clients use the service. This can be done on-site or remotely, backed up with supporting documentation.
Service documentation
Documentation formats
End-of-contract data extraction
Full backup of all source files and databases.
End-of-contract process
At the end of contract, if not renewed and the existing site is to be retained, the buyer will need to cover the full cost of migration. This is something we can offer as a service, or can be an activity carried out by the new supplier.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Almost none - websites can be fully managed via a backed admin interface via a mobile phone or tablet device, and the front end themes are designed in such a way as to make them equally accessible.
Service interface
Customisation available
Description of customisation
Every solution we deliver is unique to our clients' needs.


Independence of resources
Every website is deployed on client-specific, dedicated VPS servers.


Service usage metrics
Metrics types
Google Analytics
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
CMS administrators can export site data from the admin interface.
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The Amazon AWS servers we use have a guaranteed Monthly Uptime Percentage (
Approach to resilience
Available on request.
Outage reporting
Email alerts.

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
This is dependant upon client requirements, but typically a website is publicly available. Any administration areas are restricted by IP address to only authorised known list.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication
Plus IP restricted access through Firewall configurations

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials
Information security policies and processes
Details contained within our Information Security Policy and is available upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Details contained within our Change Management Policy and is available upon request.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Details contained within our Vulnerability Management Policy and is available upon request.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Details contained within our Vulnerability Management Policy and is available upon request.
Incident management type
Supplier-defined controls
Incident management approach
Details contained within our Support Management Policy and is available upon request.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£650 to £750 per person per day
Discount for educational organisations
Free trial available

Service documents

Return to top ↑