Fivium Limited

FOXopen Cloud Hosting

With this service, Fivium will look after all the hosting and software delivery on behalf of the customer. The hosting is ready for secure, high-quality delivery, and the software is ideally suited to the creation, support and maintenance of cross-Government and Government-to-business FOXopen workflow applications.


  • FOXopen framework deployment including modules and toolkit
  • Configuration of regulatory systems, workflows and forms
  • Full document management including PDF generation and digital signing
  • Cloud hosting environment provided through IaaS partners
  • Official accreditation and access via Internet or PSN


  • Streamlined regulatory processes through fully web-enabled system
  • Out-of-the-box integration with external systems
  • Collaboration and transparency through open information reporting
  • Fully supported system with associated service desk
  • Highly experienced, friendly support team


£5000 per unit per month

Service documents

G-Cloud 9


Fivium Limited

Anthony Ashton

0844 7365211

Service scope

Service constraints None
System requirements Any modern web browser

User support

Email or online ticketing support Email or online ticketing
Support response times Initial response within one hour, resolution in line with our SLA
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Fivium provide a service desk 8am to 6:30pm Monday to Friday excluding UK bank holidays. We provide a single support service level aligned with ITIL best practices. Where necessary, technical experts are available to deal with calls and help resolve issues.
Support available to third parties Yes

Onboarding and offboarding

Getting started Fivium provide onsite training and documentation to enable users to get started with the service
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Users can extract their data in XML format when the contract ends.
End-of-contract process At the end of the contract, customers can extract their data and request that the service is decommissioned. This may incur extra charges, depending on the nature of the services purchased.

Using the service

Web browser interface Yes
Using the web interface Users can log in and access the application and services through the web interface. All changes that can be made by users are made through the web interface, including workflow changes, template changes, and user access and permission changes.
Web interface accessibility standard WCAG 2.0 AA or EN 301 549
Web interface accessibility testing Applications have been tested against JAWS and Dragon assistive technologies
Command line interface No


Scaling available Yes
Scaling type Manual
Independence of resources Fivium will provision dedicated infrastructure for this service.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Files
  • Databases
Backup controls Backup of the service is arranged in advance with the service desk and this process can be controlled by Fivium but not by the customer.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Fivium have a customisable SLA for this service, which will be agreed between Fivium and the buyer. It is based on a comprehensive SLA that provides 99%+ availability and support between 8am and 6:30pm Monday to Friday, excluding UK bank holidays.
Approach to resilience Fivium provide resilience using a wide variety of solutions including data centre resilience, server hardware resilience and software level resilience.
Outage reporting Fivium provide a monthly service report for customers purchasing the service that details outages and any issues with the service.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Production systems are accessed via secure remote access laptops which can connect over a VPN to a jump-off bastion only. From there, once authenticated, connectivity can be made to the servers in question.
Access restriction testing frequency At least once a year
Management access authentication Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We maintain an HMG IAS 1&2 compliant RMADS document set and SyOPs which implement the ISO27001 principles.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Fivium follow ITIL best practices for configuration and change management
Vulnerability management type Supplier-defined controls
Vulnerability management approach Fivium production environments are proactively scanned on a weekly basis to ensure potential threats to the services are identified and the reports are sent to the service desk for investigation.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Fivium production systems are monitored through a series of tools and processes aligned in part with recommendations from CESG document GPG13 (Protective Monitoring for HMG ICT Systems) and, in particular, Protective Monitoring Controls (PMC 1-12). This includes checks on time sources, status of backups and others. Alerts raised are sent to our service desk for prompt investigation following our event management procedures.
Incident management type Supplier-defined controls
Incident management approach Incidents can be raised by customers through the service desk via phone or email. Any security incident is logged in our security incident register and raised immediately with the security manager. A serious incident would also be escalated to a company director. We provide regular updates to the customer regarding any ongoing security incidents. Following the incident, we provide a detailed report to the affected customers. We have defined processes for common events such as account lockouts. Our security policy and procedures are externally reviewed and approved.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy-efficient datacentres Yes


Price £5000 per unit per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document