Cloud40 Ltd

Housing Association Tenant Portal

The Tenant Portal provides digital self-service for a tenant to engage with their housing association. Reporting repairs, making a complaint, payment or asking to be removed from all systems to comply with GDPR, are features of the platform. Our integration technology enables legacy systems to be integrated and data accessed.


  • Tenant Portal
  • Online Forms Generation tool
  • Rent Payment web part
  • Case Management Application
  • Repairs Scheduling Application
  • Mobile Repairs Reporting
  • Complaints Management Module
  • General Data Protection Compliance Application
  • Enterprise Service Bus
  • Real Time Reporting Dashboard


  • Tenant channel shift to online self-service
  • Rapid publication of data collection facilities
  • Improved rent collection due to accurate balance information availability
  • Efficient and controlled management of tenant interactions
  • Rapid and accurate repairs scheduling, reducing misdiagnosis substantially
  • Repairs reporting on the move from multiple devices
  • Improved customer service by handling complaints in efficient manner
  • Compliance of GDPR requirements avoiding potential for fines
  • Rapid integration to legacy systems enabling digital online enablement
  • Strong management information proving opportunity for savings and efficiencies


£10000 per instance per year

  • Free trial available

Service documents

G-Cloud 9


Cloud40 Ltd

Guy Hodges


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The Tenant Portal is feature-complete and capable of running as a stand-alone system. Integrating with other housing systems increases its value. For instance, by integrating to housing, finance, asset management and CRM systems the tenant can self-serve virtually all of their needs, driving a significant reduction in contact centre cost.
Cloud deployment model Public cloud
Service constraints None
System requirements Some integration points may rely on vendor-specific APIs

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Our standard support model has the following target response times for our initial response to issues:

Severity 1 (Critical): Response time target of 2 business hours,
Severity 2 (Severe): Response time target of 4 business hours,
Severity 3 (Moderate): Response time target of 8 business hours,
Severity 4 (Minimal): Response time target of 16 business hours.

Business hours are defined as 9am - 5pm Monday to Friday not including Bank Holidays.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Our standard support is included within the annual price of the Tenant Portal. Standard support includes up to two support calls per month (then £150/call thereafter).

Unused support calls are carried over to future months up to a maximum of 5 'banked' support calls, after which point they are no longer carried forward.

A 'Support Call Pack' (10 additional calls) is available for £1,000. The calls purchased in a 'Support Call Pack' are valid for 12 months from the date of purchase.

Support calls are only valid for highlighting and resolving problems and issues with the system, asking straightforward questions or setting up users within the system. Password resets are also valid uses of a support call.

Changes or modifications to the system, complex questions or other requests that are not included in the list above will require the purchase of consultancy service days before they can be delivered.

You will be assigned a named technical account manager who will perform a quarterly review with you either by phone or face to face. This review will analyse support calls raised in that period and discuss ongoing usage of the system to identify areas where improvements can be made.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a number of onboarding support services included in the Tenant Portal service to onboard our customers to the platform. These can be delivered either remotely or onsite as necessary and appropriate.

Before starting the onboarding service, we setup the Tenant Portal and perform the initial styling (logo, colour and organisation name).

The onboarding service then consists of training users how to create, edit, modify and delete content, how to modify the forms that are provided as standard with the Tenant Portal and how to create and manage users within the system. This training is supported by user documentation which we also provide.

We will perform the initial configuration of the Enterprise Service Bus (ESB) and help to configure it as appropriate for each customer's environment and systems. This may require the setup of a VPN connection from the customer's data centres to the cloud environment so that systems can interact with one another in a secure way.

Once completed, we provide documentation of how the ESB is configured for that customer's unique circumstances and the details of the API for the ESB (with security keys) should the customer wish to use the ESB for other non-portal related integrations.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction All custom content (which includes modified page content, images and portal user details) can be extracted at the end of the contract using a standard XML format. This can be achieved either directly by the customer or by raising a Support Ticket to our Service Desk requesting the export.

All data stored in the Tenant Portal and the associated Enterprise Service Bus is cleaned down and removed as part of the contract end process in line with our GDRP responsibilities. Similarly all secure keys and user accounts that were used as part of delivering the service will be deactivated and removed.

Where there is a VPN connection in place to provide connecting to back office systems at the Housing Association, this will also be disconnected and any connection details removed.

If necessary, a 12-month audit history of the Tenant Portal and the ESB can also be provided as part of the transfer out of the service although this is provided at an additional cost.
End-of-contract process The ability to export custom content (including modified page content, images and portal user details) at the end of the contract is included within the cost of the Tenant Portal. If the customer requires our team to perform this function, that will require the use of a Support Ticket.

Also within the standard cost of the Tenant Portal is the deactivation and cleansing of the Enterprise Service Bus (in line with our GDRP responsibilities). All secure keys and user accounts that were used as part of delivering the service will be deactivated and removed. Where there is a VPN connection in place to provide connectivity to back office systems at the Housing Association, this will also be disconnected and any connection details removed.

Should there be any DNS entries or TLS/SSL keys in existence that were created as part of the service, these will be either transferred to the customer or repointed at no extra cost. If this needs to happen more than once, an additional cost will be incurred.

There will be an additional cost incurred if a 12-month audit history of the Tenant Portal and the ESB is required as part of the transfer out of the service.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are no functionality differences between the mobile and desktop service.

The portal has been designed using responsive web-design in a 'mobile first manner' - this means that the same web content is presented to users in a style that is appropriate for the form factor of the device that they are using.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing The portal has been validated against the WCAG 2.0 AA standards, and has been successfully tested with the Browsealoud web screen reader assistive technology.

Browsealoud is not included as standard within the licence cost, but can be added to the portal at an additional cost.

The portal contains customer configurable and editable components and content. Although the editors for these components are designed to create accessible content by default, it is important that accessibility remains a consideration when editing content so that the appropriate levels of accessibility can be preserved.
What users can and can't do using the API The Tenant Portal has a RESTful API that can be used to create, update and modify content within the portal - this includes pages, users and similar data. This is accessible to customers once provided with the appropriate security credentials.

The Tenant Portal also includes an Enterprise Service Bus (ESB) which provides a strategic integration platform between the Tenant Portal and back office systems such as housing, asset management, finance and CRM.

The ESB can be used for other integration requirement that are not related to the Tenant Portal. This provides our customers with a strategic integration platform for their own integration requirements.

In order to use the ESB for other integration requirements means integrating to its API. The API is a secure interface through which events, commands and data can be sent and retrieved from those back office systems. The ESB's API is a RESTful API by default, but can also be presented using other technologies such as SOAP if required.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The colour, logo and branding (main title, copyright etc.) of the Tenant Portal can be styled to meet each individual customer's design needs.

The Tenant Portal also comes ready built with content and forms. Our customers are able to alter this standard content through the online editor so that it is line with that organisation's relevant policies and procedures. Forms can also be configured to add or remove fields, validation rules or logic flows.

Customers are able to create or remove entire sections of the Tenant Portal if necessary and to modify the navigation used by the portal. We have also provided areas of the Tenant Portal that are always unique for each customer and therefore do not come pre-populated (for example news and events).

Other customisations that are possible through configuration is the manner in which the included Enterprise Service Bus (ESB) is configured to interact with the Housing Association back office systems. Customisations include which systems are involved in particular interactions, the manner in which information flows between systems and the format of the information contained in those information flows.


Independence of resources The Tenant Portal and associated Enterprise Service Bus are created using Amazon Web Services (AWS) micro-services and associated compute power.

The service is monitored using a number of metrics including the overall performance of the platform, and scales through the addition of compute power and storage to meet the ongoing demand requirements of the platform. As such, each customer's demand on the service does not impact any other customer.


Service usage metrics Yes
Metrics types We provide a suite of web metrics including page views, browser/mobile platform access types and demand volumes by date/time. We are also able to provide details of browsing habits of users.

The Tenant Portal includes an Enterprise Service Bus which has its own suite of metrics to monitor its performance and successful operation. Errors pushing or retrieving data from a customer's back office systems are logged and monitored and any connectivity issues or data inconsistencies are reported so that they may be resolved promptly.
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All custom content (which includes modified page content, images and portal user details) can be extracted using a standard XML format. This can be achieved either directly by the customer or by raising a Support Ticket to our Service Desk requesting the export.

Our service is GDPR-compliant. Tenant's information can be extracted in a standard format to transfer to other organisations at the tenant's request. The tenant can also request that their details are 'forgotten'. This functionality works for the portal and for other systems connected by the Enterprise Service Bus.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The Tenant Portal and Enterprise Service Bus have an uptime and availability guarantee of 99.5%. Should the service fall below this guarantee over any continuous three month period, service credits will be issued to the value of three times the duration of any downtime experienced.

In many circumstances, in order for services to be delivered via the Tenant Portal will require that certain customer-managed back office systems are available, working and ready to receive requests via the Enterprise Service Bus (ESB). Where this is not the case, the ESB will queue up messages which will be passed to the systems in question when they come back online.

In the case where back office systems required to deliver a given service are not available, not functioning as expected or are not available to receive requests, this may result in a degradation of the service delivered to the tenant. Such circumstances, when outside the control of Cloud40, will not be eligible for service credits.
Approach to resilience The Tenant Portal and Enterprise Service Bus (ESB) are both developed and hosted using Amazon Web Services (AWS) technology. AWS is designed as an inherently secure, resilient and performant service with high uptime guarantees.

Within AWS, the Tenant Portal is built and implemented using fault-tolerant and resistant techniques. Specifically, the Web Servers are load balanced and split across different AWS Availability Zones and databases are clustered (again split across different AWS Availability Zones).

The Tenant Portal also utilises a number of 'serverless microservices' provided by AWS to increase resilience. These microservices are delivered in a highly reliant manner as standard by AWS, and we use these components to benefit from this resilience as well as their performance and scalability.

Where the service is reliant on other external systems (such as the ESB being reliant of back office systems often hosted by third-parties or the customer directly) resilience has been designed into the core system from the outset. For example, in the case of the ESB, this was achieved by designing the service in line with the Enterprise Integration Patterns (EIPs) to provide an asynchronous and reliable messaging platform.
Outage reporting Outages and other significant platform issues are reported to our customers via our Service Centre which is available online with the appropriate login credentials.

The Service Centre can be configured to send email notifications to interested parties when new information is made available, and therefore our customers can configure their own email alerts on system outages as needed.

The Service Centre also provides a history of service uptime, any outages and issues that are tracked for the systems as a whole which are available to any customers using our service and Service Centre. Where underlying issues have been identified, these are recorded in the Service Centre with details of the resolution or workaround that we have put in place, and details of when a longer term fix will be made available (if appropriate).

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels The service is built and deployed on Amazon Web Services (AWS) and leverages the security and access controls provided by AWS. Access to individual components of the solution is governed by Identity and Access Management (IAM) and the one-time Secret Access Key that was generated to provide access to the servers is stored securely on Cloud40 servers and also backed up in a secure location.

Access to servers and APIs is controlled via a management Secret Access Key, and any access that our customers require to services is securely provided and controlled by a further set of Secret Access Keys.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes We have documented information security policies and processes that all employees of Cloud40 (and any subcontractors that we may work with from time to time) are governed by. These are available to customers on request.

Key points of those policies and processes are:
- All staff or third-parties who have access to sensitive data and information are within the scope of the policies
- The scope of the policies cover all electronic and paper based information whether sourced from a customer or generated directly
- Overall Information Security responsibility resides with the Information Security Officer who is a member of the board
- Reviews, and spot checks are regularly performed to ensure adherence to policies and identify any areas where policies may need to be updated
- An anonymous whistle-blower capability is available for any staff member or third-party to raise concerns regarding behaviours that they do not believe meet either the defined policy or good working practices
- Serious breaches in policy or process will result in disciplinary action for those involved which can include dismissal or criminal prosecution

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The Tenant Portal and Enterprise Service Bus are built and hosted on Amazon Web Services (AWS), and we use AWS procedures and systems to control configuration and change management using DevOps practices.

Components are held under version control and are candidates for release once they pass the full suite of automated and manual tests which include security and performance tests. The automated deployment process is triggered by a senior architect, and deploys to each web server individually before they are reintroduced to the server farm. Updates are either committed or rolled back depending on the success of post deployment tests.
Vulnerability management type Supplier-defined controls
Vulnerability management approach In addition to penetration testing, we apply patches and updates for software components as they become available. We subscribe to the information feeds of our product vendors for notifications of updates.

Our target for deploying security related patches and updates is within a week of them becoming available. We use a suite of automated tests for our systems that allows us to test the impact of patches and updates in our test environments before they are deployed. Our deployment process allows us to immediately rollback any changes as a result of a patch or update that has adverse effects.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use automated monitoring, alerting and incident management support tools. Our tools monitor common hacking or other suspicious activity and blocks access from the source of the suspected threat. An audit log of suspicious activity is maintained for subsequent review, and so that any necessary system changes can be made as a result.

Our systems have failsafe methods to reduce the impact of malfunctioning software. These include special test messages that are periodically sent through the Enterprise Service Bus to ensure its core functions continue to function correctly. These test messages do not impact customer data in any way.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents are reported and managed via our online Service Centre. Incident reports are updated and available by accessing the Service Centre which also provides the history of previous reports. The Service Centre has a common area for incidents that are relevant to all of our customers.

Our software has failsafe components that monitor for malfunction or downtime. In situations where these occur, we have a rapid response process to isolate faulty components and return the platform to an operational state. Occurrences of these events are logged in the Service Centre with resolution targets and updates for all customers to view.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10000 per instance per year
Discount for educational organisations No
Free trial available Yes
Description of free trial A fully featured version of the Tenant Portal is available as a free of charge 30-day trial.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document
Return to top ↑