imin platform: search & booking for physical activity

The imin platform aggregates live physical activity information (about what activities are happening in an area, number of spaces, cost etc), and provides a real-time feed of that data to any resident-facing website, creating powerful, up to date activity finder tools for local authorities to make available to residents.


  • Real time Search - live availability for physical activity
  • Real time Booking - seamless booking/payment for physical activity
  • Data Augmentation and quality enhancement
  • Advanced Search - results relevancy, type intolerance etc
  • Provider Selection - choose which providers you receive data from
  • Secure whitelabel checkout - to host on your website, GDPR-complaint
  • Whitelabel live activity Timetable - to add to any webpage


  • Deliver real time information to residents about physical activity
  • Monitor search and booking trends to improve service investment
  • Connect residents to both public and private physical activity providers
  • Enhance the search-ability of local physical activity
  • Tap into a network of public and private booking partners
  • Deliver end-to-end, measureable user journey for public health campaigns


£0 per licence per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

1 8 1 4 9 4 5 4 2 7 5 0 3 2 4



Nishal Desai


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The imin platform integrates with the booking management solutions of physical activity providers - such as those used by many leisure operators, local authorities and smaller clubs.

Local authority websites - we provide live timetable "plug-ins" for sport & leisure pages for residents to see available activities per venue
Cloud deployment model Private cloud
Service constraints The power of the platform is dependent on the booking system software in use by the local physical activity providers (such as leisure operators). Whilst imin has integrated with numerous systems (especially those part of the Government funded "OpenActive" initiative to open up more physical activity data), the imin service will be less impactful in areas where systems are in use that we have not yet integrated with.

However, we have shown in other areas that, with a local authority sponsor, we can rapidly integrate with new systems to enhance the service offering for any area.
System requirements
  • Resident-facing website (although we can provide a whitelabel)
  • Ability to create subdomains or edit existing pages (add plugins)

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Basic tier includes email support:
9am to 6pm (UK time), Monday to Friday.
Best endeavours at the weekend.

Additional support available as part of SLAs at higher tiers.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible We use a product called "Slack" to interface with our consumers. It is an online chat forum for organisations. We invite customers to join Slack, with a dedicated channel for their questions and support. Users can ask questions, query API documentation, send images / screenshots of issues, and have a history of the conversation.
Web chat accessibility testing None to date.
Onsite support Yes, at extra cost
Support levels Our standard SLA is available for customers on the "Standard Tier" of Service, and includes:

- 99.8% uptime.
- For critical issues, during standard working hours response time of up to 1 hour (generally immediate where possible).
- For all other issues, a response time of 4-8 hours during standard working hours.
- For issues outside of standard working hours, best efforts will be made to respond as soon as possible.
- If there is scheduled system maintenance that might result in a pause in the Service advanced notice will be provided with at least 5 working days’ notice.
- (Standard working hours are defined as 9am-6pm Mon-Fri excluding bank holidays)

A custom SLA (based on specific customer requirements) is available on the "Enterprise Tier" of Service.

Both Standard and Enterprise Tiers include access to a Technical Account Manager.

The cost of Standard Tier (where the standard SLA is bundled within) is from £1,250 / month (ex VAT)

The cost of Enterprise Tier (where the custom SLA is bundled within) is dependent on custom requirements and does not have a standard pricing.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Over the phone / online developer support is offered initially at Specific guidance has been created for starting a project using the APIs, as well as use case specific examples and instructions.

Further onboarding documentation provided over email, or in person / phone if using Standard Tier or above.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction For the Search API part of the Service, imin does not hold any User-owned data so there is no extraction requirement on contract termination.

For the Booking part of the Service, imin will be playing a Data Processor role, so at notice of contract termination we will inform the User to ensure they have retained and stored whatever data they require from the Service, and at contract termination date we will destroy any personal data we hold on behalf of the User.
End-of-contract process When contract termination is delivered by either party:
(a) the termination date is agreed by both parties (which is when the API key will become invalid)
(b) the User will be prompted to retrieve and separately store any Service data that they own
(c) at termination date, the API key will be invalidated and any and all personal data held by us on behalf of the User will be destroyed across our systems and sub-processor systems.

The above steps are all included in the price of all Service tiers.

If there is to be any handover to replace the imin Service with a like-for-like Service, we will provide technical resource at a pre-agreed day rate to support this process.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service For Search, the Service is delivered through a set of APIs, which provide data to a front-end application - either web or mobile. There is no difference in the Search API output or performance whether on mobile or on desktop.

For Booking, if the whitelabel Checkout is in use (a front-end flow for secure booking and payment of physical activity by a resident), the checkout has been designed to be fully responsive for any size screen device.

The whitelabel Timetable is fully responsive and is optimised for desktop and mobile screen size.
Service interface No
What users can and can't do using the API The core of the Service is itself a Search API:
(1) Users receive API keys to securely access the Search API
(2) Users are helped using online guidance, or through their account manager, to create the right API calls for the end-user journey the user is wishing to create.
(3) Any restrictions within the API (for example, based on Tier of service purchased, or for custom requirements such as only showing data from certain physical activity providers) will be set up by the imin account manager when providing the user specific API key.

Users can then autonomously make specific API calls to the service, within a set of parameters described in the API documentation, in order to best meet their use case.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Users can:
- whitelist or blacklist which physical activity providers they would like to access through the Service
- instruct imin to create custom "enhancement rules" based on the user experience being created - e.g. if the resident-facing website is aimed at inactive people, ensuring all images, text etc are suitable for motivating that demographic to engage in physical activity, as well as adding relevant tags such as "suitable for beginners" to enhance searchability by end-users
- whether the secure booking and payment whitelabel checkout is part of the user experience to be delivered
- work with a selection of our partners who have already created whitelabel activity finders integrated with the imin platform (i.e. off-the-shelf brand-able resident facing widgets or whole websites)

Users can choose their customisation during the contracting process - their account manager will present these options to them in order to set up the Service to begin with. Users can liaise with the account manager on-going if requirements change over time and customisations need updating.

The authorised main point of contact between imin and the User will be instructing the account manager about any customisations required.


Independence of resources The cloud infrastructure on which our services are built allows for simple and automatic horizontal and vertical scalability, which responds to varying load. We also have regular monitoring our service response time which allows us to proactively identify and respond to infrastructure bottlenecks. See


Service usage metrics Yes
Metrics types Search trends - number of searches, when, where.
Booking trend - number of searches, when, where, and for what.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Never
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach IASME includes provision for Physical and Environmental Protection
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The relevant data for export is any booking history related data, which can be accessed via the Service dashboard delivered to the User. They can view booking history data, and can choose to export it via CSV.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The SLA provided with the Standard Tier commits to 99.8% uptime.

There are no contractual refund obligations at present, but if uptime performance is significantly impaired in a given month then we will provide 1 month additional free usage.
Approach to resilience We have appropriate SLAs in place with each cloud infrastructure supplier in use. More detailed information is available on request.
Outage reporting We have a public dashboard at

We will also notify users via email if there is a serious outage that has the scope to effect the delivery of their own service to end-users.

We will also notify users ahead of time if there are any expected service outages due to planned maintenance work. The Standard SLA details any notice of maintenance will be sent at least 5 days before any downtime is expected.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Other
Other user authentication Users must supply correct API key credentials when making API calls to the Service.
Access restrictions in management interfaces and support channels Management interfaces / Support Channels are either restricted to email, or for monitoring dashboards a username and password is required.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Other
Description of management access authentication For internal staff, we have a centrally administered 2 factor authentication process - profiles can be denied access remotely.

For clients, they cannot directly access administrative areas of the platform - this is done by communication with their account manager who will set up API options on their behalf accordingly.

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Scheme - re-certifying now
  • IASME Governance Standard (Gold Award) - re-certifying now
  • IASME Governance Standard (GDPR Readiness Assessment) - re-certifying now

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards IMIN LTD complies with the requirements of the Cyber Essentials Scheme and achieved a Gold Award certificate of assurance confirming for the IASME Governance Standard in 2018, with an independent on-site audit (offers a similar level of assurance to the internationally recognised ISO 27001 standard). We are currently undergoing recertification.
Information security policies and processes Acceptable Use of Corporate Property (AUCP) Policy
Administrator Access Tracker
Asset Register - Information
Asset Register - Physical
Breaches of Personal Data Protocol
Bring Your Own Device (BYOD) Policy - Laptops
Bring Your Own Device (BYOD) Policy - Mobile Devices
Business Continuity Plan & Disaster Recovery Plan
Computers & Networks Management Information
Data Classification Policy
Data Privacy Approach for B2B Contacts
Data Protection Policy
Information Security Policy (including Incident Reporting Procedure)
Privacy Impact Assessment
Record of Processing Activities (Article 30 GDPR) - imin as a Data Controller
Record of Processing Activities (Article 30 GDPR) - imin as a Data Processor
Subject Access, Data Portability, or Right to Erasure Requests: Process for Response

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach 1. A System Change Request Form is filed.
2. The proposed change is described with reason for change given.
3. The impact of the change is evaluated (including priority, environment impact, resource requirement, test plan description and rollback description).
4. The change is approved or denied.
5. The change is implemented and tested.
6. The completed change is communicated.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach 1. imin uses Nessus Agent to perform vulnerability scans of BYOD and corporate devices, including reporting unsupported applications, and take immediate action to resolve any vulnerabilities detected.
2. The Company uses a combination of Detectify (penetration testing) and Synk (components with known vulnerabilities - A9 of OWASP Top 10) to detect software vulnerabilities.
3. The results of the scans and any changes made shall be reflected in the Company’s risk assessment and security policy as appropriate.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach 1. Where possible, we aggregate error and event logs from all applications, in addition to Heroku and AWS Cloudwatch native logs. We deal with each incident generated on a case-by-case basis.
2. The Company also has real-time alerts sent to the team to monitor for unacceptable activity and suspicious user behavior.
3. If high volumes, the Company will use cloud-based log analytics service such as AppDynamics.
4. The Company reserves the right to monitor systems or communications activity where it suspects that there has been a breach of policy in accordance with the Regulation of Investigatory Powers Act (2000).
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach 1. All breaches of policy and all other information security incidents are reported to the Security Officer.
2. If required as a result of an incident, data will be isolated to facilitate forensic examination.
3. Information security incidents are recorded in the Security Incident Tracker and investigated by the Security Officer to establish their cause and impact with a view to avoiding similar events. The risk assessment and relevant policies are updated, if required, to reduce the risk of a similar incident re-occurring.
4. A record is kept of all security incident investigations.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0 per licence per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Everything at the Standard Tier is included - and the trial lasts for 30 days. Typically, organisations use this tier to test out the API, building
an application or adding a Timetable to their webpage, in order to try out the service before committing to a licence.

Service documents

Return to top ↑