Headless Content Management System (CMS), API-first content platform

Flotiq is a headless Content Management System (CMS) which provides an easy-to-use interface for working with content and designing data models and a powerful API for programmatic access to data.

The API-first approach to content management makes it easy to build fast and secure websites and content-based applications.


  • Data modelling, easy-to-use interface to define data models.
  • Dynamic API automatically generated based on defined data models.
  • Dynamic API documentation generated based on defined data models.
  • High-performance content API able to handle thousands of records.
  • Enterprise integration support, API-gateway compatibility, message bus support.
  • Powerful full-text search engine.
  • RESTful and GraphQL API interface.
  • Easy-to-use web-based interface for content editors.
  • Extensible workflows.
  • Cloud-agnostic, highly available architecture supporting Amazon AWS, Azure and others.


  • Store different kinds of content - text, documents, media.
  • Easily build and publish API-based microservices, without coding.
  • Easily integrate content with other systems.
  • Ability to publish content to any kind of media (omni-channel).
  • Enhanced security controls - auditing, versioning, access control.
  • Reduces development time for content-based systems and apps.
  • Define and publish dedicated APIs and documentation using OpenAPI standards.
  • Define workflows for different types of content.
  • Deliver content via APIs in a fast and secure way.
  • Easily manage access scope and permission levels.


£300 to £2,000 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

206969467738005


CodeWave Andrew Partyka
Telephone: 0747 656 28 44

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Required system maintenance is scheduled in off-business hours.
A weekly 1-hour service window is allocated; if the window is to be used, the client is informed with 7 days' notice.
System requirements
  • Firefox/Chrome latest versions, Internet Explorer 11, Safari, Opera, Microsoft Edge
  • Hardwired broadband/wireless LAN connection, 3G connections dependent on reception/mobile coverage

User support

Email or online ticketing support
Email or online ticketing
Support response times
4 hours for critical support requests during normal working hours,
8 hours for non-critical support requests during normal working hours.

Weekend support and shorter response times available at extra cost.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
WCAG testing conducted by third-party web chat SaaS platform.
Onsite support
Yes, at extra cost
Support levels
Basic support, included in price:

- Helpdesk: 9am to 5pm (UK time) Monday to Friday (excluding bank holidays)
- Hosting support: 8am to 6pm (UK time) Monday to Friday (excluding bank holidays)
- Tickets can be logged 24/7

Out of hours support response (extra cost - see pricing document): 24/7

Service Delivery Manager will be assigned and direct contact will be provided.
Support available to third parties

Onboarding and offboarding

Getting started
In order to help users start using Flotiq CMS we provide the following:
- online training,
- user manuals,
- developer documentation,
- developer tutorials,
- demonstration videos,
- starter applications available through Github,
- onsite training at an extra cost.
Service documentation
Documentation formats
End-of-contract data extraction
When off-boarding, the Client will be provided with an export of all the data stored in the system in JSON format.
Any files uploaded to the system will be provided in a ZIP archive.
End-of-contract process
At the end of the contract, the Customer will obtain exports of all their content and files that have been stored in the system.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
The API interface provides means to define new data models, author content and interact with content already stored in the system. The API supports typical verbs for operations like create/read/update and delete as well as batch import endpoints and powerful content filtering methods.

The API also provides a full-text search engine, which allows querying the content in the system using natural language and also supports:
- powerful query result aggregation,
- custom search result ranking modifiers (e.g. field and word boosting)
- geographical queries.

The API can be accessed either through a RESTful interface or through a GraphQL one.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
System users with an appropriate role can customize the API by designing their own data models. Once a new model is defined in the system, the API is automatically extended with additional endpoints to interact with content of that type. The system API documentation is automatically updated as well, which makes it easy to define and share content as an API across different teams and systems. A full API specification is also generated using the OpenAPI standard, for maximum interoperability and to simplify integrations.
Workflows can be customized through the API and attached to different content models. For example, the system is capable of supporting separate content types for news articles and employment records, each of which can have its own workflow assigned.


Independence of resources
The service will be hosted on a single-tenant Virtual Machine instance in public (or private) cloud. The resources will not be shared with other users.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The data can be exported at any time using the system's API, in JSON format.
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Guaranteed Availability: Up to 99.999%

If unscheduled downtime causes availability to drop below the agreed performance level, the monthly charge is reduced by 5% for each full percentage point below the agreed level, up to a maximum of 100%.
Approach to resilience
If the service is deployed to Azure or AWS datacentres, datacentre resilience is provided by the respective cloud operator.

For private cloud (or on-premise) deployments, details are available on request.
Outage reporting
The service is fully managed and monitored in real time by a team of engineers. In case of unplanned outages, the Customer will receive an e-mail notification immediately after an incident is discovered.

Identity and authentication

User authentication needed
User authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
The API access is guarded using API keys and tokens. Users can define their own API keys and assign access levels to individual content collections stored in the system.

For example:
- API key for read-only access to the course catalog,
- API key for read-only access to the course catalog and read-write access to employee attendance.

The administrative interface of the system can be integrated with Active Directory or OAuth-based identity providers. Multi-factor authentication can be enforced.
Access restrictions in management interfaces and support channels
Access restrictions in the management system rely on role-based access control.

During onboarding the Customer defines a role-mapping table which includes the named individuals' usernames and roles. User accounts are then set up for the listed individuals. If the system is integrated with an external identity service, e.g. Active Directory, a group-to-role mapping is defined.

Access to support channels is granted to named individuals during onboarding.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
PCC Cert
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Only the development of the Content Management System is covered by the ISO 27001 certification.
For the platform hosting, we rely on the ISO 27001 certification of the cloud providers (AWS, Azure).
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Every employee is expected to apply the security policies established within the company and to cooperate with their supervisors on proper implementation of the security controls.

Security incidents are reported using company internal systems and investigated with the highest priority, under the Security Officer's mandatory supervision.

Regular reviews of the security policies and controls are made with top-level management involvement.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The change control process implemented in our organization requires a formal Change Request statement with proper justification and approvals. A security impact assessment is a standard part of every Change Request, as required by our ISO-27001 implementation. Changes are also assessed in terms of business impact and potential performance implications.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our implementation of the ISO-27001 standard involves ongoing monitoring of security threats and vulnerabilities disclosed in all software components used in the final Content Management System. Critical security weaknesses are addressed immediately and non-critical patches are deployed on a weekly basis.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our intrusion monitoring is based on:
- an intrusion detection system deployed on the virtual machines supporting the system,
- application log monitoring,
- system log monitoring.
Once an intrusion is detected, the team immediately isolates the system and redeploys a new system instance in order to minimize downtime. The isolated system is investigated to determine the attack vector in order to improve security and prevent future incidents.
Incident management type
Supplier-defined controls
Incident management approach
The security incident management approach is defined as part of our implementation of ISO-27001. Incidents can be reported by the Customer's employees (users) through our ticketing system or by our staff using the same method. Incident reports are provided in PDF format as attachments to the original incident reports.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£300 to £2,000 an instance a month
Discount for educational organisations
Free trial available
Description of free trial
A free trial is possible, with limited duration and a limited number of objects stored in the system.
Link to free trial
