Headless Content Management System (CMS), API-first content platform
Flotiq is a headless Content Management System (CMS) which provides an easy-to-use interface for working with content and designing data models and a powerful API for programmatic access to data.
The API-first approach to content management makes it easy to build fast and secure websites and content-based applications.
Features
- Data modelling, easy to use interface to define data models.
- Dynamic API automatically generated based on defined data models.
- Dynamic API documentation generated based on defined data models.
- High-performance content API able to handle thousands of records.
- Enterprise integration support, API-gateway compatibility, message bus support.
- Powerful full-text search engine.
- RESTful and GraphQL API interface.
- Easy-to-use web-based interface for content editors.
- Extensible workflows.
- Cloud-agnostic, highly available architecture supporting Amazon AWS, Azure and others.
Benefits
- Store different kinds of content - text, documents, media.
- Easily build and publish API-based microservices, without coding.
- Easily integrate content with other systems.
- Ability to publish content to any kind of media (omni-channel).
- Enhanced security controls - auditing, versioning, access control.
- Reduces development time for content-based systems and apps.
- Define and publish dedicated APIs and documentation using OpenAPI standards.
- Define workflows for different types of content.
- Deliver content via APIs in a fast and secure way.
- Easily manage access scope and permission levels.
Pricing
£300 to £2,000 an instance a month
- Education pricing available
- Free trial available
Framework
G-Cloud 12
Service ID
206969467738005
Contact
CodeWave
Andrew Partyka
Telephone: 0747 656 28 44
Email: hello@codewave.eu
Service scope
- Software add-on or extension
- No
- Cloud deployment model
-
- Public cloud
- Private cloud
- Hybrid cloud
- Service constraints
-
Required system maintenance is scheduled in off-business hours.
A weekly 1-hour service window is allocated; if the window is to be used, the client is informed with 7-day notice.
- System requirements
-
- Firefox/Chrome latest versions, Internet Explorer 11, Safari, Opera, Microsoft Edge
- Hardwired broadband/wireless LAN connection, 3G connections dependent on reception/mobile coverage
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
4 hours for critical support requests during normal working hours,
8 hours for non-critical support requests during normal working hours.
Weekend support and shorter response times available at extra cost.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 A
- Web chat accessibility testing
- WCAG testing conducted by third-party web chat SaaS platform.
- Onsite support
- Yes, at extra cost
- Support levels
-
Basic support, included in price:
- Helpdesk: 9am to 5pm (UK time) Monday to Friday (excluding bank holidays)
- Hosting support: 8am to 6pm (UK time) Monday to Friday (excluding bank holidays)
- Tickets can be logged 24/7
Out of hours support response (extra cost - see pricing document): 24/7
Service Delivery Manager will be assigned and direct contact will be provided.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
In order to help users start using Flotiq CMS we provide the following:
- online training,
- user manuals,
- developer documentation,
- developer tutorials,
- demonstration videos,
- starter applications available through Github,
- onsite training at an extra cost.
- Service documentation
- Yes
- Documentation formats
- HTML
- End-of-contract data extraction
-
When off-boarding the Client will be provided with an export of all the data stored in the system in a JSON format.
Any files uploaded to the system will be provided in a ZIP archive.
- End-of-contract process
- At the end of contract the Customer will obtain exports of all their content and files that have been stored in the system.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari 9+
- Opera
- Application to install
- No
- Designed for use on mobile devices
- No
- Service interface
- No
- API
- Yes
- What users can and can't do using the API
-
The API interface provides means to define new data models, author content and interact with content already stored in the system. The API supports typical verbs for operations like create/read/update and delete as well as batch import endpoints and powerful content filtering methods.
The API also provides a full-text search engine, which allows querying the content in the system using natural language and also supports:
- powerful query result aggregation,
- custom search result ranking modifiers (e.g. field and word boosting)
- geographical queries.
The API can be accessed either through a RESTful interface or through a GraphQL one.
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
System users with an appropriate role can customize the API by designing their own data models. Once a new model is defined in the system, the API is automatically extended with additional endpoints to interact with content of that type. The system API documentation is automatically updated as well, which makes it easy to define and share content as an API across different teams and systems. A full API specification is also generated using the OpenAPI standard, for maximum interoperability and to simplify integrations.
Workflows can be customized through the API and attached to different content models. For example, the system is capable of supporting separate content types for news articles and employment records, each of which can have its own workflow assigned.
Scaling
- Independence of resources
- The service will be hosted on a single-tenant Virtual Machine instance in public (or private) cloud. The resources will not be shared with other users.
Analytics
- Service usage metrics
- No
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2012
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- No
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- The data can be exported at any time using the system's API, in JSON format.
- Data export formats
- Other
- Other data export formats
- JSON
- Data import formats
- Other
- Other data import formats
- JSON
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
Guaranteed Availability: Up to 99.999%
If unscheduled downtime occurs, causing the availability to drop below the agreed performance level, the monthly charge is reduced by 5% for each full percentage below the agreed level, up to a maximum of 100%.
- Approach to resilience
-
In case the service is deployed to Azure or AWS datacentres - the datacentre resilience is provided by the respective cloud operator.
In case of private cloud (or on-premise) deployment, details are available on request.
- Outage reporting
- The service is fully managed and monitored in real-time by a team of engineers. In case of unplanned outages the Customer will receive e-mail notification immediately after an incident is discovered.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- Dedicated link (for example VPN)
- Username or password
- Other
- Other user authentication
-
The API access is guarded using API keys and tokens. Users can define their own API keys and assign access levels to individual content collections stored in the system.
For example:
- API key for read-only access to the course catalog,
- API key for read-only access to the course catalog and read-write access to employee attendance.
The administrative interface of the system can be integrated with Active Directory or OAuth-based identity providers. Multi-factor authentication can be enforced.
- Access restrictions in management interfaces and support channels
-
Access restrictions in the management system rely on a role-based access control.
During onboarding the Customer defines a role-mapping table which includes the named individuals' usernames and roles. User accounts are then set up for the listed individuals. If the system is integrated with an external identity service, e.g. Active Directory, a group-to-role mapping is defined.
Access to support channels is granted to named individuals during onboarding.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- PCC Cert
- ISO/IEC 27001 accreditation date
- 18/10/2019
- What the ISO/IEC 27001 doesn’t cover
-
Only the development of the Content Management System is covered by the ISO 27001 certification.
For the platform hosting, we rely on the ISO 27001 certification of the cloud providers (AWS, Azure).
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
- Cyber Essentials
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
Every employee is expected to apply the security policies established within the company and to cooperate with their supervisors on proper implementation of the security controls.
Security incidents are reported using company internal systems and investigated with highest priority, with Security Officer's mandatory supervision.
Regular reviews of the security policies and controls are made with top-level management involvement.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Change control process implemented in our organization requires a formal Change Request statement with proper justification and approvals. Security impact assessment is a standard part of every Change Request, as required by our ISO-27001 implementation. Changes are also assessed in terms of business impact and potential performance implications.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Our implementation of the ISO-27001 standard involves current monitoring of security threats and vulnerabilities disclosed in all software components used in the final Content Management System. Critical security weaknesses are addressed immediately and non-critical patches are deployed on a weekly basis.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Our intrusion monitoring is based on
- intrusion detection system deployed on the virtual machines supporting the system
- application log monitoring
- system log monitoring.
Once an intrusion is detected, the team immediately isolates the system and redeploys a new system instance in order to minimize downtime. The isolated system is investigated to determine the attack vector in order to increase the security and prevent future incidents.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Security incident management approach is defined as part of our implementation of ISO-27001. Incidents can be reported by Customer's employees (users) through our ticketing system or by our staff using the same method. Incident reports are provided in PDF format as attachments to the original incident reports.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £300 to £2,000 an instance a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- A free trial is possible, with limited duration and limited number of objects stored in the system.
- Link to free trial
- https://flotiq.com