Novacroft Reward & Recognition Platform

Our Reward & Recognition Platform encourages and rewards certain behaviours and activities among target groups of people, including fitness, volunteering, e-learning and using sustainable transport, and provides administrators with a suite of reporting analytics to monitor trends in health and wellbeing of citizens.


  • Activity capture for fitness, volunteering, e-learning and sustainable travel choices
  • Allows user to set activity baseline & goals
  • Data analytics reporting suite showing behaviour shift
  • Gamification through leaderboards and badges
  • Customisable with customer branding
  • Service user/gamification leaderboard
  • Prize draws and rewards for achieving goals
  • Bespoke event calendar
  • Responsive web application


  • Cost effective
  • Highly flexible and configurable
  • Quick to set-up and brand
  • Easily integrated with 3rd party CRM/CMS systems
  • Guarantee uptime and performance levels
  • New feature roadmap guarantees evolution and innovation


£0.10 to £2 per unit per year

  • Free trial available

Service documents

G-Cloud 11



Corin Flett

07966 505387

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Our service is an extension to the following software services: CRM Service, Smart Card Personalisation and Print Services, Digital Print Services, Call Centre Services, Payment Gateway Services, Identity Checking and Document Verification Services.
Cloud deployment model Private cloud
Service constraints Subject to agreed planned maintenance
System requirements PC, tablet or mobile web browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Immediate automatic response and OLA of resolution within 2 business days dependent on complexity.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Our support levels include 99.5% System uptime and Service Desk availability 24/7/365 for contracted customers, access to a Novacroft Account Manager is also available for contracted customers. For members of the public, there is a call centre available 8am-8pm, 7 days a week as an optional extra costed service.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide on-site and online training as well as user documentation.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction No data extraction is performed as no data resides within the web portal itself. The web portal typically interfaces to a back-end system, for example a CRM, data extraction would therefore be performed from within that CRM.
End-of-contract process Access to the web portal would terminate through the removal of any hosting and networking resources which enabled the access.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile service will have a responsive interface which ensures an optimum experience on smaller screens.
Service interface Yes
Description of service interface The service is accessed using a web browser. APIs are also available for core functionality.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing As part of our development and test cycle, we use the following browser plugins: Wave, SiteImprove, Axe.
What users can and can't do using the API The service provides RESTful API for all core functionality. The API service is set up by the back office team at contract agreement. Users of the APIs are IP whitelisted and must call a security service to be issued with a security token for use with all subsequent service calls.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The web portal can be configured in numerous ways, including: custom fields, field selection lists, data validation, business rules, workflow and branding. We also provide bespoke software changes chargeable at our standard rates.


Independence of resources Novacroft’s cloud hosting environment utilises container orchestration and management systems and can be easily scaled to meet the demands of our customers. All cloud infrastructure is fully monitored and has 24x7x365 support by Novacroft’s technical teams.


Service usage metrics Yes
Metrics types We provide service metrics as part of a standard monthly service review report which includes output from Google Analytics and our own uptime monitoring information.

Customers also have access to an personalised administrator dashboard which gives real time information on citizen usage, wellbeing, activity levels, time spent exercising or volunteering, attendance at community or charity events and performance against personal goals.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach No direct data export is available through the web portal, contracted customers using our CRM can export data through the reporting component or bespoke bulk data exports can also be requested.
Data export formats Other
Other data export formats CSV data can be exported from the associated CRM.
Data import formats Other
Other data import formats CSV data can be imported into the associated CRM.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Novacroft’s CRM is provided on a 99.5% SLA with service credits applied when SLA thresholds are breached.
Approach to resilience Novacroft host our services in 2 geographically separate data centres with full replication and failover capabilities.
Outage reporting In the rare event of an incident, our customers are made aware within 24 hours, with an incident report issued within 5 working days. A service-impacting incident is reported within 2 hours.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Our web portal is public user facing and therefore has no management interface.
Access restriction testing frequency At least once a year
Management access authentication Other
Description of management access authentication Our web portal is public user facing and therefore has no management interface.

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 07/03/2019
What the ISO/IEC 27001 doesn’t cover Certification is company wide.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Nettitude
PCI DSS accreditation date October 2018
What the PCI DSS doesn’t cover Certification covers our e-commerce and call centre services.
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO 27001, ISO 9001, ISO 14001, PCI V3.2

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach As part of our focus on continuous improvement, Novacroft operates its own change management process where changes are reviewed and assessed at regular Business Impact Assessment (BIA) sessions, these are then prioritised, scheduled and implemented with full tracking and management across the lifecycle. Independent release documents and signoff is also applied.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Novacroft manages vulnerabilities through the use of LogRhythm, Sophos and Threat2Alert to monitor security violations in realtime. We perform quarterly ASV scans via Nettitude, quarterly internal internal scans via Qualys and annually Nettitude perform full external penetration scans. Patches are applied monthly and our realtime monitoring tools and regular scans help identify all potential threats.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use LogRhythm, Sophos and Threat2Alert to monitor our systems in realtime. We have 24x7 internal and 3rd party support teams who respond to text and email alerts immediately on any potential compromise being identified.
Incident management type Supplier-defined controls
Incident management approach Novacroft has a well established ISO9001-aligned Incident Management Process, all incidents are centrally recorded via a dedicated email within one hour of being reported. Incidents are alerted to key internal teams and tracked via an incident manager through to resolution. Full incident reports are sent to customers and third parties and regular updates are issued to internal and external stakeholders through to closure.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.10 to £2 per unit per year
Discount for educational organisations No
Free trial available Yes
Description of free trial 30 days access to Test Environment for evaluation purposes

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Terms and conditions
Service documents
Return to top ↑