Novacroft Reward & Recognition Platform

Our Reward & Recognition Platform encourages and rewards certain behaviours and activities among target groups of people, including fitness, volunteering, e-learning and using sustainable transport, and provides administrators with a suite of reporting analytics to monitor trends in health and wellbeing of citizens.


  • Activity capture for fitness, volunteering, e-learning and sustainable travel choices
  • Allows user to set activity baseline & goals
  • Data analytics reporting suite showing behaviour shift
  • Gamification through leaderboards and badges
  • Customisable with customer branding
  • Service user/gamification leaderboard
  • Prize draws and rewards for achieving goals
  • Bespoke event calendar
  • Responsive web application


  • Cost effective
  • Highly flexible and configurable
  • Quick to set-up and brand
  • Easily integrated with 3rd party CRM/CMS systems
  • Guarantee uptime and performance levels
  • New feature roadmap guarantees evolution and innovation


£0.10 to £2 per unit per year

  • Free trial available

Service documents


G-Cloud 11

Service ID

2 0 8 3 9 5 6 6 7 7 7 9 9 5 2



David Oladiran

07826 357 910

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Our service is an extension to the following software services: CRM Service, Smart Card Personalisation and Print Services, Digital Print Services, Call Centre Services, Payment Gateway Services, Identity Checking and Document Verification Services.
Cloud deployment model
Private cloud
Service constraints
Subject to agreed planned maintenance
System requirements
PC, tablet or mobile web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Immediate automatic response and OLA of resolution within 2 business days dependent on complexity.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Support levels
Our support levels include 99.5% System uptime and Service Desk availability 24/7/365 for contracted customers, access to a Novacroft Account Manager is also available for contracted customers. For members of the public, there is a call centre available 8am-8pm, 7 days a week as an optional extra costed service.
Support available to third parties

Onboarding and offboarding

Getting started
We provide on-site and online training as well as user documentation.
Service documentation
Documentation formats
End-of-contract data extraction
No data extraction is performed as no data resides within the web portal itself. The web portal typically interfaces to a back-end system, for example a CRM, data extraction would therefore be performed from within that CRM.
End-of-contract process
Access to the web portal would terminate through the removal of any hosting and networking resources which enabled the access.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile service will have a responsive interface which ensures an optimum experience on smaller screens.
Service interface
Description of service interface
The service is accessed using a web browser. APIs are also available for core functionality.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
As part of our development and test cycle, we use the following browser plugins: Wave, SiteImprove, Axe.
What users can and can't do using the API
The service provides RESTful API for all core functionality. The API service is set up by the back office team at contract agreement. Users of the APIs are IP whitelisted and must call a security service to be issued with a security token for use with all subsequent service calls.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The web portal can be configured in numerous ways, including: custom fields, field selection lists, data validation, business rules, workflow and branding. We also provide bespoke software changes chargeable at our standard rates.


Independence of resources
Novacroft’s cloud hosting environment utilises container orchestration and management systems and can be easily scaled to meet the demands of our customers. All cloud infrastructure is fully monitored and has 24x7x365 support by Novacroft’s technical teams.


Service usage metrics
Metrics types
We provide service metrics as part of a standard monthly service review report which includes output from Google Analytics and our own uptime monitoring information.

Customers also have access to an personalised administrator dashboard which gives real time information on citizen usage, wellbeing, activity levels, time spent exercising or volunteering, attendance at community or charity events and performance against personal goals.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
No direct data export is available through the web portal, contracted customers using our CRM can export data through the reporting component or bespoke bulk data exports can also be requested.
Data export formats
Other data export formats
CSV data can be exported from the associated CRM.
Data import formats
Other data import formats
CSV data can be imported into the associated CRM.

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Novacroft’s CRM is provided on a 99.5% SLA with service credits applied when SLA thresholds are breached.
Approach to resilience
Novacroft host our services in 2 geographically separate data centres with full replication and failover capabilities.
Outage reporting
In the rare event of an incident, our customers are made aware within 24 hours, with an incident report issued within 5 working days. A service-impacting incident is reported within 2 hours.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Our web portal is public user facing and therefore has no management interface.
Access restriction testing frequency
At least once a year
Management access authentication
Description of management access authentication
Our web portal is public user facing and therefore has no management interface.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Certification is company wide.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
October 2018
What the PCI DSS doesn’t cover
Certification covers our e-commerce and call centre services.
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
ISO 27001, ISO 9001, ISO 14001, PCI V3.2

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
As part of our focus on continuous improvement, Novacroft operates its own change management process where changes are reviewed and assessed at regular Business Impact Assessment (BIA) sessions, these are then prioritised, scheduled and implemented with full tracking and management across the lifecycle. Independent release documents and signoff is also applied.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Novacroft manages vulnerabilities through the use of LogRhythm, Sophos and Threat2Alert to monitor security violations in realtime. We perform quarterly ASV scans via Nettitude, quarterly internal internal scans via Qualys and annually Nettitude perform full external penetration scans. Patches are applied monthly and our realtime monitoring tools and regular scans help identify all potential threats.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use LogRhythm, Sophos and Threat2Alert to monitor our systems in realtime. We have 24x7 internal and 3rd party support teams who respond to text and email alerts immediately on any potential compromise being identified.
Incident management type
Supplier-defined controls
Incident management approach
Novacroft has a well established ISO9001-aligned Incident Management Process, all incidents are centrally recorded via a dedicated email within one hour of being reported. Incidents are alerted to key internal teams and tracked via an incident manager through to resolution. Full incident reports are sent to customers and third parties and regular updates are issued to internal and external stakeholders through to closure.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£0.10 to £2 per unit per year
Discount for educational organisations
Free trial available
Description of free trial
30 days access to Test Environment for evaluation purposes

Service documents

Return to top ↑