GatenbySanderson Ltd

GatenbySanderson 360 degree feedback system for feedback and development

Highly customisable online 360 feedback questionnaire, for participants and their nominated reviewers. Automated individual reports with benchmarks, plus organisational aggregate outputs. Use your behavioural content or GatenbySanderson’s proprietary Altitude leadership model for public sector leaders / executives. Use for individual or group leadership development/ audit, talent management, performance appraisal, coaching.


  • Bespoke fully managed 360 platform assessing your behaviours, values, competencies
  • Or use our extensively researched public sector leadership excellence model
  • Exceptionally flexible and customisable content, reporting and functionality
  • Multi-rater feedback 24/7: manager, reports, peers, external stakeholders, others
  • Contributors pre-set and uploaded, or nominated by the reviewee
  • Real-time organisational and individual reports featuring benchmarks
  • Branding options available with video content where required
  • Fully managed UK-based service with automated email invitations and reminders
  • High browser compatibility: desktop, tablet and mobile responsive/optimised
  • Specialist support via account manager, email / telephone helpdesk


  • Enhance leadership capability audits, coaching, talent/ development/ succession planning
  • Grounded in extensive, continuous research benchmarking public sector leadership success
  • Exceptional capacity to customise, tailored to your requirements cost-effectively
  • No licence fee: fully managed service with clear pricing
  • Drives behavioural change through self-awareness and understanding strengths and weaknesses
  • Tailored aggregate reporting supports strategic organisational / HR planning needs
  • Guaranteed anonymity of responses supports open feedback, enhances developmental outcomes
  • Enhanced completion rates: 24 hour remote access, mobile optimised/ compatible
  • Convenient, rapid access to reports; unique, secure GDPR compliant delivery
  • Optional psychologist support designing content or facilitating feedback / coaching


£39 to £79 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

2 3 1 6 9 4 1 0 7 0 9 8 1 8 0


GatenbySanderson Ltd Charlotte Jourdon
Telephone: 07530 578920

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
We keep service down-time to a minimum. For scheduled server maintenance, we display a prominent banner on all our websites, advising of maintenance for a minimum of 24 hours prior, and schedule maintenance for out-of-hours (generally after 11pm). We plan ahead to ensure we identify maintenance windows and timeframes that avoid or minimise client or user disruption.
System requirements
A modern web-browser with javascript enabled

User support

Email or online ticketing support
Email or online ticketing
Support response times
9 to 5.30 (UK time), Monday to Friday, within a few days, typically within 24 hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We can offer a varied level of support depending upon the client requirements. This could relate to configuration options, customisation requirements or assistance relating to execution of activity. We provide a technical account manager and prices over and above our standard offering will be a cost per hour basis, dependent upon the seniority of personnel required. Many aspects of support are included in our standard fees, as outlined in our pricing document.
Support available to third parties

Onboarding and offboarding

Getting started
An account manager and project coordinator are assigned to each new client project. The project plan will include the process for launch, and we will work with you to ensure that all communications from both us and you are aligned. Configuration requires limited input from the client; your account manager will discuss configuration options with you and provide a test link for your approval once set up. The platform is intuitive and no training is required for those completing the 360. Telephone / online helpesk support is available to all completing the 360. If required, at additional cost, we can run sessions to meet your needs, such as: training your internal team in feedback of 360; orientating individuals to the reports and how to make best use of them; or our psychologists / coaches can facilitate 360 feedback sessions for you. Post launch, the account team are available to answer any questions or provide support to ensure successful implementation of the system.
Service documentation
End-of-contract data extraction
At the end of any contract, we can provide CSV files of relevant data. Individuals can request copies of personal reports for tools where that is applicable. Where individual data is required to be deleted, we retain anonymous, aggregate data for benchmarking and reporting purposes.
End-of-contract process
At the end of the contract, we remove user access to the system and can provide CSV data as required, as well as a copy of any website content. There is no charge for this service. Individual users can still access their dashboards (and any personal reports delivered there) but will not be able to access the 360.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Uses a responsive-html design that scales and re-layouts the design for mobile and tablet users.
Service interface
Customisation available
Description of customisation
We offer a wide range of customisation options.

Our white label product comes with our own set of standard 'Altitude' questions, with many customisation options as standard. We will discuss your requirements at project set-up and implement changes.

Options include; selection of question levels/competencies from the Altitude model; creation of bespoke 360 using your own question content; mapping of your behavioural/values frameworks to Altitude; email content; all wording throughout; client logo/branding; labels for/addition of contributor categories; setting minimum contributor numbers; adding cohort benchmark on reports; rating scales and descriptions; timing/schedule for reminder emails; customisation of reports; add organisation-specific 'biodata' questions to track organisational patterns on the factors that matter to you (i.e. grade / department etc).

Many customisation options are included as standard. Please see pricing document for more details.


Independence of resources
We review each project to gauge expected load and determine whether separate server(s) are required or whether a shared server is more cost effective for the client. We routinely monitor the performance of server(s) and take appropriate action to negate any potential disruption.


Service usage metrics
Metrics types
Our managed service and dedicated account team can provide real-time information on completion rates for both participants and their reviewers (not started / started / completed) and nomination rates (i.e where individuals are expected to nominate their own reviewers, whether they have done so and whether they have met any agreed minimums set).
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Data submitted by participants and contributors can only be accessed and/or modified by themselves or within our administration system (requiring a username and password). Passwords are encrypted with bcrypt hashing; Other data is not encrypted due to reporting and analytics requirements. The RDS is encrypted at rest
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Participant data can be exported as CSV files.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our service commitment is 99.9% during office hours. If we fail to reach this level, we would consider the impact upon the client business and agree a level of compensation based upon refunding monthly subscription charges
Approach to resilience
Daily backups of the RDS are taken daily and retained for 30 days. Our deployment process is also automated so in the event of failure we are able to restore environments in a short period of time. Our service is also monitored to detect any suspicious activity or high traffic volumes.
Outage reporting
For any outages, we would promptly contact affected clients by telephone or email (depending on time and severity). Public notification would be via our twitter account, and if possible our website(s).

Once an outage has been resolved we will investigate the cause and provide an explanation of what happened, with a timeline, and what changes we will be making to avoid a similar outage in future.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
We have a separate internal administration system, currently this is username/password based (with password strength enforced with 'zxcvbn'). Some parts of the system currently require a signed client-side certificate to view.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials + Certified

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials + Certified
Information security policies and processes
We have Data Protection and Data Security Policies that form part of each employee's formal induction process as well as maintaining an ongoing risk register. We formally record when induction modules are complete. Additionally, we communicate any ongoing requirements to protect ourselves from vulnerabilities. This includes reminders about the use and care of laptops and mobiles also the importance of password security.

More formally, colleagues are warned of the potential disciplinary action of failing to adhere to these policies and procedures which could result in the termination of employment. As soon as colleagues leave the business, we terminate access rights and delete accounts.

All admin pages and logins are via HTTPS and we use HSTS and public-key-pinning to protect and warn users against attempted man-in-the-middle attacks/insecure internet connections.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change requests and bug reports are directed to defined product owners who evaluate, prioritise and document changes adding them to product backlogs, which are then scheduled into the development cycle.

Code is versioned and branched in a git repository, following the Git-Flow practice of feature branches pull-requested into a develop branch, and releases performed on the master branch. Merges into develop and master branches (and deployment to servers) are restricted to the head of development. Testing is performed on the developers' own machines (using virtual machines) and on a staging server before deployment to live servers.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We pro-actively gather information on potential threats from email subscriptions to & , along with regular checks of

New alerts are assessed for whether they affect us, For deployment we automatically apply patches to servers on a regular basis to resolve any exploits. If there is a way of mitigating against them (eg rewrite-rules, config changes) we will apply protection to the servers ourselves asap. We will then audit servers to confirm that the exploit had not been used against us.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
In terms of our web server, AWS provide us with the monitoring capabilities to monitor access to the servers and inform us immediately if they see any suspicious behaviour. We routinely audit server logins and server errors to identify suspicious behaviour.

We are registered with relevant news sites/forums that quickly identify vulnerabilities. We have a fast action response where the Head of Development will allocate and oversee resource to close off any vulnerabilities.
Incident management type
Supplier-defined controls
Incident management approach
Users report incidents via phone and email, and these are forwarded directly to the Development team. We deploy the Development team to investigate incidents, exploits or areas of vulnerability and whether a breach as occurred. Vulnerabilities are closed. We have a central breach register, which documents a formal communications plan to inform individuals, organisations and regulators of the potential compromise.
Breaches of security are formally reported at Board Level and documented in monthly board reports. Remedial action required is agreed and executed within specific timeframes. Learnings are documented and any change to best practice implemented.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£39 to £79 a unit
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.