GoCardless Direct Debit payments

GoCardless is the UK’s leading Direct Debit provider, enabling over 20,000 organisations to take recurring payments however and whenever they want to.

In government, our clients include the DVSA, the Cabinet Office, as well as Peterborough, Harrow and South Kesteven Councils.

Other customers include the Guardian, Thomas Cook and Virgin.


  • Online, phone and paper customer signup forms.
  • No setup costs or fees for cancellations, failures or chargebacks.
  • Flexible payments; collect on any day of the month.
  • Take one off payments, or setup subscriptions.
  • Access to industry leading API including webhooks and client libraries.
  • Connect using pre-built integrations billing and CRM systems, including Jadu.
  • Bacs approved and ISO27001 certified, FCA regulated.
  • Pay only for successful transactions.
  • Real-time notification of failed or cancelled payments.
  • Ability to retry failed payments.


  • Streamline your business systems with our off-the-shelf integrations, including Jadu.
  • Build your own custom integration with our industry-leading API.
  • Improve customer experience: simple online sign-up form, no paperwork.
  • Reduce churn: no more expired/cancelled credit cards and failed payments.
  • Less admin: automated payment collection and real-time payment status notifications.
  • Save time with automatic renewals: no more chasing repeat payments.
  • Improve customer support: instant notifications on payment failures and cancellations.
  • Reduce payment failure rates with automatic bank account verification checks.
  • Hassle free compliance: off-the-shelf online payment pages and email notifications.
  • Own branded payment flow: option to customise payment pages/email notifications.


£0.10 to £0.60 per transaction per month

Service documents

G-Cloud 9




020 8338 9537


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to GoCardless has over 100 off-the-shelf integrations with Accounting, Billing and CRM systems.
Cloud deployment model Public cloud
Service constraints Very occasionally we have scheduled downtime for important database work. Customers are notified via email well in advance of this.
System requirements Access to the internet

User support

User support
Email or online ticketing support Email or online ticketing
Support response times All customer support emails are responded to within 1 business day
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Our Support Team is based in London and provides phone and email support from Monday to Friday 9 am to 6 pm. This support is provided as standard to all customers, free of charge. We also provide additional specialist technical support for our API users - also free of charge.

Larger customers and those using our Pro package are also assigned a dedicated account manager to support their requirements.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started GoCardless offers the following help to customers getting started with our service:
- Account set up guided steps in the GoCardless Dashboard
- Getting started section including tutorials and videos by topic in the GoCardless Support Centre: https://support.gocardless.com

- Guide to getting started with building an API integration: https://developer.gocardless.com/getting-started
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction - Extract customer/mandate data via the 'bulk change' process of migrating your customers' mandates from GoCardless to another Direct Debit provider (free of charge)

- Run and export to Excel payment and mandate reports (including dates, amounts and other historic information regarding payments taken, payments attempted, mandates setup and any additional customer information, such as unique reference numbers).
End-of-contract process There is no minimum contract for our standard plan as the fees are per transaction with no fixed payment. For our Plus and Pro plans there is a 30 day rolling contract

To cancel the contract, simply email your Account Manager, or our Support Team on help@gocardless.com, requesting your account to be terminated.

The contract will then be cancelled 30 days post this notice, and fees will discontinue beyond this point.

There are no cancellation fees, and no other associated fees with cancelling the service.

We will 'bulk change' / migrate your customers from GoCardless to another Direct Debit provider at the point of service termination for free, if required.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The GoCardless website is responsive to ensure it can be used across all devices.
Accessibility standards None or don’t know
Description of accessibility The GoCardless platform provides an API to allow you to build our payment capability into your overall customer facing solution. You are free to build your website and applications to address these standards. Separately, we are working to ensure our public-facing website and account admin interface meet these standards.
Accessibility testing The GoCardless platform provides an API to allow you to build our payment capability into your overall customer facing solution. You are free to build your website and applications to address these standards. Separately, we are working to ensure our public-facing website and account admin interface meet these standards.
What users can and can't do using the API The GoCardless API allows you to create a custom integration connected to your existing software in the way that you want to.
To use our API, customers sign up for a GoCardless account and create an access token which provides access to our API.
Requests can then be submitted to our API by providing this access token when sending an HTTP request.
GoCardless provides clear API documentation, pre-built code samples for popular programming languages and a free sandbox testing environment. We also provide free technical support for any questions.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation GoCardless allows you to create a fully customised payment solution. Our modern API enables you to build a custom integration into your existing business systems. This customised solution includes:

1. Own brand payment pages and end customer notification emails.

2. Your name on the customer's bank statement.


Independence of resources We rate-limit the number of API requests for each merchant. All merchants have the same requests limit (we don't provide merchants with custom rate limits / everyone has the same level of the service).


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Merchant end users can export their payment and mandate creation reports to an Excel file.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability We have an SLA for platform availability, with the top level of availability being 99.9%. We provide provide service credits in the result of it not being met, on a sliding scale.
Approach to resilience Available on request
Outage reporting Updates in live time are available at:

Merchants are notified via email in advance for scheduled outages.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Admin users need to be on company VPN;
Infrastructure access is also under VPN and on a per user basis.
Access restriction testing frequency At least every 6 months
Management access authentication Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certification Europe (UK) Ltd
ISO/IEC 27001 accreditation date 23/09/2016
What the ISO/IEC 27001 doesn’t cover .
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Security work is coordinated by a designated group of managers and specialists which meets quarterly to assess the effectiveness of ongoing internal audits and security risk management. It is formed of individuals from different business functions, the majority being engineering staff. Progress is periodically reported to the Chief Product and Technology Officer. A security performance report is submitted annually to the CEO and the senior management team for review.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Technical changes and their impact on security are evaluated as part of the project scoping and delivery workflow. Mandatory peer reviews of code and technical stability is evaluated through unit and integration testing.
Code and configuration files are managed using Github for version control, shared ownership and code review.
Software changes are integrated continuously including automated evaluation of code quality and running of unit and integration tests.
All urgent security patches are applied immediately and other updates as soon as reasonably practical.
Business and compliance changes are evaluated as part of routine weekly senior management meetings and quarterly Board meetings.
Vulnerability management type Undisclosed
Vulnerability management approach We use a third party.

GoCardless applies all urgent security patches immediately and applies other updates as soon as reasonably practical.
Protective monitoring type Supplier-defined controls
Protective monitoring approach In the event of a serious incident, GoCardless will inform affected merchants and partners without undue delay, providing a summary of the extent, expected impact and status of the incident. Details for contacting GoCardless about that incident will be communicated with that information. Status updates will follow at regular, frequent intervals to be determined on the day.
Incident management type Undisclosed
Incident management approach A team of experienced site reliability engineers is responsible for responding to technical and security incidents, and they follow a pre-defined process. The duty engineer role rotates weekly and the designated engineer is available to respond 24/7. Additional members of the team, including engineering managers can be contacted in the event of a particularly complex incident. Users can report issues via our normal support channels.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.10 to £0.60 per transaction per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑