Tractivity Ltd

Tractivity Stakeholder Management & Consultation Software (CRM/SRMS)

Tractivity is a cloud-based, UK stakeholder engagement tool, providing functionality to manage and engage with all stakeholders through one system. Whilst maintaining GDPR compliance, Tractivity facilitates the management of every aspect of your engagement process by securely logging communications with built-in tools such as surveys, newsletters and issue management.


  • Record and track all stakeholders and engagements
  • Case management, analysis and reporting
  • Consultation reporting of qualitative and quantitative data
  • Fully customisable and easy to use
  • Built-In survey and newsletter tools
  • Event management
  • Drag and drop custom report facilities
  • Full GDPR Compliance


  • Save time and money
  • View all stakeholder interactions across a project, consultation, organisation
  • Effective management of feedback and issues raised
  • Publish branded newsletters and event invitations
  • Custom build surveys and track all responses
  • Real-time reporting
  • Dedicated account manager
  • UK based software


£10000 to £50000 per licence per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Tractivity Ltd

Mark Rutter


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Planned maintenance and emergency maintenance windows are defined within the service contract. Application Service Levels are dependent on client contract.
System requirements
  • Browsers: Chrome, IE10+, Firefox, Edge
  • Windows 7+

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Out of standard UK business hours support can be provided on request. Standard support is provided during UK business hours of 09:00- 17.30GMT (GMT +1) Monday to Friday (excluding bank holidays).
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Skype for Business opens as a new interface
Web chat accessibility testing Skype for Business accessibility
Onsite support Yes, at extra cost
Support levels Tractivity licensing comes with standard support services that can be accessed via telephone, web or email services between Monday to Friday, during normal UK business hours (09:00- 17.30pm GMT (GMT+1)).

A dedicated account manager will be assigned as part of the on-boarding process and they will maintain regular contact with the client. Monthly online refresher training sessions are also available should these be required.

Further onsite support and training may attract an additional charge.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Tractivity provides onsite training to all UK based clients as part of the standard on-boarding process. User documentation is provided for all training sessions. Further on-site follow up and online training sessions can be arranged with the client's dedicated account manager.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • DOC
  • PPTX
  • PDF
End-of-contract data extraction All data can be extracted from Tractivity by using the reporting facilities in a range of formats such as MS Excel, CSV and XML. Tractivity can also securely provide an encrypted SQL Server (.BAK) file when the contract expires as part of the secure data deletion and service shutdown process.
End-of-contract process An encrypted SQL Server (.BAK) file is transferred onto an encrypted storage device and sent to the main contact via recorded Royal Mail or courier delivery as defined within the contract.

Upon written confirmation of receipt and decryption of the data the database and backups are subjected to the secure data destruction procedure. Documentation that all the client data has been securely deleted can be provided upon request.

Bespoke data requests can be facilitated and this service will attract an additional charge which will be agreed beforehand with the dedicated account manager.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Tractivity provides a streamlined and dynamic version for Smart phones and tablets
Accessibility standards WCAG 2.0 A
Accessibility testing No testing done
Customisation available Yes
Description of customisation Most of the settings in the software are customisable - data fields, data options and mandatory data field settings can be all controlled (per project) by nominated Administrator level person(s) only.


Independence of resources We use dedicated virtualised servers configured as a private cloud (all held within the UK facilitated through VMWare and vSphere) that are shared with other Tractivity users only, all traffic is segmented and VLANed through a dedicated 1Tb facilitated through 4 diverse independent BGP TIER 1 data carriers. Disk, memory, cpu, server performance and network traffic is monitored 24/7 through our dedicated monitoring services which feeds into our automated escalation service. Client performance issues are monitored as a more granular service by individual client basis.


Service usage metrics Yes
Metrics types User level service metrics and Project level service metrics
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported using our reporting system. All data can be exported in a range of formats including as MS Excel, Word, CSV, PDF, XML or RTF.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XML
  • MS Excel
  • MS Word
Data import formats
  • CSV
  • Other
Other data import formats MS Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Our datacentre provider guarantee availability:
99.99% at the application level
99.99% at the infrastructure level

If we do not meet the guaranteed levels of availability we negotiate an acceptable outcome in terms of compensation for lost time with individual clients who are directly affected (when required).
Approach to resilience Datacentres are ISO27001 and PCI DSS compliant and provide TIER 4 (N+N) redundancy for power, supporting services and air conditioning.
At the network level active/passive failover of all connectivity networks. through > 4 diverse BGP TIER 1 data carriers.
IDS /IPS services at primary firewall perimeters
At the application:
- daily digital backups of data stored off-site
- regularly integrity tests of backup data conducted as part of backup process
- active monitoring from diverse location with 24/7 response service
- snapshots servers transferred daily to off-site failover
- warm/cold standby servers off site
Outage reporting Email alerts can be made available to clients upon request.

Internal 24/7 monitoring with alerts and escalation procedure delivered by email and SMS to Systems Administrators

Internal outage escalation and reporting procedure

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Management interfaces are restricted by role access. These restrictions are limited to Administrator level users.

Support channels are generally available to all users through our dedicated UK online facilities.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • The datacentre has ISO27001, ISO28000 and PCI DSS certification
  • Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Payment Card Industry (PCI DSS) and cyber essentials
Information security policies and processes We follow the ISO27001 and adhere to PCI DSS recommended standards.
Our Information Security Policy includes awareness, training, monitoring and review. The Information Security Policy document is reviewed annually and disseminated to staff for them to review and confirm annually. Along with supporting documents which include BCP / DR, Data Protection / GDPR, Development Standards, Breach, Secure Data Deletion and Destruction, Firewall and Change Control policies.
All information security policies and process are monitored by our Technical Director and DPO who reports directly to the Board.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We adhere to the ISO27001 change management process standards. Services are tracked through software development policy. The company follows formal policies for backup, anti-mailware, physical security, information security, data handling and change process that complies with the PCI DSS recommended standards. Service Impact and Change Notifications is controlled through email alerts to clients and dates altered by negotiation with the dedicated account manager.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability management policy in place.
Operating system patching performed monthly according to the manufacturers recommendations. Emergency patching of critical threats are evaluated by the Technical Director and deployed accordingly, the process is handled through emergency change control procedure.
At least daily threat notifications come from source vendors and recognised security sources which included but is not limited to Microsoft, Sophos, GDS Security, Prism Infosec, Webroot, ICO, PCI DSS council and NCSC.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Regular Windows server and firewall log file review in line with PCI DSS recommendations.
Log file review using heuristic tool.
Perimeter IDS/IPS monitoring.
Identified incidents managed through formal incident response plan according to PCI DSS recommendations.
Priority and resolution speed is dependent upon the incident severity.
Incident management type Supplier-defined controls
Incident management approach A formal documented incident and breach management process is in place and adheres to PCI DSS guidance and recommendations and follows IS027001 standards. It also forms part of the documented Information Security Policy which is reviewed and issued to all staff annually.
Users can report incidents via email, helpdesk ticketing system and telephone (when they will be asked to raise a support ticket for tracking purposes).
Incident reports are made available through Tractivity website and a more detailed incident report can be made available to the client by contacting their dedicated account manager.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10000 to £50000 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Access to a full version of the software along with limited support services. Certain features such as emailing and reporting will be restricted.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑