exeGesIS Spatial Data Management


FlyMapper is the national fly-tipping monitoring and recording system for Scotland and Wales. Now available in England and Northern Ireland, FlyMapper allows organisations to accurately record and analyse fly-tipping patterns and target resources accordingly.


  • National spatial representation of fly-tipping
  • Integration with CRM software through FlyMapper API
  • Real-time notification of incidents
  • Free app download for Bring Your Own Device (BYOD) users
  • Uses mobile phone GPS to locate incidents
  • Integrated management reporting, including costs, fines and enforcement actions
  • Offline mapping available for use when out of signal range
  • Heat map displays hotspots of incidents
  • Incidents filtered by size, type, status, organisation or electoral ward
  • Weekly notifications of incidents requiring attention


  • Allows targeting of resources towards identified hotspots
  • Intuitive design means that no specialist training is required
  • Comprehensive cross-border coverage
  • Unlimited users can register per organisation
  • App works on most mobile devices
  • Website works on most popular browers
  • Use reports to inform stakeholders and other interest groups
  • System users decide on annual upgrade new features
  • Partnership project managed by stakeholder organisations
  • Flexible scalable hosting arrangements, including Azure; secure backup and recovery


£885.65 to £2605.00 per licence per year

Service documents


G-Cloud 11

Service ID

3 3 5 8 5 3 5 1 1 7 2 2 7 1 6


exeGesIS Spatial Data Management

Jon Young

01874 711145


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements
  • FlyMapper Web requires Chrome, Firefox, or IE 11 or higher
  • Mobile minimum OS: Android 6.0 or iOS 11

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 24 hours, Monday to Friday.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Support is available from a dedicated FlyMapper consultant with developer support from 09:00 to 17:00 hours Monday to Friday, excluding public holidays and 27th-31st December at a standard rate agreed with the client. Technical support is normally provided immediately, or within a maximum response time of 24 hours. The user is informed if the timescale for resolution will be longer.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Webinar training provided to client administrators. Call-off support available during standard working hours. Documentation integrated into website and app. Full user guide and administrator guide available for download from website.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Client can download all data at any time via website export. All data recorded by clients returned at no extra cost at end of contract period as standard.
End-of-contract process On termination all licences will immediately terminate. The supplier will deliver to the client all data in its most recent form (whether or not backed up) and all other property of the client then in its possession. There is no charge for returning data.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service FlyMapper Mobile is the mobile app component of FlyMapper and is used to record and update incidents in the field. It integrates with FlyMapper Web, which allows recording, reporting and analysis of incidents. Each country has a separate FlyMapper website that is used by relevant local authorities and national agencies. Incidents in FlyMapper Web are visible to all local authorities, thus facilitating joined up management, but the ability to edit incidents is restricted to the authority in which they occur. Private organisations can also use FlyMapper to record and manage incidents, providing a much fuller regional picture than otherwise possible.
Service interface No
What users can and can't do using the API The API can be used to import data from client CRM into FlyMapper. Configuration work required between client and supplier. Access and editing rights are managed via client setting user privileges
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Custom map layers can be added for each user organisation, choice of base mapping, various filters to show data according to user requirements.


Independence of resources Generally we only run one user on a Virtual Machine which allows us to ring fence appropriate resources for the Virtual Machine. We also have a number of monitoring systems in place to monitor both the response times of the systems (e.g. a web request) and also the performance of the hardware - both virtual and physical. This systems send out alerts if they detect a problem.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Hosting may be provided by us or Microsoft Azure.

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach CSV export function on website.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks We generally don't allow clients networks to connect to ours. Access is either via web browsers or SSL gateway. New client server setups would all support TLS 1.2 providing the client was capable. We also lock to client IPs wherever possible.
Data protection within supplier network
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network Access is also restricted to known company IP addresses.

Availability and resilience

Availability and resilience
Guaranteed availability The Supplier will ensure that FlyMapper is “Fully Available for Use” for at least 99% of the total number of minutes in each Month. “Fully Available for Use” means that both FlyMapper Web and FlyMapper Mobile are available to users, including access to, viewing of and submitting of data via the central server and the ability to apply filters and run reports via the website. The supplier will arrange all such additional resources as are reasonably necessary to correct any failure as early as practicable.
Approach to resilience Power and internet feeds are duplicated provided to us by the datacentre. We run dual firewalls in an Active / Passive setup. We have duplicate HyperV servers so a Virtual Machine could quickly be started on another server in the event of hardware failure of the Hyper V server. Virtual Machine storage is backed up to separated storage.
Outage reporting We report on an (independently hosted!) status page also available as RSS feed. We can also arrange for emails from our various monitoring systems to be sent direct to clients if they wish.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Management interfaces and support channels are restricted to authenticated users (username and password over https).
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication We use restricted IP addresses for all management access.

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SGS United Kingdom Ltd
ISO/IEC 27001 accreditation date 28/02/2017
What the ISO/IEC 27001 doesn’t cover The certificate covers our hosting infrastructure, not FlyMapper itself or any operations undertaken by us outside of the hosting infrastructure, such as data preparation, etc.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach All new staff are made aware of company polices relating to security governance. Checks are made on systems and processes to ensure these are being adhered to.
Information security policies and processes We have an individual hosting manager who is responsible for security of our hosting infrastructure, who reports to the board. Internal policy documents ensure staff can reference required procedures. Policies are set by discussion with board and hosting manager.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change management is in accordance with our ISO9001 certified Quality Management System. Changes to production systems are made by Product Consultants with the necessary expertise. All changes on production systems are documented in advance with details of what is to be changed, assessment of impact/downtime, assessments of risk and mitigation measures, communications plan, and roll-back plan, reviewed and signed off by the relevant Server/Service Manager before proceeding. Following implementation, all changes are stored in the change log. Changes with significant impact and/or risk are made in a test environment first, subject to contract and agreement with the client.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Firewall monitors intrusion attempts / suspicious activity. Our systems are patched with all MS security patches normally within a few days of their release. Potential threat information is from the web and email subscription to various relevant industry websites.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Firewall monitors and logs intrusion attempts / suspicious activity. Alerts set if detected. Depending on service provided, customer logons can be reported on. We would aim to act on any suspicious activity within 24 hrs
Incident management type Supplier-defined controls
Incident management approach Internally defined process allows for preventative measures (such as blocking IP ranges if suspicious activity detected), our provider can provide additional DDOS filtering. If users have an issue they can alert their company contact who will escalate it to our infrastructure manager if they can't deal with it themselves. Any incidents would be reported on our server hosting status page. If the incident was significant for a particular user we would contact them directly.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £885.65 to £2605.00 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Full access to mobile & website services, including hosting & backup. Time limited to 12 weeks. Data returned to client if contract is not taken up.
Link to free trial https://england.flymapper.org/

Service documents

Return to top ↑