Forfront Limited

e-shot™ email marketing

e-shot™ is a secure email marketing platform trusted by a number of government organisations to deliver branded communications. With a user-friendly and fully accessible interface e-shot gives you extensive campaign and contact management tools along with integration and analytics capabilities.

Features

• Email marketing
• SMS marketing
• Contact management and segmentation
• Forms and preference centre
• Dynamic content and personalisation
• Deliverability tools
• Integrations and API
• Campaign reporting and analytics

Benefits

• Single view of contact data and interactions
• GDPR-compliant contact and preference management
• Intelligent campaign segmentation and targeting
• Easily design responsive, accessible emails
• Optimised deliverability for public sector communication
• Extensive reporting and analytics
• Manage multiple brands or departments through one interface
• Integrate with other key business systems
• Send via official domains: gov.uk, nhs.uk, police.uk

£199 a licence a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at daniel.hare@forfront.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

341066174260367

Contact

Daniel Hare
020 3320 8777
daniel.hare@forfront.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Hybrid cloud
• Service constraints: We always proactively inform our customers of any scheduled maintenance or if there is an issue affecting the services both by e-mail and on the e-shot™ dashboard. In the case of peak time traffic overload, we apply contingency in the form of intelligent delivery procedures in order to protect the reputation of our customers’ domains and IPs.
• System requirements: Requires internet access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our Customer Success team will respond promptly during standard support hours. Monday - Friday, 8:30am - 6pm. Median first response time (Jan - June 2020) 3m 15s. Median time to close (Jan - June 2020) 1h 30m. Out of office hours support is also available for critical issues. Our team proactively monitor our systems 24/7.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: We have not systematically undertaken testing of this nature
• Onsite support: Yes, at extra cost
• Support levels: All of our customers have access to remote support through our Customer Success team who deal with a full range of issues including technical support, training, advice, account management and administration. ; ; Support is provided on the same basis to all customers and priority is given to issues that prevent a customer from using the software to complete a time sensitive task. Remote support is inclusive in all of our software subscriptions and we also provide proactive support to ensure customers can derive maximum benefit from using our solutions. Should a support requirement be deemed as consultancy, then additional charges may apply. ; ; Our Customer Success team is backed up by our technical teams including Infrastructure, Deliverability and Development. Technical Account Management is provided by the Customer Success team and Cloud Support is provided by our Infrastructure team who continually monitor our solutions and solve issues proactively.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Personal training via screen share and telephone. Additional online resources available with training videos and documentation. Ongoing Customer Success team on hand to provide the personal touch, all included.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Platform caters for all data export via user interface. You can export all contact data via csv files or use the API to export all data.
• End-of-contract process: All data, reports and templates are available for extraction up until the date of leaving without charge. Once deadline has been reached, account is closed and archived. After this period the account will be deleted from the system and only an archived back up copy will be kept for the period required by data protection guidelines

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Email and campaign authoring is only available on desktop service.; ; Mobile service is restricted to reporting and analytics.
• Service interface: No
• API: Yes
• What users can and can't do using the API: E-shot has a REST API that is accessible over HTTPS. API access is granted by a API key that can be restricted to specific sub-accounts and IP addresses where necessary. API key requests must be submitted by an authorised administrator via our support system. The appropriate login credentials are then supplied to the client who will use these credentials in all API requests made to e-shot™. Further documentation detailing the functionality available for the APIs can be found at: https://www.e-shot.net/assets/pdf/rest_api_guide.pdf. The REST API has full read and write capabilities over the main entities including contacts, campaigns, sources, groups and website activity.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: E-shot™ can be customised extensively to accommodate different needs with control over user management, branding, templates and sending identities. e-shot™ can also be set up into sub-accounts so that different organisational units can have their own customisations. Each e-shot™ sub-account can be white-labeled by a customer to have their own logo that appears on the UI and reports sent by the system. Individual users can customise reporting and analytics and certain elements of the UI. From an API perspective, customisation is extremely versatile with e-shot™ functions built into third party systems on a bespoke basis where needed.

Scaling

• Independence of resources: The e-shot platform is housed on its own infrastructure in a secure UK data centre with scalable architecture and a significant headroom.; ; Each client data is stored on a separate database dedicated to the client.

Analytics

• Service usage metrics: Yes
• Metrics types: All interactions are tracked and reported in real time. Data is written to both the Campaign Report and the individual Activity Log of each contact.; ; Graphical presentation of opens, clicks, forwards, unsubscribes and bounces of every email campaign you send.; ; Build and save custom reports that can be configured with all the power of a SQL query from within our user interface. Saved custom reports can then be run with a single click and shared throughout your organisation.; ; All service usage metrics are also available via API integration.
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Via user interface, API or integration
• Data export formats:
  • CSV
  • Other
• Other data export formats: Via API or integration
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Excel
  • Via API or integration

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The platform operates a 99.9% availability with scheduled maintenance windows out of hours. Customers are immediately informed if there is an issue affecting services via e-mail and platform notification. If it is a high or crisis priority issue, the customers will be periodically updated with the status. All the time frames above are based on the working hours schedule 09:00 – 18:00 Monday to Friday excluding Public Holidays. Please refer to Forfront Service Level Agreement.pdf for full details.
• Approach to resilience: High availability architecture
• Outage reporting: Outages detected by our monitoring systems result in 24/7/365 notifications to the Operations Team. They would triage and if necessary escalate these issues.; ; Clients are notified in the dashboard and by email to the client's authorised administrator . Details of cause and mitigation available on request.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Username and password.; ; Restriction based on IP can be implemented upon request.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: E-shot™ platform in Datacentre is accessed via dedicated/permanent Site to Site VPN only from office. This Site to Site VPN is protected by 3DES & AES128 encryption and 3DES & SHA1 authentication with pre-shared key. Access via this Site to Site VPN is further restricted at user level to only authorised personnel by 3rd party software with encrypted username password.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: We are Cyber Essentials Compliant. We have implemented DevOps processes and practices. The website adheres to the OWASP standards for web security. ; ; Only tested code is promoted from Development to UAT to Production via use of automated deployment system. It is not possible for code to be promoted to Production without first going to the Development and UAT environments. ; ; We review our implemented policies annually.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Ges requested to a system are written up into a UAC driven change request specification document, with supplied estimates for delivery. This takes into consideration standards agreed with the client; e.g. OWASP. ; ; The deliverable components of a specification are created as tasks in our issue tracking system and assigned to a SPRINT delivery. Code changes are checked-in against a task to provide an audit that will be reviewed and tested.; ; Only the release management team can promote software to public facing environments. This is carried out using an automated delivery platform.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Issues encountered by users of the system go to first line support who will triage the issue. Issues encountered by the application or monitoring facilities are triaged by the Operations Team. These issues can be received by: Text, Phone, Web Chat or Email.; ; Triaging takes into consideration the impact of an issue according to our definitions associated with Critical, High, Medium and Low priority issues.; E.g. Critical issues are where the system is unusable or cannot be used to carry out critical business functions and no work around exists.; ; The following is a link to our SLA:; http://www.forfront.com/ClientSupport/pdf/forfrontSLA.pdf
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Firewall logs and application notifications are monitored and Forfront can respond quickly to any incidents. Cloud security services including WAF OSWAP and DDoS protection.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Users may report incidents by phone, email or via chat. Once escalated, we have incident management processes which cover roles and responsibilities for incident handling. Updates will be usually be provided to affected customers in real time. Details of cause and mitigation are available on request to authorised administrator contacts.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £199 a licence a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at daniel.hare@forfront.com. Tell them what format you need. It will help if you say what assistive technology you use.