Digital Patterns Limited

FormIO Form and API as a Government Service

FormIO is a Form API Management platform. It enables web application developers to rapidly create the Forms using a simple drag-and-drop form builder interface. These forms generates a JSON schema that is used to both dynamically render the forms and automatically generate corresponding API's to receive the data upon submission.


  • Dynamic Form Building
  • Form Validation API
  • Serverless
  • GDS Scheme Compatible


  • Rapid Form Design
  • Integrated API
  • Embeddable within existing applications
  • Server and Client side validation
  • Data Component abstraction
  • oAuth2 Compliant
  • GDS Notify Compatible
  • 365 & Google Integration


£1000 per unit per month

Service documents


G-Cloud 11

Service ID

3 5 4 6 3 1 4 3 5 3 0 9 3 5 8


Digital Patterns Limited

Mark Olliver & Amin Mohammed-Coleman


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
This can be embedded into any current software service or used as part of our Cloud Workflow platform offering.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
This solution can run on any hardware currently supporting Docker, or native Linux environments.
System requirements

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Next business day
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our Core support hours are 9am till 5pm Monday to Friday excluding UK Bank Holidays and UK Public Holidays. Additional Support times or training can be negotiated upon request. We have three general support packages available billed for an unlimited number of issues per month. Bronze is ticket only 12 hour response time support - £1,000 Silver is ticket support with optional phone response, response within 4 hours - £5,000 Gold is dedicated ticket support with phone number and an account manager, response within 30 minutes - £20,000 We have two additional optional support options for dedicated extended support both include ticket and phone support with a dedicated account manager and response times within 30 minutes. (per month) Platinum is 6am till 10pm Seven Days a week - £110,000 Rhodium is 24x7 - £150,000
Support available to third parties

Onboarding and offboarding

Getting started
Provide online resource
Provide on premise training
Provide consultancy and architectural overview of how to use the service
Email/Chat integration
Service documentation
Documentation formats
End-of-contract data extraction
There is an API that allows you to extract all the Form Schema's at any point in time.
Data submitted using the form is not persisted within the service. Form submissions are stored with the client side services.
End-of-contract process
Included within the termination of contract is removal of all client forms from any live and test systems.
For an additional fee we can provide a export of the Forms in Json format.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No Difference
Service interface
What users can and can't do using the API
The API allows users to embed the form schema inside their applications.
The API can be used to create new forms without using the drag and drop interface
The API allows you to validate form submissions before persisting or sending the data downstream/upstream.
Users must be authenticated and authorised before using the API
Access control can be applied at different parts of the form.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
If embedding the form schema inside an application, users can customise the look and feel of the form using standard CSS. Users can use bootswatch to override themes.


Independence of resources
This is an auto scaling stateless platform, as such the needs of one user will not affect that of another. Should users require additional performance guaranties then for an additional fee private instances can be launched.


Service usage metrics


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
No data other than Form templates are held within the system and all templates are exportable via the API.
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Response times are measured using the supplier’s support ticketing system, which tracks all issues from initial reporting to resolution.
It is vital the client raises every issue via this system. If an issue is not raised in this way, the guaranteed response time does not apply to that issue.
If the supplier fails to meet a guaranteed response, a penalty will be applied in the form of a credit for the client.
This means the following month’s fee payable by the client will be reduced on a sliding scale.
The level of penalty will be calculated depending on the number of hours by which the supplier missed the response time, minus the downtime permitted by the SLA:
P1 - 5% of total monthly fee
P2 - 2% of total monthly fee
P3 - 1% of total monthly fee
Approach to resilience
Our platform uses multi zone environments, kubernetes with stateless services and resilient datastore. Further information is available on request.
Outage reporting
There is a service status dashboard which allows for subscribe able email alerts.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Security Governance is subjected to code reviews, best practice and is open to be reviewed at anytime by clients.
Information security policies and processes
Our company is small and all security events are notified to the whole team via secure methods.
Our Directors are fully responsible for acting on all security events.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our services follow CI/CD with Sonarqube introspection. All code being pushed to live is subjected manual peer review and signed by GPG commits.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We subscribe to the standard industry vulnerability lists as well including all those provided by our upstream vendors. Upon notification of a vulnerability we access the potential impact and take the appropriate action.
If possible we will automatically rebuild patching any service, test through our CI pipeline and deploy. Should this not be possible we will look at the best mitigation options.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Identification of potential compromises will be via dynamic monitoring off logs and traffic types.
Each service can be assigned its own DNS end point which can be repointed / or allocated as required.
Upon notification and identification of the incident.
Incident management type
Supplier-defined controls
Incident management approach
All incidents should be reported as tickets to our ticket management system. From there they will be reviewed by one of our directors and the appropriate actions taken.
Clients can request to see a copy of all incident reports which will be provided in PDF format.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£1000 per unit per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑