FormIO Form and API as a Government Service
FormIO is a Form API Management platform. It enables web application developers to rapidly create the Forms using a simple drag-and-drop form builder interface. These forms generates a JSON schema that is used to both dynamically render the forms and automatically generate corresponding API's to receive the data upon submission.
- Dynamic Form Building
- Form Validation API
- GDS Scheme Compatible
- Rapid Form Design
- Integrated API
- Embeddable within existing applications
- Server and Client side validation
- Data Component abstraction
- oAuth2 Compliant
- GDS Notify Compatible
- 365 & Google Integration
£1000 per unit per month
3 5 4 6 3 1 4 3 5 3 0 9 3 5 8
Digital Patterns Limited
Mark Olliver & Amin Mohammed-Coleman
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||This can be embedded into any current software service or used as part of our Cloud Workflow platform offering.|
|Cloud deployment model||
|Service constraints||This solution can run on any hardware currently supporting Docker, or native Linux environments.|
|Email or online ticketing support||Yes, at extra cost|
|Support response times||Next business day|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Our Core support hours are 9am till 5pm Monday to Friday excluding UK Bank Holidays and UK Public Holidays. Additional Support times or training can be negotiated upon request. We have three general support packages available billed for an unlimited number of issues per month. Bronze is ticket only 12 hour response time support - £1,000 Silver is ticket support with optional phone response, response within 4 hours - £5,000 Gold is dedicated ticket support with phone number and an account manager, response within 30 minutes - £20,000 We have two additional optional support options for dedicated extended support both include ticket and phone support with a dedicated account manager and response times within 30 minutes. (per month) Platinum is 6am till 10pm Seven Days a week - £110,000 Rhodium is 24x7 - £150,000|
|Support available to third parties||Yes|
Onboarding and offboarding
Provide online resource
Provide on premise training
Provide consultancy and architectural overview of how to use the service
|End-of-contract data extraction||
There is an API that allows you to extract all the Form Schema's at any point in time.
Data submitted using the form is not persisted within the service. Form submissions are stored with the client side services.
Included within the termination of contract is removal of all client forms from any live and test systems.
For an additional fee we can provide a export of the Forms in Json format.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||No Difference|
|What users can and can't do using the API||
The API allows users to embed the form schema inside their applications.
The API can be used to create new forms without using the drag and drop interface
The API allows you to validate form submissions before persisting or sending the data downstream/upstream.
Users must be authenticated and authorised before using the API
Access control can be applied at different parts of the form.
|API documentation formats||
|API sandbox or test environment||No|
|Description of customisation||If embedding the form schema inside an application, users can customise the look and feel of the form using standard CSS. Users can use bootswatch to override themes.|
|Independence of resources||This is an auto scaling stateless platform, as such the needs of one user will not affect that of another. Should users require additional performance guaranties then for an additional fee private instances can be launched.|
|Service usage metrics||No|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||FormIO LLC|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||In-house|
|Protecting data at rest||Encryption of all physical media|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||No data other than Form templates are held within the system and all templates are exportable via the API.|
|Data export formats||Other|
|Other data export formats||Json|
|Data import formats||Other|
|Other data import formats||Json|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
Response times are measured using the supplier’s support ticketing system, which tracks all issues from initial reporting to resolution.
It is vital the client raises every issue via this system. If an issue is not raised in this way, the guaranteed response time does not apply to that issue.
If the supplier fails to meet a guaranteed response, a penalty will be applied in the form of a credit for the client.
This means the following month’s fee payable by the client will be reduced on a sliding scale.
The level of penalty will be calculated depending on the number of hours by which the supplier missed the response time, minus the downtime permitted by the SLA:
P1 - 5% of total monthly fee
P2 - 2% of total monthly fee
P3 - 1% of total monthly fee
|Approach to resilience||Our platform uses multi zone environments, kubernetes with stateless services and resilient datastore. Further information is available on request.|
|Outage reporting||There is a service status dashboard which allows for subscribe able email alerts.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Whitelist|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Security Governance is subjected to code reviews, best practice and is open to be reviewed at anytime by clients.|
|Information security policies and processes||
Our company is small and all security events are notified to the whole team via secure methods.
Our Directors are fully responsible for acting on all security events.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Our services follow CI/CD with Sonarqube introspection. All code being pushed to live is subjected manual peer review and signed by GPG commits.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We subscribe to the standard industry vulnerability lists as well including all those provided by our upstream vendors. Upon notification of a vulnerability we access the potential impact and take the appropriate action.
If possible we will automatically rebuild patching any service, test through our CI pipeline and deploy. Should this not be possible we will look at the best mitigation options.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Identification of potential compromises will be via dynamic monitoring off logs and traffic types.
Each service can be assigned its own DNS end point which can be repointed / or allocated as required.
Upon notification and identification of the incident.
|Incident management type||Supplier-defined controls|
|Incident management approach||
All incidents should be reported as tickets to our ticket management system. From there they will be reviewed by one of our directors and the appropriate actions taken.
Clients can request to see a copy of all incident reports which will be provided in PDF format.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£1000 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|