Digital Patterns Limited

FormIO Form and API as a Government Service

FormIO is a Form API Management platform. It enables web application developers to rapidly create the Forms using a simple drag-and-drop form builder interface. These forms generates a JSON schema that is used to both dynamically render the forms and automatically generate corresponding API's to receive the data upon submission.


  • Dynamic Form Building
  • Form Validation API
  • Serverless
  • GDS Scheme Compatible


  • Rapid Form Design
  • Integrated API
  • Embeddable within existing applications
  • Server and Client side validation
  • Data Component abstraction
  • oAuth2 Compliant
  • GDS Notify Compatible
  • 365 & Google Integration


£1000 per unit per month

Service documents


G-Cloud 11

Service ID

3 5 4 6 3 1 4 3 5 3 0 9 3 5 8


Digital Patterns Limited

Mark Olliver & Amin Mohammed-Coleman


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to This can be embedded into any current software service or used as part of our Cloud Workflow platform offering.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints This solution can run on any hardware currently supporting Docker, or native Linux environments.
System requirements N/a

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Next business day
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Our Core support hours are 9am till 5pm Monday to Friday excluding UK Bank Holidays and UK Public Holidays. Additional Support times or training can be negotiated upon request. We have three general support packages available billed for an unlimited number of issues per month. Bronze is ticket only 12 hour response time support - £1,000 Silver is ticket support with optional phone response, response within 4 hours - £5,000 Gold is dedicated ticket support with phone number and an account manager, response within 30 minutes - £20,000 We have two additional optional support options for dedicated extended support both include ticket and phone support with a dedicated account manager and response times within 30 minutes. (per month) Platinum is 6am till 10pm Seven Days a week - £110,000 Rhodium is 24x7 - £150,000
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Provide online resource
Provide on premise training
Provide consultancy and architectural overview of how to use the service
Email/Chat integration
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction There is an API that allows you to extract all the Form Schema's at any point in time.
Data submitted using the form is not persisted within the service. Form submissions are stored with the client side services.
End-of-contract process Included within the termination of contract is removal of all client forms from any live and test systems.
For an additional fee we can provide a export of the Forms in Json format.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No Difference
Service interface No
What users can and can't do using the API The API allows users to embed the form schema inside their applications.
The API can be used to create new forms without using the drag and drop interface
The API allows you to validate form submissions before persisting or sending the data downstream/upstream.
Users must be authenticated and authorised before using the API
Access control can be applied at different parts of the form.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation If embedding the form schema inside an application, users can customise the look and feel of the form using standard CSS. Users can use bootswatch to override themes.


Independence of resources This is an auto scaling stateless platform, as such the needs of one user will not affect that of another. Should users require additional performance guaranties then for an additional fee private instances can be launched.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold FormIO LLC

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach No data other than Form templates are held within the system and all templates are exportable via the API.
Data export formats Other
Other data export formats Json
Data import formats Other
Other data import formats Json

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Response times are measured using the supplier’s support ticketing system, which tracks all issues from initial reporting to resolution.
It is vital the client raises every issue via this system. If an issue is not raised in this way, the guaranteed response time does not apply to that issue.
If the supplier fails to meet a guaranteed response, a penalty will be applied in the form of a credit for the client.
This means the following month’s fee payable by the client will be reduced on a sliding scale.
The level of penalty will be calculated depending on the number of hours by which the supplier missed the response time, minus the downtime permitted by the SLA:
P1 - 5% of total monthly fee
P2 - 2% of total monthly fee
P3 - 1% of total monthly fee
Approach to resilience Our platform uses multi zone environments, kubernetes with stateless services and resilient datastore. Further information is available on request.
Outage reporting There is a service status dashboard which allows for subscribe able email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Whitelist
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security Governance is subjected to code reviews, best practice and is open to be reviewed at anytime by clients.
Information security policies and processes Our company is small and all security events are notified to the whole team via secure methods.
Our Directors are fully responsible for acting on all security events.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our services follow CI/CD with Sonarqube introspection. All code being pushed to live is subjected manual peer review and signed by GPG commits.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We subscribe to the standard industry vulnerability lists as well including all those provided by our upstream vendors. Upon notification of a vulnerability we access the potential impact and take the appropriate action.
If possible we will automatically rebuild patching any service, test through our CI pipeline and deploy. Should this not be possible we will look at the best mitigation options.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Identification of potential compromises will be via dynamic monitoring off logs and traffic types.
Each service can be assigned its own DNS end point which can be repointed / or allocated as required.
Upon notification and identification of the incident.
Incident management type Supplier-defined controls
Incident management approach All incidents should be reported as tickets to our ticket management system. From there they will be reviewed by one of our directors and the appropriate actions taken.
Clients can request to see a copy of all incident reports which will be provided in PDF format.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £1000 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑