Deloitte LLP

Location and Geospatial Planning Platform

Deloitte offers a cloud-based Location and Geospatial Advisory Platform, allowing users to combine your own data with inbuilt granular geo-coded UK-wide data on businesses, services, demographics, amenities and transport, to provide insight into your location based decision making, supported by integrated market-leading analytics and visualisation.


  • Expert supplementary location advisory available to help users apply service
  • Advanced predictive analytics engine with machine learning and artificial intelligence
  • Intuitive cloud-based user-interface and interactive visualization dashboards
  • Can be integrated with most APIs and data sources
  • Supports scenario modelling investigating impacts of estate changes
  • Supports optimisation of public estate – open, close, modify services
  • Pre-configured integration with data from CACI Acorn, Experian Mosaic, Census
  • Pre-configured integration with standard geo-data types (.shp, long/lat, Eastings/Northings)
  • Supports location based business case development and analysis
  • Deployable across secure cloud environments (AWS, Azure) and onpremis


  • Data driven insight to support strategic location decision making
  • Easy, rapid setup, scalable infrastructure, supports large cloud data volumes
  • Enterprise solution providing single-source-of-truth for location decision-making
  • Actionable insights to drive improved estate performance and cost savings
  • Supports digital analysis of structures using LIDAR data
  • Enable integration between datasets in disparate source systems
  • Support consistent Management Information (MI) and Business Intelligence (BI) reporting
  • Maximise return on public sector investment through accurate demand profiling
  • Determine accurate local funding based on true local authority need
  • Analyse future citizen infrastructure requirements from spatial market trends


£50000 to £200000 per instance per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Deloitte LLP

Toby Spanier

0207 303 0913

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Where service constraints exist of a general nature, these and any other constraints would need to be discussed with the client, based on their circumstances. This includes constraints that are specific to the client or the client’s situation, or that need to be addressed before delivery of the service. We will rely on the client to bring to our attention before any specific constraints that need to be addressed, including those that could impact on quality, service levels, costs or duration of the engagement.
System requirements
  • Internet accessibility
  • Common operating systems
  • Standard hardware compatibility

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Business hours coverage for support is 0830 – 1730 UK, Monday to Friday. Emergency callout available at all other times. Example standard response times are P1 resolution target within 60 mins P2 resolution target within 2 hrs P3 resolution target within 1 business day P4 resolution target within 5 business days. Actual response times are subject to agreement in final order.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Onsite support can be provided during the implementation of the service as part of the onboarding process. After the initial phase, onsite support will need to be agreed in advance.
Onsite support can take many forms (e.g. training or customisation), therefore we would only be able to provide further information on this once we have discussed requirements.
For onsite support we will provide the resources with the required skills (technical or otherwise) to ensure the process is run efficiently and effectively.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started During the setup of the service Deloitte will engage with identified key members of the client team who will be trained as super users. This will be carried out through on-site training including providing hands on experience, lessons learned sessions and the provision of documentation. Documentation will be provided at the necessary level, i.e. technical and user.
All users of the system will be provided with training sessions through the use of on-site Deloitte resources. These sessions will provide the knowledge required to begin using the service. The super-users will continue this training once the service has been provided. User documentation will be accessible via the service to ensure answers to common questions are readily available.
Negotiations for further training requirements or specific needs can be carried out when agreeing the project contract.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction If there are specific requirements for data extracts these can be discussed at the beginning of the contract to ensure data security and robustness are integral to this extract process.
End-of-contract process During and at the end of the contract Deloitte will engage with you to best match the specific requirements that arise. Our approach will be to ensure minimal disruption to a continued service.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 A
Accessibility testing None.
What users can and can't do using the API The software used to build this service has the native ability to use APIs. Requirements typically depend on client's needs and specific use cases. We are happy to further discuss your requirements for using APIs with the service and will aim to meet all required functionality.
API documentation Yes
API documentation formats Other
API sandbox or test environment No
Customisation available Yes
Description of customisation Deloitte aims to ensure the service matches your requirements and, as such, is willing to customise the service to allow compatibility. Aspects of the service that can be customised include:
• KPIs: The KPIs currently provided with the service can be updated to ensure the specific requirements of the client can be met
• Dashboards: Dashboards can be configured so that they reflect the requirements of the client

These items can be customised by the client initially during the requirements phase as well as at certain times in the project lifecycle e.g. after UAT.

Deloitte will initially complete all customisation, with an agreed approach for the duration of the contract on who carries out further work.


Independence of resources Through our experience of delivering solutions we recognise that periods of high traffic are common occurrences. The architecture and infrastructure of the service have been designed, built and robustly tested to ensure high concurrency rates do not impact the performance or experience of other users.


Service usage metrics Yes
Metrics types Service metrics can be provided upon agreement of several factors including:
-User logins
-Traffic volumes
-Service availability
-Maintenance timelines
-Support requests and responses


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users select inbuilt commands to export their data.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 99.9% availability (production environment) per month, excluding a period of planned maintenance.
99% availability (test and dev environments), excluding a period of planned maintenance.
Approach to resilience No single points of failure within the data centre (details available on request).
Outage reporting Outages are extremely rare and are reported manually.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels We restrict access in line with the requirements of handling personal data, agreed with the client's security and data protection officers. Details available on request
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI Assurance UK Limited
ISO/IEC 27001 accreditation date 01/04/2016
What the ISO/IEC 27001 doesn’t cover Deloitte’s accreditation is on our management of client data, in all its aspects, rather than being limited to one specific area of the firm.

This includes security policy, organisation if information security, asset management, human resources security, physical and environment security, communications and operations management, access control, IS systems acquisitions, development and maintenance, IS incident management and business continuity management.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Deloitte’s information security controls are a core element of our culture and we maintain and communicate this Information Security policy to ensure all our people have and maintain a clear understanding of what is expected of them.
Information security is delegated to the Deloitte Business Security team responsible for all IS initiatives. There is an internal dedicated Quality and Risk Management team which are the first point of contact for all advice and issues.
ISO 27001: 2005 (“Information security management systems - Requirements”) is the international standard for information security management.
All Staff and Partners have an individual responsibility to ensure their personal compliance with these policies and should seek guidance from Deloitte Business Security for further clarification if required.
There are currently 12 Policies that cover all requirements for ISO 27001: 2005 which are easily accessible and essential reading for all employees. These policies include:
1. Security Policy
2. Information Classification and Handling Policy
3. Logical Access Control Policy
4. Onboarding and Personnel Security Policy
5. Acceptable Use Policy
6. Physical Security Policy
7. System Management Policy
8. Security Incident Policy
9. Compliance and Auditing Policy
10. Business Continuity Management Policy
11. Third Party Policy
12. Confidentiality Policy

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach To manage the change process and ensure risks are mitigated we ensure change controls are in place and follow the following protocol:
1. Change request
2. Change approval
3. Plan for change
4. Test changes
5. Deliver change

All changes both to the components which make up the service and changes to the service itself will undergo this process which aims to reduce any risk of change. The review of the change will include an assessment on security, performance and functionality.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Under ISO/IEC 27001:2013 and ISO:22301 Deloitte Business Continuity (BC) programme is designed on an “all hazards” approach.
Having good working relationships and professional partnerships with other technology companies, we are updated regularly regarding potential threats. These threats are assessed and our BC programme is updated based on this new information including priority and mitigation plan.
Any changes to software implemented e.g. patches, are not immediately applied as careful consideration and testing will be required to ensure there is no negative impact.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Protective monitoring is carried out at multiple levels of the service. Potential compromises are identified by ongoing monitoring of systems by software providers, cloud providers and IT teams. Response is defined by a standard incident response including triage, classification, communication and remediation
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach The Incident Management process contains an Incident Response and Notification Process Flow whereby all incidents are raised through the support line once the incident event has occurred. Support line then:

1. Triage incident
2. Determine the path of escalation if one is required
3. Identify Incident Scenario
4. Notification and communications sent
5. Coordinate with the responding teams and monitor the incident
6. Escalate or return to triage dependent on response teams results
Incident reports are sent after each time an incident occurs.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £50000 to £200000 per instance per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Limited trial can be provided, to be discussed individually depending on organisational needs


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document
Return to top ↑