Figshare is a purpose-built next-generation repository system. Any file format can be uploaded and published, subject to approval by client administrators. Common file formats are previewed in-browser, and Projects functionality provides private collaborative spaces. DOIs or handles are created for all items upon publication. Management information dashboards are provided.


  • fully managed AWS EC2 SaaS solution with multiple releases annually
  • upload, describe and publish files of any format
  • in-browser previews/visualisations for common file formats
  • each metadata record describes zero, one or multiple files
  • define a hierarchy of groups within your repository
  • assign administrative roles to users at organisation or group level
  • review workflow to approve submissions before they are made public
  • all public items receive a DataCite DOI or other PID
  • collaborative Project spaces and compile collections of items
  • 10TB AWS S3 storage included or use suitable local storage


  • no in-house IT support necessary after implementation
  • publish datasets, videos, maps, images, documents all in one repository
  • appeal to internal researchers and external reusers with engaging interface
  • Figshare acts as a data catalogue as well as repository
  • promote groups, conferences etc through differently branded subportals
  • central or devolved administration of your repository as you prefer
  • control public content with review workflow, embargoes, confidential items
  • DOIs can be reserved in advanced
  • share private content as needed through Projects or sharing links
  • plenty of storage to allocate to high-needs groups or individuals


£3,090 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

4 0 6 4 1 5 9 7 9 7 0 5 9 5 8


DIGITAL SCIENCE & RESEARCH SOLUTIONS INC. Digital Science & Research Solutions Inc.
Telephone: +1 617 475 9218

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Figshare releases are deployed live. There are no scheduled downtimes for releases or maintenance.

The maximum file size that can be uploaded is determined by the user's browser or storage allocation. The Figshare API or desktop uploader client can be used for files larger than this limit.

The maximum file size supported by Figshare is 5TB.

There are soft limits on the number of files per item, users per Project etc, but these can be modified for each client.

If client-provided storage is used in preference to 100TB of AWS storage, that storage must have a suitable REST API.
System requirements
  • Minimum Chrome version: 38 or
  • Minimum Firefox version: 28 or
  • Minimum Opera version: 25 or
  • Minimum Safari version: 7 or
  • Minimum Edge version: 12
  • For SSO integration, must be SAML 2.0 compliant

User support

Email or online ticketing support
Email or online ticketing
Support response times
New support tickets all receive an immediate automatic email response, containing a copy of the request and a ticket number so that follow-ups can be tracked, or so that the issue can be escalated if necessary. The Figshare SLA details the response times for different severities of issues. For the most severe issues (for which no workaround exists and which has caused an immediate and material adverse business impact), the initial response time is 1 working hour.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support is available throughout the subscription to the service - please see Figshare’s standard SLA for more details about our commitments. Each customer is assigned a dedicated technical account manager, who can be contacted directly, and a team of engineers - this is all managed via basecamp. Administrators will be able to log in to Figshare’s support site ( where support tickets can be submitted, and Slack community to ask questions or find out more about best practice. Figshare’s support team aims to respond to all tickets within 24 hours. Support tickets can be assigned a priority level and status level. After implementation, the support platform is still available for more general support, queries and feature requests. Training support will be managed and delivered by Figshare’s Head of Engagement, they will provide an admin user guide and user guide, and an engagement package (case studies, marketing materials, slide deck and email templates, guides to deliver testing, information on the API and more). Furthermore, admins are provided with comprehensive release notes demonstrations which are carried out approximately every three months. Optional in-person or online training can also be delivered to research groups or individuals, which may incur a fee.
Support available to third parties

Onboarding and offboarding

Getting started
Once the production environment is live, administrators are provided with an engagement guide which includes case studies, marketing materials, slide deck and email templates, guides to deliver testing, information on the API and more. Please visit for further examples.

The user guide, which includes text and gifs for each step of the uploading process, can be copied and amended to include your branding and specific implementation customisations. Both user guides (user and admin) are updated after each major development release and are therefore always up-to-date. There are also YouTube videos and an Admin LibGuide and End user LibGuide available for additional guidance. End users also have the Knowledge Portal ( as an additional resource with How-to guides, information and tips and more. Optional in-person or online training can also be delivered ad-hoc to research groups or individuals. These dates can be decided closer to the time and should be communicated to your dedicated account manager who will then liaise with Figshare’s Head of Engagement. For on-site visits and consultations, it is expected that the customer will, at a minimum, cover the cost of travel expenses.
Service documentation
Documentation formats
End-of-contract data extraction
All public content - files and metadata - can be extracted using open API endpoints.

All private content - files and metadata - can be extracted using secure API endpoints.

Individual users can also download their own files and download metadata records in various formats through the user interface.

Figshare provides support for a period of 3 months after contract expiry to assist clients in extracting their content.

Note that if clients prefer, they can leave their public content in place after the end of the contract and it will continue to be available under the same DOIs at the site for a period of ten years. (But not at the client's branded Figshare portal, which will be taken down 3 months after the end of the contract).
End-of-contract process
Upon notice of cancellation, Figshare will freeze all public and private accounts, setting the individual user quotas to zero to prevent the uploading of items, either publicly or privately.

User accounts will remain ‘active’ for a period of 3 months during which time account holders can download their private content. After the 3 month period, the Figshare team will delete all private accounts.

After the 3 month period, Figshare will also remove all institution-affiliated admin accounts on the Figshare support site and Community Slack.

Institutional author profiles would remain on Figshare but users would need to open a new (free) account.

For a period of 3 months after the contract end date, Figshare can provide support to export content or transfer it manually.

The client’s public portal will be taken down after the 3 month period has expired, but DOIs and published content will continue to live on the main site.

All content will be citable with a DOI and stored persistently. All Content will be maintained for a period of 10 years, even if the subscription is not renewed.

We can help you to make your DOIs resolve to a new platform.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Limited ability to upload files, depending on the workflows on your mobile device between browsers and stored files. Search, browse and viewing functions fully.
Service interface
What users can and can't do using the API
Figshare provides a fully-featured two-way RESTful API, documented at using Swagger. The documentation site enables rapid prototyping, as API queries can be written and the responses viewed, in the documentation site. Example code snippets are provided for multiple languages.

The Figshare API is accessible at All communication is done through https and all data is encoded as JSON.

The Figshare API provides endpoints that allow you to:
- Upload files to create a new Item
- Search for public and private items
- List the metadata of a public item
- Show the details of files associated with an item
- Report on whether items are embargoed confidential
- Publish an Item
- Reserve a DOI or handle ahead of publication
- Update metadata
- Change confidentiality or embargo settings
- Create or disable a private sharing link
- Create and update accounts
- Add and remove admin roles
- Upload a user feed
- Harvest metadata through OAI-PMH

An API user group shares ideas and knowledge across our clients.

See for a with interactive visualisations for data stored in Figshare, and for the University of Sheffield’s custom front end for their underlying Figshare data repository.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
During implementation, requested by the client implementation team:
- Domain of repository site: either a client domain or *
- Custom branding logo and background image. Each public subportal can have its own branding
- Define links in the masthead
- Define links in custom footer (to a client’s own pages)
- Define group hierarchy for the repository
- Define which identifier type is minted for items in each group
- Configure reporting dashboard
- Define a scheme of custom Categories of the default Fields of Research scheme is not wanted
- Turn off the Projects and/or Collections features if not wanted

By raising a support ticket, by client top-level administrators:
- Add new or amend existing branding
- Amend masthead links
- Amend custom footer links
- Modify reporting dashboard
- Request custom management information report

In the admin web interface, by owner of the appropriate group, or by top-level administrator:
- Assign admin roles to users
- Add subgroups to the hierarchy
- Add descriptions text for each group
- Define custom metadata fields at the organisation or group level
- Define ‘Tips’ help text for each custom metadata field


Independence of resources
Figshare runs in AWS EC2 and therefore adding extra capacity for new clients is not an issue. We have publisher clients whose journal platforms integrate with Figshare (e.g. pulling Figshare items into widgets on the publisher platforms), therefore Figshare can handle traffic orders of high magnitude. On request Figshare can provide load testing reports for Figshare services where core functionality is load tested for different usage patterns.


Service usage metrics
Metrics types
Public stats page e.g. provides on-screen graphs of views and downloads by date range, filterable by Group, Item type, Category and Author.

Internal admin reporting dashboard provides various graphs, maps and tables, and can download the underlying data in CSV format.

The Figshare API provides statistics endpoints - see

Custom reports can be requested through support requests.

Figshare hasn’t yet applied for formal COUNTER compliance, but we fully comply with the COUNTER Release 5 rules regarding views and downloads.

UK institutional Figshare repositories are configured to send usage events to the national Jisc IRUS for Data service.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
AWS uses Physical access control, complying with CSA CCM v3.0 and SSAE-16 / ISAE 3402.

Outside of AWS specific physical technical controls, Figshare uses encryption for all storage devices and services used on AWS (EC2 EBS, AWS S3). Encryption keys are managed via AWS KMS.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
All public content - files and metadata - can be extracted using open API endpoints.

All private content - files and metadata - can be extracted using secure API endpoints.

Individual users can also download their own files and download metadata records in various formats through the user interface.

Metadata can also be harvested through OAI-PMH endpoints.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML - Dublin Core
  • XML - Datacite
  • XML - RDF
  • XML - Qualified Dublin Core
  • XML - METS
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON (for metadata upload through the API)
  • Any file format can be uploaded to the Figshare repository

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
All Figshare public endpoints are available only via HTTPS endpoints (HSTS enabled) using the ELBSecurityPolicy-FS-2018-06 AWS ALB security policy.

Inter-cloud communications are deployed over IPSec based VPNs.

ELBSecurityPolicy-FS-2018-06 supports TLS1 TLS 1.1 and TLS 1.2 . We do have plans to eliminate support for TLS 1 and TLS 1.1 but that is not currently possible due to some client requirements.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
All Figshare services are deployed inside AWS VPCs with the following technical controls implemented to protect data:
- Use of private only subnets
- Use of NAT Gateways for instance internet access
- Use of AWS Client VPN for operational remote access
- EBS encrypted volumes for all EC2 instances
- S3 encrypted buckets
- Environment segregation at the VPC level (dedicated VPCs for each environment)
- Use of VPC Endpoints for intra VPC S3 communications
- Use of dedicated subnets (NACLs) for applications and storage services
- Use of TLS for inter-microservice communications (where applicable)

Availability and resilience

Guaranteed availability
We commit to making the Platform available at least 99.9% of the time during each full calendar month, subject to the exclusions set forth below (the “Uptime Service Availability”).

Periods where the Platform is not available due to the following reasons shall be excluded from the calculation of Uptime Service Availability: (i) any Force Majeure Event, which shall include any internet access or related problems beyond the demarcation point of the Storage Services; (ii) any breach of this Agreement by you or any actions or inactions of you or any third party; (iii) your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); (iv) and planned maintenance carried out during the maintenance window of 05:00am to 09:00am UK time. Sufficient notice will be given for any unscheduled period during which the availability of the Platform is suspended as soon as reasonably practicable.

Where the Uptime Service Availability falls below 99.9% for three (3) consecutive months, you may terminate this Agreement for material breach.
Approach to resilience
The Figshare platform is deployed within AWS. To achieve a highly available and fault tolerant setup all Figshare services are deployed across multiple AWS availability zones.
Horizontally scaling storage solutions are used across the platform: multi node MariaDB Galera Cluster, ElasticSearch cluster, AWS S3. All public services are deployed behind AWS Application Load Balancers configured to route traffic between EC2 instances across multiple availability zones. Figshare also maintains a backup disaster recovery location as documented in the Figshare’s Disaster Recovery Plan which is available upon request.

To ensure an adequate level of security the following technical controls and deployed across our infrastructure:
- 24/7 automated monitoring
- OS level monitoring
- Application monitoring
- Vulnerability management
- Real-time analysis

For details on AWS's resilient workload and RTO please see:
Outage reporting
Figshare provides current and historical status information at This site is immediately updated whenever there is a service issue. The site includes an email alerts facility and during the implementation process we ensure that all clients register for alerts.

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
Figshare integrates with the client’s SAML 2.0-compliant authentication system (e.g. Shibboleth). This must expose externally verifiable IDs to Figshare for all user accounts to ensure that they are unique.

The two most common ways to create Figshare user accounts are by sending us a user feed, or by creating accounts at first login (using your authentication system).

For clients without a SAML 2.0 compliant authentication system we can create accounts manually.

We use Freshdesk for our support site and Basecamp to manage implementations. Relevant client staff will be able to create accounts on those systems.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
SRAC Bucharest (an IQNet Partner)
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The following exclusions are made to the scope of our Information Security and Management System:

- The physical security of the location and of the hardware related to the AWS infrastructure used by the company

- The physical security of the location and of the hardware related to the Hetzner infrastructure used by the company

- The security of the (SaaS-type) platforms used by the company employees, but which are not managed by the company and are used during the processes/activities performed, except for the data generated and managed in these platforms.

(We use Hetzner infrastructure for a small number of European clients who do not want to use AWS infrastructure).
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Figshare is ISO27001 certified. The following policies and principles are maintained and can be supplied upon request:

Information Security Policy
Access Control Policy
Secure Software Development Policy
Secure Software Engineering Principles
Change Management Policy
Password Policy
Mobile device and teleworking policy
Bring Your Own Device Policy
Physical and Environmental security policy
Stored Information Handling Procedure
Clear Desk and Clear Screen policy
Acceptable Use Policy
IT Disaster Recovery Plan
Policy on assigning and refreshing hardware equipment
Incident management procedure
Use of cryptographic controls policy
Virtual private network policy
Scope of information security management
Information transfer policy
Departmental policy on personnel training (HR)
Backup policy
Communication procedure
Risk assessment and risk treatment methodology
Information Classification Policy
Asset Classification Policy

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes may only be suggested by employees of the IT Infrastructure and Software Development Departments.

Task created in Jira to allow suggester to document and implement the process.

Change must be authorized by Head of the IT Infrastructure Department: must document justification and potential negative impact on security.

Changes implemented by members of the IT Infrastructure Department.

Head of the IT Infrastructure Department is responsible for testing the compliance of the change with the requirements.

Head of the IT Infrastructure Department responsible for testing and assessing the system’s stability.

Implementation of the change must be reported to the Project Manager.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
24/7 automated monitoring: internally via Nagios, AWS CloudWatch and from external endpoints.

OS level monitoring: deploying HIDS software across all systems to detect and alert for suspicious activity. Audit log all system level commands via Linux Audit module.

Vulnerability management: deploy antivirus solution across all networked systems. Perform OS level scans via AWS Inspector, weekly maintenance routines for OS level patching and 3rd party libraries security assessments.

Real-time analysis, deploying AWS WAF, GuardDuty, Shield Basic, CloudTrail, Config to analyze and detect anomalies across our infrastructure. All OS, Application and Service logs and collected for long term storage and analysis.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
- 24/7 automated monitoring: all services internally and externally. All send automated events to our 24/7 on-call devops team.
- OS level monitoring: HIDS software deployed across all systems to detect and alert for suspicious activity. Log all system level commands via Linux Audit module.
- Application monitoring: APM solution to monitor performance and exception related metrics.
- Vulnerability management: antivirus solution and OS security scans. Weekly maintenance routines for OS patching and 3rd party libraries’ security assessments.
- Real-time analysis: Multiple tools analyze and detect anomalies across infrastructure. Logs collected and centralized for long term storage / analysis.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Security incidents are classified according to their impact on operations, the critical level of the system impacted and the level of sensitivity of the compromised data. Once a security incident has been found, the response stage will involve restoring operations and diminishing the impact of the vulnerabilities unveiled. Activities performed during the response stage vary according to the type of incident and to the security level.

Further details are available in Figshare’s Incident Management Procedure document, available upon request.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£3,090 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
Freely available site with only basic metadata, a few Open Licence choices, no branding, no Groups etc.

Or we can create a free basic custom test portal on request, with more features (e.g. Groups, custom metadata, review workflow), with a few manually-created admin and user accounts.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.