ClauseMatch Collaboration Platform

ClauseMatch is an award-winning collaboration platform containing in its core a detailed documentation workflow, where comments, approvals and changes are tracked in real-time and form part of a full audit trail. That brings complete control of content, streamlines complex workflows and provides a better management insight with groundbreaking reporting capabilities.


  • Real-time collaboration on documents
  • Complete document lifecycle workflow, including approvals in a single system
  • Complete audit trail of document changes, approvals, comments and workflow
  • Full management reporting capabilities on the documentation workflow
  • Full-text search through document content across all documents
  • Management of documentation metadata and reports based on it
  • Email notifications of workflow events and reminders of dates
  • Granular permissions management on documents and paragraphs
  • Identification and ability to re-use similar content across all documents
  • Dashboard to track all the activity and tasks


  • Reduce costs as all communications are done on the platform
  • Ability to find any content quickly
  • Centralised way to manage content in real-time
  • Gain true version control of content at paragraph level
  • Ability to see reports and identify bottlenecks in the process
  • Create data in a structured form to apply machine learning
  • Ability to re-use content to standardise documentation across the organisation
  • Automate documentation processes and workflows


£2500 per user per year

Service documents


G-Cloud 11

Service ID

4 3 0 4 6 8 8 6 9 3 4 5 3 5 1



Evgeny Likhoded


Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints The only constraint that the service may have is the use of older browsers which are not supported (for example, Internet Explorer 10 and below is not supported)
System requirements
  • Internet Explorer v. 11+ or Google Chrome v. 50+
  • Amazon AWS or Microsoft Azure Hosting as agreed deployment environment

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Support hours are 9:00am - 5:00pm on during weekdays only. Our response time is within 1 hour of reporting by email.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Type 1 (Blocker) - Email response within 1 hour of reporting and 4-hourly email updates.
Type 2 (Critical) - Email response within 1 hour of reporting and 8-hourly email updates.
Type 3 (Major) - Email response within 1 hour of reporting and 24-hourly email updates.
Type 4 (Minor) - Email response within 1 hour of reporting and 48-hourly updates until resolution.
Type 5 (Trivial) - Email response within 1 hour of reporting and regular updates until resolution.

Support operates 9am-5pm UK time on working days in the UK.

Minimum standard support cost is 20% of subscription value.

We provide account manager, technical support manager and cloud engineering support is available when required.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide built-in onboarding visual guides for new functionality, remote online training, documented user guides and guidance videos.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Documents and the full audit trail on documents can be exported as PDF or Word documents and a full database dump is also provided. If required, assistance can be provided to convert existing data into a format of the new vendor (at cost).
End-of-contract process Export of data and audit trail into PDF or Word documents and full database dump are included in the price of the contract.

Specific conversion of existing data into a new format or database can be provided at cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Chrome
Application to install No
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API Our REST API is available for integration with other services in order to create, change or access data on the platform. Every action that can be done through the interface on the platform is available via the API.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Limited customisation is available. The following features can be customised:
- documentation metadata
- user roles
- user groups
- categorisation of documents
- templates of documents
- reports (customised by our team on request)


Independence of resources We use dedicated servers for each enterprise client and we constantly monitor performance and usage of the service to ensure that the dedicated hardware continues to be at the appropriate level. In the event of increased demand, the hardware can be scaled up without interruption.


Service usage metrics Yes
Metrics types We provide the following metrics:
- reports based on documentation metadata
- usage statistics
- user interaction on the platform
- security and authentication logs and statistics
- platform performance statistics
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Either export documents to PDF and Word, or structured data can be exported via API or full database dump.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Word
  • XML
  • JSON
  • SQL
Data import formats Other
Other data import formats Word

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks We use IP whitelisting to limit exposure of the service only to the organisation's IP addresses.
Data protection within supplier network
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network We use IP whitelisting to limit access to data only to certain internal IP addresses used by the application and database servers.

Availability and resilience

Availability and resilience
Guaranteed availability We provide 99.5% availability, which is assured through contractual commitment and regular reporting on the uptime of the service.
Approach to resilience The resilience of the service and datacentre documentation is available on request.
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication SAML-based Single Sign-On
Access restrictions in management interfaces and support channels Access to ClauseMatch platform is restricted through SSL and whitelisting of client IP addresses to limit exposure of the service only to approved IPs. Users authenticate through SAML Single Sign-On or username and password with 2FA available. Roles and permissions can be defined within the application by admin users and more granular permissions can be managed individually in relation to documents and content.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DAS Certification
ISO/IEC 27001 accreditation date 08/05/2015
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ClauseMatch operates an Information Security Management System (ISMS) in accordance with ISO27001 standard, which is independently audited and certified by an accredited certification body. The ISMS system includes clearly defined policies, controls and a clear reporting structure with the full division of responsibilities. Compliance with policies and operational processes are audited on quarterly basis internally and every 12 months by independent auditors providing the ISO27001 certification.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Every single change to the platform is tracked and documented from ideation to development, testing (automated and manual) for defects and security, code review, user acceptance testing and production. ClauseMatch operates a Secure Development and Change Management Policy in accordance with the ISO27001 standard, which is independently audited. There is a clear division of responsibilities ensuring that the code developed cannot be deployed into production without following the approval process.
Vulnerability management type Supplier-defined controls
Vulnerability management approach ClauseMatch employs automated vulnerability scanning tools, extensive logging, real-time alerting of potential security incidents and regular auditing of logs. Information about potential threats is gathered from OWASP Top 10 and reputable industry resources on security. Patches can either be deployed through bi-weekly release cycle or sooner through hotfixes depending on the criticality of the vulnerability.
Protective monitoring type Supplier-defined controls
Protective monitoring approach ClauseMatch employs automated scanning tools, extensive logging of potential security incidents and real-time alerting. Logs are reviewed regularly and incidents are reported to clients within 1 hour.
Incident management type Supplier-defined controls
Incident management approach ClauseMatch uses incident management software to define SLAs, provide clients with the ability to submit support and incident tickets and track incidents from reporting to resolution. Reports are gathered and generated through the incident management system automatically. ClauseMatch is ISO9001 certified, the quality standard, which showcases our commitment to continued quality and improvement of our service.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2500 per user per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑