GDPR-compliant Smart Forms SaaS that lets people set up surveys, events, polls, tests and custom secure data collection by building forms from their browser. Remove paper and legacy uncontrolled data collection methods. Move your manual processes online with zero programming. Secure data workflow, file uploads, signatures, payments, emailer & reporting.


  • Software as a Service & Utility charged
  • Used by anyone with word processing or spreadsheet type skills
  • Data collected can be DIY archived, downloaded or deleted
  • GDPR Compliant Data Collection
  • Place your data in your chosen Cloud geography
  • ISO27001 & ISO27018 compliant for In Confidence Data collection
  • Transparent Data Encryption at rest using AES & Hashing
  • Removes uncontrolled data footprints e.g. email & Office Documents
  • Data reporting and exportable into business intelligence tools
  • Works across all browsers and devices, mobile, PC, Mac, Tablet


  • Works on any device, mobile, tablet, PC, Mac
  • Control data footprints e.g. data held in email
  • Enables your Privacy Markings for GDPR
  • Dashboard on Data Ageing for GDPR
  • GDPR Forms based workflow approval with dashboard approval status
  • Encrypted data at rest and in transit
  • Data Protection (Data Processor) tagging for GDPR
  • Data always Classified & Owned by Customer for GDPR
  • Data offload at anytime for GDPR compliance
  • Collect data easily and securely from any device anywhere


£100 to £500 per user per year

  • Education pricing available

Service documents

G-Cloud 10



Smart Forms Team


Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Our SaaS Software can be served from our Cloud or installed on your Private Cloud or your Public Cloud on or off your premises anywhere globally.
Cloud deployment model Hybrid cloud
Service constraints We also support Single Sign On. SSO is fully supported but depends on further integration works with each customer's individual triple A (AAA) model (Authentication, Authorisation & Accounting).
System requirements Any browser as a client

User support

Email or online ticketing support Email or online ticketing
Support response times Ticket acknowledgment is under an hour
Ticket investigation is within one hour
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Free support (not usability or training) is provided via email and then telephone contact with online screen sharing tools e.g. Skype (or similar acceptable) Screen Share.

Support timeframe options are: 9 a.m. to 5 p.m. (UK GMT) as standard.

A TAM (technical account manager) is provided for organisations of 10,000 users or more (chargeable option).
Support available to third parties No

Onboarding and offboarding

Getting started Example Smart Forms and pre-provided free templates are provided along with support videos.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Our customers can download all their data at any time during their contract, whether on day 1 or the last day.

The system has a download data facility which also deletes any data on our service securely.
End-of-contract process On contract end or termination the customer can DIY extract all their data to process as required or to enable simple DIY moving to another provider.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service is fully mobile responsive for users accessing any Smart Forms built by the service.

The authoring of the Smart Forms is desktop based via a browser.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing UI testing with focus groups.
Customisation available Yes
Description of customisation Custom Forms can be designed by our bureau service based on a customer's statement of works and our day rate development service.


Independence of resources We can instantiate a dedicated instance on private or public cloud where required.


Service usage metrics Yes
Metrics types Auto created reporting & auto created graphing on usage.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Data is downloadable at any time via our export facility into CSV or XLS Spreadsheet format.

Images are downloaded as the original.
Data export formats
  • CSV
  • Other
Other data export formats
  • .xls
  • Pdf
Data import formats
  • CSV
  • Other
Other data import formats Txt

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.95% SLA with Service Credits provision for any service loss.
Approach to resilience Available on request.
Outage reporting Email, as we need to ascertain whether it's third-party influenced, e.g. an Internet failure

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Only authorised individuals are provided with support account access.
Account viewing for troubleshooting is provided to our support staff without revealing customers' passwords.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Less than 1 month
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Less than 1 month
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We operate an independent security function (a person's role) to ensure separation from production to negate "checking our own homework".

We also operate a "Chaos Monkey" to ensure that security is tested, again, with independence from our day to day operational functions.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow a Change Control process based on IBM's TSO Change Control System. This cements our Dev into Ops process that became forgotten when Cloud was born.
Vulnerability management type Undisclosed
Vulnerability management approach We apply the latest patches based on first testing new patches in our testing Cloud (Pre-Production/Staging) Infrastructure environment, with corresponding equivalent configuration/roles of the Production Environment VMs.
Protective monitoring type Undisclosed
Protective monitoring approach We employ an automated protective monitoring service.
Potential compromises are advised to the account holder's nominated email.

Incident response conforms to Data Protection & GDPR advisory and escalatory policies.
Incident management type Undisclosed
Incident management approach Our pre-defined processes for common events are available to customers.

Users report incidents via their provided account management contact.

Incident reports are provided on demand.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £100 to £500 per user per year
Discount for educational organisations Yes
Free trial available No

