Social & Citizen Communication & Payments Apps

Provision of Apps and Web that deliver digital services to Citizens, Communities and Employees (Colleagues). Effectively Private Social Networks.

This is an evergreen cloud SaaS solution that delivers the functionality of a social, organisation, messaging, broadcast, communities as well as 1-1 collaboration.

A range of payments solutions are also included.


  • Community Collaboration
  • Management Organisation
  • Event Organisation
  • Payments Solutions and Open Banking
  • Work Requests and Tickets
  • E-Wallets
  • Information Broadcast
  • Interest Based Marketing and Advertising
  • Private Social Network


  • Publish content to communities of interest
  • Reduce marketing costs where you know the recipient
  • Democratise revenues for Citizens & Communities
  • Self-organising platform for ease of beneifts
  • Appealing way to get sensitive content out of WhatsApp Facebook
  • Collaborate around people in need, communities, interests
  • Manage payments and link to transactions
  • Evergreen SaaS solution with your brand
  • Evolving functionality - see for latest
  • Ability to share content you wish on public Padoq apps


£0.20 to £1.00 per user per month

Service documents


G-Cloud 11

Service ID

5 1 0 0 0 4 9 4 5 2 2 6 5 7 0



Chris Airey


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The Apps are available for iOS and Android.

Web versions aim for compatibility with all modern browsers / versions.

UK only cloud at this point but obviously available internationally to consume.
System requirements Accessed by consumer technology so no specific requirements.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Problems are reporting by shaking the apps.

Support is available 24*7 since a public SaaS solution.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels All support is included in the cost of the service (as in break / fix).

Extras would be for supporting any bespoke integration, content management or additional requirements or services you may request.

This is a Apps Store / Google Play distributed set of apps so the platform is designed to be available 24*7.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There are public versions of Padoq on Apps Store and Google Play. Therefore we don't see many training needs.

However, we will prepare 'how to' guides as part of set-up if required explaining how to achieve your outcomes. We are very happy to do on-site training and help you make this a success in any way we can.
Service documentation No
End-of-contract data extraction At this stage we will provide a data extract of all data on request. Our target is 1 week SLA and can plan this in advance with any migrations. We would collaborate in explaining the data structure as is quite flat based around social posts and post types. Payments history can be provided but we will meet out obligations to legal requirements for payments audit trails.
End-of-contract process Included is:
- Data Extract
- Removal of Apps

Extras such as:
- Data mapping for your destination system
- Project costs related to your migration requirements above an extract

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile solution looks like mobile apps and are native to iOS and Android. Desktop service makes full use of browser screen size and we expect more complex administration and MI tasks to be developed there. The solutions will have the same general user experience on all technologies.
Service interface No
Customisation available Yes
Description of customisation Branding and colours can be customised.

It is possible to extend the solution as you wish in terms of development for integrations and connecting APIs etc. The Padoq team will do technical development.

The app itself has a high level of user customisation at 'app' level and for the admin of each 'group' within the system e.g. public or secret group, broadcast or classical social, post tags allowed etc

We are happy to do a gap analysis for you against requirements but find most configuration can be done by yourselves once the data structure is worked out.


Independence of resources The design of the platform has been made using a number of asynchronous and synchronous approaches to messaging and as a social & payments platform it has been designed to scale.

Additionally, it is hosted in a Private Cloud environment for ease of addition of resources.


Service usage metrics Yes
Metrics types We provide social network KPIs at this time such as visitors, post analytics. Additionally, we analyse data for moderation and criminal activity.

Additional reporting and dashboards can be built to suit your needs as additional activity.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach At this stage this is a request service given the nature of the social network platform.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks This is a public facing solution. If you want private network connections we will delivery to your specification.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability From our G-Cloud hosting partner:
Network availability - 100%
Infrastructure availability - 99.99%
Availability is based on the total number of operating hours of a given calendar month and excludes planned and emergency maintenance.
Approach to resilience From our G-Cloud Hosting Partner:
Operates a 5.52MW tier 3 1,000 rack data centre estate. This contains multiple physically separate buildings, connected by dedicated fibre. High voltage power connections are provided from separate primary sub-stations. All mission-critical services including Standby Generation, Cooling systems and UPS (uninterruptible power system) are provided at N+1 or greater across the whole facility. The complex has a power density of over 6KW per square foot, providing diverse A & B power to each data rack, and all eCloud service platforms are supported from quadruple power feeds. The data centre complex is supported by 9MW of standby generation with over 100,000 litres of fuel storage and eight hour fuel supply SLA. All critical services are supported by 4.6MW of UPS power and 4.9MW of data centre cooling. The public sector hosting suite has fully resilient networking, switches, carrier-redundant leased lines, power and backup generators, all separated from the rest of the network and data centre complex.
Outage reporting As an App based solution availability depends on the user's device.

Any central issues around data provision will be communicated via the app.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Other
Other user authentication Initial 2-factor authentication then reliant on the device security e.g. iPhone facial recognition.

2FA can be switched on for all access of you require, which may be sensible for certain scenarios such as medial files. However, that may be counter-productive in terms of user adoption and encourage use of WhatsApp etc.

2FA is always on for our G-Cloud hosting provider with regards to platform access.
Access restrictions in management interfaces and support channels From our G-Cloud hosting provider:
Management access to environments is strictly restricted to authorised and vetted personnel only. Granular access rights ensure individual personnel have access to only the resources they need in order to carry out their specific tasks and responsibilities. Logical and physical separation of access rights is provided, and all management interfaces are restricted to internal privileged networks and are not accessible to the internet or external networks.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 LRQA for our G-Cloud Hosting Provider.
ISO 28000:2007 accreditation date 23/06/2016
What the ISO 28000:2007 doesn’t cover N/A
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Our G-Cloud hosting provider: Ultima Risk Management
PCI DSS accreditation date 22/08/2016
What the PCI DSS doesn’t cover Hosting provider's office network.

Additionally, Padoq uses MangoPay who have their own for payments services.
Other security certifications Yes
Any other security certifications
  • G-Cloud hosting provider: Cyber essentials +
  • G-Cloud hosting provider: SOC 2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Padoq is awaiting approval for FCA authorisation as an Open Banking organisation and therefore takes security governance seriously.

The directors review the monitoring of traditional security and social moderation on a regular basis, maintaining governance. Additionally, the highest risk payments processing elements are performed by PCI DSS compliant providers.
Information security policies and processes We have our own information security policy related to our aggregation role of social & payments.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Padoq uses Agile processes for development and tracks all changes into releases that follow Apple and Google governance for publishing.

A change management system operational which documents all changes, responsible parties, time of change and senior-level sign off. All changes pass through a Change Advisory Board (CAB) at this stage comprising of at least two directors.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach From our G-Cloud hosing partner:
Vulnerability scan run once per month and critical vulnerabilities patched within 30 days. Additional vulnerability scan run after any significant change implementation.
Protective monitoring type Supplier-defined controls
Protective monitoring approach From our G-Cloud hosting partner:
Internally designed and developed threat monitoring system is run on all infrastructure.

Additionally Padoq has a its own monitoring solution for FCA compliance and social moderation requirements.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach From our G-Cloud hosting provider:

ISO27001-complaint processes and systems for incident response are operational.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.20 to £1.00 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Padoq apps are available on Google Play and Apple Apps Store now. You can create your own groups and communities on there. It is a freemium model with a generous proportion of free services, no time limitation.

You should use this G-Cloud service if you want your private social network.
Link to free trial

Service documents

Return to top ↑