Thunderhead ONE & Thunderbay

Thunderhead ONE is a unifying layer of technology that learns, understands and orchestrates customer conversations and journeys across all interactions and organisational silos.


  • journey analytics
  • journey orchestration
  • journey decisioning
  • realtime interaction management
  • omnichannel orchestration
  • Machine Learning and Artificial Intelligence
  • Omni-Channel Listening
  • Reporting and Analytics
  • Customer Journeys
  • Real-time Personalisation/Individualisation at Scale


  • Understand Customer behaviour
  • Improve incremental up-sell and x-sell opportunities
  • Improve CST & NPS Scores
  • Increase Customer life-time value
  • Improve retention rates
  • Driving Operational efficiencies
  • Reducing Customer churn
  • Increase metrics across Customer life-cycle
  • Increase Customer acquisition rates
  • Reduce cost to serve


£75,000 an instance

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

5 2 0 0 8 1 1 8 9 3 5 4 6 6 7


Thunderhead Lee Fraser
Telephone: 07790 426469

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Thunderhead ONE is operated entirely within Microsoft Azure as a multi-tenant SaaS service (SaaS). All data resides within Microsoft’s Azure Data Centers and under Thunderhead’s Azure Subscriptions across multiple geographic regions (limited to the EEA where the Customer entity and Thunderhead entity are based inside the EEA). Thunderhead provides data centers in the EU, US, and APAC. Clients can choose their preferred deployment location

The deployment of a Thunderhead ONE tenant application takes minutes after which configuration can begin.
System requirements
Not Applicable as we are a SaaS platform

User support

Email or online ticketing support
Email or online ticketing
Support response times
Critical / Major: 1 hour (24/7)
Moderate/Minor: 1 hour, M-F 9:00am Eastern - 5pm Eastern
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Support levels
Platform Service Support

Thunderhead’s operations department provide 24-7 monitoring of Services with staff members on-call and three tiers of internal alert escalation.

Application Level Support

The preferred method of communication is via the Portal which provides Customer with a single interface to raise issues and questions and see all bi-directional communication with Thunderhead’s support team. All communications with Thunderhead’s support team will be in English.

Application Support Hours

Support Hours are between 9am-6pm GMT, Mon-Fri.


For definitions of the Error Severity levels and Response times below, see terms in section 1 and Schedule 1 of the MSA.


Critical 1 Hour
Urgent 2 Hours
High 4 Support Hours
Medium 8 Support Hours

Support is provided as part of the license fee.

A Customer Success Mgr is allocated as part of our Support and is included in the License fee.
Support available to third parties

Onboarding and offboarding

Getting started
Training is provided both on-line and on-site if requested.
There is full documentation and training and access to a learning management system.

The Thunderhead Customer Success team is responsible for ensuring value to customers. The team traverses the customer journey with Thunderhead by commencing engagement pre-contract through delivery and success to ensure simplicity on the part of the customer.

Engagements are based on a lightweight and iterative model:

1. Vision - techniques such as stakeholder interviews and capability assessments to deliver a vision.

2. Scope - journey mapping to define the scope of each project spanning channels, propositions, objectives and organisation.

3. Delivery - delivery to time and budget across people, process and technology.

4. Success - progress against defined KPIs, driving ongoing exponential change through journey insights and optimisation.

Each deployment is measured against a maturity model that starts with the proliferation of listening and incrementally builds to actioning and full omni-channel conversations.

ONE's modern architecture allows rapid delivery across 9+ touch-points within four weeks.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The ONE Engagement Hub provides the ability to export data using the Data Export page. Thunderhead shall assist customers with the return data upon request.
End-of-contract process
The contract can be for both license and supporting services. The contract can be auto renewed or renewed upon request at the end of the agreed initial term.

Should the contract with client be terminated, then Thunderhead will permanently remove all data related to client's tenancy, including user accounts, configuration data and data relating to client's customers. Thunderhead aims to ensure removal of such data within 30 days of termination. Copies of customer data held in backup files will expire after normal backup data expiration/rotation processes.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
We provide mobile SDKs for both iOS and Android which enable business users to easily capture, orchestrate and test configurations on a mobile device.
Service interface
What users can and can't do using the API
The Thunderhead ONE API is built on RESTful concepts and accepts both XML and JSON requests/responses.
The ONE API is designed to:
- Provide your organization with the ability to track customer activity.
- Provide your customers with personalized content based on the most appropriate conversation for them.
- Provide customer profile data held in ONE to external systems, upon request.
- Provide your organization with the ability to export data about customer activity to your BI tools.
- Provide you with the ability to store customer reference data in ONE for use in decisioning.
Users access the API through OAuth2.0 and limitations are set by user access rights and permissions.
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
ONE is monitored continually by Operations staff using a combination of monitoring tools that check for health, response-times, threats and usage. These tools alert staff of changes in ONE’s behavior that may require remediation and enable staff to anticipate and plan for resource scaling. Automated alerts are configured to notify members of the Operations team based on a rotating pager schedule when certain thresholds for service metrics are crossed, so that immediate action can be taken.


Service usage metrics
Metrics types
Total Platform Utilisation - Interactions by time and channel and Instance.

The Operational Metrics page lets you view the overall health of your current published configuration, providing you with a set of metrics, so you can check that things are working as you expect.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The Data Export API provides secure access endpoints (OAUTH 2.0) that enable you to retrieve raw data files from ONE for richer insights about your Customers and the Actions and Activities they are triggering at your Touchpoints.

Data exports can be accessed using an OAUTH2.0 token, requested manually using a HTTP client platform or automated via a library. The token must be used in any subsequent calls to the Data Export API.
Data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
At Thunderhead we work hard to keep service interruptions to a minimum and have a record of averaging 99.99% uptime across our core services.

But like anyone, we occasionally encounter service interruptions. Typically, this tends to be a small window of scheduled maintenance, which we try to do during non-working hours. Rest assured that in the rare event of an unplanned outage, we keep your data safe and secure and get things back up and running as soon as possible.

To keep you informed, we post updates to our Status page. Here, you can see whether we have an ongoing incident, or review historic incidents and uptimes. You can also use the Status page to subscribe for incident updates via email.

CHECK STATUS - Changes to availability are published to:

More information regarding our SLAs can be found in section 11 of our terms and conditions (MSA) and the uploaded Service Support Document.
Approach to resilience
All infrastructure components are configured in a high availability mode or in a redundant fashion. All Customer Data submitted to the Services is stored on a redundant fault-tolerant infrastructure that is replicated to the secondary data center hourly. Data centers forming a regional pair are geographically located in different areas to minimize the possibility of a pandemic or natural disaster impacting both at the same time.
Outage reporting
Changes to availability are published to:

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Only Thunderhead Operations team members have access to production data centers. Only privileged DBAs within the Operations team have access to databases for maintenance and trouble-shooting purposes. Access is controlled using 2FA secured VPNs.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Thunderhead's ISO 27001 certification covers the management of Information Security across all Thunderhead One processes, systems, and functions necessary to develop, operate, and maintain the services Thunderhead One provides to its customers and partners.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • SOC 2 Type 1
  • Privacy Shield

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Thunderhead has developed an Information Security Management System (ISMS) consisting of policies and procedures that comply with the international Information Security Management Systems standard ISO/IEC 27001:2013.

Overall responsibility for information security is assigned to the Chief Technology Officer and the Director of Security and Compliance.

The Chief Technology Officer is responsible for ensuring the effectiveness of Thunderhead’s Information Security Management System (ISMS) and the availability of all necessary resources to execute the ISMS.

The Director of Security and Compliance /Data Protection Officer is responsible for operational management of the ISMS and oversight of Thunderhead’s data protection and privacy strategy.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes to ONE (e.g., configuration changes, bug fixes, and new features) adhere to Thunderhead’s change management policies and procedures that are reviewed by management annually. Members of the Product, Engineering, Operations, and Security teams work together to ensure that all application changes adhere to a strictly controlled process. This process helps provide the highest quality, stability and availability of the products offered by Thunderhead. Application changes are tracked via Thunderhead’s internal ticketing and wiki systems and require approval by members of the aforementioned teams, prior to release.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
ONE uses commercial vulnerability management software that continually monitors for vulnerabilities.

Critical issues have top priority within the development team and are worked on immediately. Any issues resulting from patches or vulnerabilities are prioritized based on their severity.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
ONE is proactively monitored using a combination of tools and sensors with auto-escalation of alerts to ensure prompt action is taken. Monitoring tools in multiple geographies provide automated checks relating to security, performance, responsiveness and availability of the Service.

Thunderhead’s Operations department provide 24-7 monitoring of Services with staff members on-call and three tiers of internal alert escalation.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Thunderhead maintains security incident management policies and procedures. That address the following requirements:

- Reporting of weaknesses, events and incidents
- Treatment
- Breach Notification
- Contact with Authorities
- Post Mortem
- Learning from Incidents
- Collection of Evidence

Thunderhead notifies impacted Data Subjects without undue delay of any unauthorized disclosure of their respective Personal Data by Thunderhead or its agents of which Thunderhead becomes aware to the extent required by Data Protection Laws and Regulations.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£75,000 an instance
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.