Boomalert Ltd

Boomalert: Critical Incident Communications

Boomalert’s incident communication software enables the distribution and receipt of broadcast communications over SMS, Voice and Email and the escalation of urgent or critical messages. This ensures that an organisation can plan and prepare effectively for critical incidents, and consequently mitigate against the negative impact that might otherwise occur.


  • Fully automated and interactive critical communication processes
  • Build dynamic, layered communication workflow via a simple user interface
  • Dynamically escalate communications through groups/individuals and across communication channels
  • Provide live reporting for real-time visibility into incident progress
  • Remote activation via Email, SMS, GUI, Machine alerts, API
  • Run simultaneous workflows to different business entities during incidents


  • Minimize service disruption negative impact of critical incidents
  • Manage incidents by exception to reduce resolution timescales
  • Improve the speed and efficiency of decision-making via real-time data
  • Customise workflows without the need for local application development
  • Limit the reputational damage of business incidents
  • Improve service uptime through pre-emptive warnings and alerts
  • Improve safety of staff and stakeholders in isolated situations
  • Fulfil duty of care requirements
  • Enhance corporate governance with full audit trail of communications


£0.027 per transaction per minute

Service documents

G-Cloud 9


Boomalert Ltd

Peter Tanner

+44 207 224 5555

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements N/A

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time within an hour
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Standard - 9AM - 5PM Monday - Friday or Premium 24/7/365 email or telephone support
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide documented support and telephone support where required
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users export data before the term ends or request export from Boomerang
End-of-contract process The service account is disabled

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No major difference
Accessibility standards None or don’t know
Description of accessibility Access user interface via web browser and trigger communication remotely through SMS, email, HTTP post, MIPS and traps
Accessibility testing N/A
Customisation available Yes
Description of customisation Customisation options are as follows: - On-premises: Host the services within a local environment - Social hours: Control the times between which messages are sent / not sent - Exclusive numbers: Messages are sent from a number range unique to the customer - Message validity: Control the expiry period of an outbound message - Secure data: Choose to overwrite (hash) the message content and communication address for a message transaction - Set specific configurations for each communication channel: 1. Voice - Intro and exit messages, divert number and message 2. Email - From Id, Subject, signatures, logos and HTML customisation 3. SMS - Alpha or numeric originating Ids Service configuration options are either set via the user interface, during the on-boarding process or can be submitted to Boomerang in writing to Boomerang at any point during the contract term. Boomerang will usually action the request within 24 hours.


Independence of resources The hardware supporting the Services is provisioned with resources that are managed by VMware to automatically spread resources across the Cloud as and where required. From the infrastructure perspective, VMware Cloud Design allows the platform to scale without downtime or performance degradation linearly. Cloud instances have been configured to use an auto-scale set of resource limits, within which Boomerang can utilize and grow out as demand is increased.


Service usage metrics Yes
Metrics types Transactional message data consisting of date/time sent, transaction Id, communication channel, originating address, destination address, message content delivery status, ticket type, ticket status, number of replies, Reply content
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users export data before the term ends or request export from Boomerang
Data export formats CSV
Data import formats Other
Other data import formats N/A

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 99,5%
Approach to resilience Our solution has been designed to handle both active / passive and active / active load balanced configurations and with the ability to automatically expand overall capacity to accommodate any dramatic surges in traffic. Data spans both geographical sites in real time and any data changes to the primary location are also replicated to the secondary location. All data is backed up externally every three hours and as data is transparent between sites, there is no need to backup and restore data across locations in the event of a failover - data locking and consistency is handled within the vCLoud platform. The infrastructure is also subject to regular vulnerability and penetration testing, using a third-party software. This will identify any potential security weaknesses and provide recommendations as to how these can best be addressed.
Outage reporting Via Email and SMS

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication - Username and password - Captcha - Multiple invalid requests from the same user locks the user's account - Multiple invalid requests from the same IP address, blocks any further requests from that IP
Access restrictions in management interfaces and support channels Username and password controls are in place for system users. Access to system administration functions is only permitted by providing an additional Admin level password.
Access restriction testing frequency At least once a year
Management access authentication
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Security Metrics
PCI DSS accreditation date 30/01/2017
What the PCI DSS doesn’t cover N/A
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach We are currently working to the principles of ISO 27001 using an online ISMS platform that sets out our policies and approach to information security. The platform is structured according to the ISO 27001 standard and enables the mangement of organisationsal Risks, Stakeholders, HR etc
Information security policies and processes ISO 27001

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change management processes are risk based and aim to minimise the impact of changes upon Service users. This process covers the following activities: • Initiation and review of change requests • Logging of all change requests • Evaluation (of business impact and risk) and formal authorisation of change requests • Drafting and approval of functional and non-functional requirements • Design review • Development of approved changes • Testing of approved changes being applied • Notification of scheduled release to relevant stakeholders • Change control reviewed and if approved changes are released into production • Post production evaluation and testing
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach The TISO is tasked keep up-to-date with news on general vulnerabilities and vulnerabilities that apply to our services. Information sources include CVEs, security mailing lists and VMWare security advisories. We also perform quarterly VM scans via a third party. All vulnerabilities added to a risk map and if the risk requires treatment, then based on the nature, probability and impact of the risk we will decide on one of the following options: - Take immediate action (deploy an emergency patch) - Schedule for action in the near future - Agree action to be taken at next ISMS Board review
Protective monitoring type Supplier-defined controls
Protective monitoring approach Traffic is monitored using third-party intrusion detection software - 'Sourcefire', which is used to look for anomalies in activity. The rule-set applied has been adapted from the 'out-of-the-box' rules based on evaluation of traffic over time. Where a potential compromise is identified, notifications are triggered to the relevant internal team in real-time who will conduct an immediate investigation to identify the course of action required. Where a compromise is validated incident management procedures are invoked.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We have a documented process that enables a consistent approach to tracking and managing incidents. As such: • Users can report incidents by email or by telephone • Incidents are logged in a Case Management System • Incidents are properly prioritised and handled in the appropriate sequence • Incidents are routed to the team best placed to resolve the incident • Incident status is accurately reported • Queue of unresolved incidents is visible and reported • Service users are kept up to with incident progress within agreed SLAs • The resolution meets the requirements of the SLA for the customer

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.027 per transaction per minute
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The free version is limited by time and messaging quantity
Link to free trial


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑