Free Rein Limited

Enterprise Content Management System (CMS)

CMS is a fully featured, browser based content management system built using LAMP open standards. It is used by dozens of public sector, commercial and not-for-profit organisations.
The experience Free Rein has gained delivering an IL3 compliant application for the BIS/HMRC has been rolled back into our core CMS service.


  • Responsive Website Content Design and Display – Smart device Friendly
  • Multi-channel, Social Media, Forum, RSS Syndication and Blog Features
  • User Registration and Secure Group Management
  • Integrated E-mail and SMS Broadcast Capabilities
  • Multisite, multilingual and event management capability
  • E-Commerce/Licensing and Online Payments
  • GIS and Map Based Presentation
  • SEO, Meta Data, Site Map and Bespoke Feeds, Metadata Management
  • Content Scheduling, Audit trailed, versioning with Roll Back and Comparison
  • Multimedia & document library, Forms, Polls and Questionnaires


  • Centralised and shared content with granular level controls
  • Secure and personalised content administration dashboards
  • Workflow reduces bottlenecks, speeds up content publishing and editorial cycles
  • Personalised alerts based on configurable preferences and interests
  • Targeted content delivery based on geographical location and cross promotion
  • SEO benefits through intelligent use of analytics and auditing tools
  • Rapid development of unique functionality
  • Identify new Revenue streams in order to monetise audiences
  • Centralised media repository with configuration controls
  • Low total cost of ownership and simplified system maintenance


£90 per unit per hour

Service documents


G-Cloud 11

Service ID

5 5 3 8 0 7 4 7 4 8 9 1 5 0 1


Free Rein Limited

Tony Addison

01473 810002

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements None

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Working Hours: 60 minutes
(Monday to Friday excluding bank holidays from 8.30 am to 5.30 pm)

Outside Office Hours: 4 hours
(Monday to Friday 5.30pm to 8.30 am)

Weekends: 4 hours

Bank Holidays: 6 hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible N/A
Web chat accessibility testing The web chat is currently undergoing testing and validation.
Onsite support Yes, at extra cost
Support levels Support is available generally Mon-Fri 9-5:30 to solve any user issue or technical problem to registered users. If we get repeated questions we would rather solve the cause than the symptom.
Optional support at other times.
Each client has a dedicated user/semi technical account manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Users supported initially with recommended onsite training (couple of hours desk based), then online manual and optional webinars for specific needs.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Part of the contract closure arrangements include Free Rein extracting all data required and confirming what data, and when, it can be safely destroyed.
End-of-contract process Data extraction and safe disposal of data not required. Any design or content files are managed during the contract into the clients own safe keeping.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Length of scroll to view whole page contents
Reduced detail in table presentations and media lists in a single screen
Service interface No
Customisation available Yes
Description of customisation Extensive range of modules from simple content, through membership and closed groups, ecommerce and event management. Email and SMS broadcast as standard. Modules enabled and validated by our tech team to meet client design requirements. Once activated client can customise module features themselves.


Independence of resources Managed cluster loading of virtual servers – mostly automated except under DDOS conditions where manual intervention often required.


Service usage metrics Yes
Metrics types Automatically link to Google Analytics with client access.
Email and SMS is reported on a broadcast by broadcast basis and clustered in campaigns - includes opens, reads, estimated read duration, clicks, soft and hard bounces, prints, exchanges with mail server, out of office, times and days of traffic and levels.
Optional self generated reports to client requirements. Reports on demand in any format.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Controls to initiate and manage contents of the data exports are provided by the web interface when enabled and access conditions are satisfied.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 100% availability excluding planned maintenance
Refunds automatic as double proportion of the monthly or annual contract, no claim required.
Approach to resilience All data centre elements are redundant with automatic fail-over. Further detail available on request.
Outage reporting Email alerts available on a request for subscription basis

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Systems are initially created with a core group of users from the client organisation who will act as administrators and manage all other users in compliance with their own internal policies.
User capabilities are determined by the roles they have been assigned and the privileges granted to each role.
Support channels are limited to authorised individuals who will be granted appropriate permissions. No external management is available on support channels.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials
  • We don't store payment information in the cloud services

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Cyber Essentials accredited moving up to Plus en route for IASME
Information security policies and processes The ISMS contains policies and processes that are critical to provide assurance that data is handled consistently and securely. These cover all aspects including asset management, application usage, accounts, emails, storage devices, access controls, and the handling of data.
Procedures exist to ensure actions comply with the defined policies and what to do in the event of non-compliance.
In the event of a suspected incident, the IT manager (or nominee) is responsible for authorising access to equipment, services and data to allow investigations to proceed.
Wherever possible, policies are enforced by automation but in many cases manual intervention is necessary. In these situations procedures define the process required to ensure each policy is being followed and the frequency the process is to be executed.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach On receipt of a documented change request, a risk assessment is performed to determine the potential effect the change will have on system components, security and running costs.
Changes will then be implemented in a controlled test environment, where testing and reviews can performed. All changes are be retained within source control.
Once approved, changes will be announced and documented as required before release.
Vulnerability management type Supplier-defined controls
Vulnerability management approach OS and application patches are constantly monitored and when available they will be assessed and implemented. For critical patches an emergency process is in place to action quickly.
Announcements of potential threats and exploits are received through numerous notification services including CVE databases and OS maintainers.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Networks and systems are monitored for abnormal performance and resource usage which may indicate a potential attack or system malfunction. Automated alerts are sent when defined thresholds have been reached.
Activity logs are retained to allow for forensic analysis of actions if an issue arrises.
AntiVirus software is used to scan incoming files and emails to the environment with regular full system scans as an extra measure.
Incident management type Supplier-defined controls
Incident management approach Incidents can be raised by users through the support channels or from the automated monitoring systems, all of which have a process to be followed.
Many incidents can be handled either automatically or manually by help desk staff but for complex or time critical incidents, specialist technical support staff will be assigned to ensure a timely resolution.
Incident reports will be made available upon request.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £90 per unit per hour
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑