Galvanize Solution for Governance, Risk Management & Compliance (HighBond GRC Platform).

The Highbond Platform provides governance, risk and audit management and compliance assurance (and applicable training services) around the delivery of Government programmes, to ensure that spend with beneficiaries, third parties and vendors is effective and efficient. The platform is used by 500+ public sector organisations, including Government departments, agencies and local government.


  • Apply data-driven objectivity to identify risks.
  • Execute assessments to ensure controls are effective and risks mitigated.
  • Raise issues, assign actions, review progress and automate reminders.
  • Your data can be automatically sliced, diced and disseminated.
  • Engage stakeholders for third-party compliance, customer complaints or an incident hotline.
  • Any flagged record from analytics/surveys can be actioned for response/remediation.
  • Integrate analytics results into audits, compliance reviews or risk assessments.
  • Assess current versions of standards, regulations, policies or legal obligations.
  • Work offline and sync later where internet is unavailable.
  • Create dashboard views with executive narratives across programs or agencies.


  • Easy implementation and quick ROI.
  • Break down complex agency operations into manageable views and processes.
  • Cloud delivery: customers always have the latest version and security updates.
  • Enhance collaboration, team efficiency and expand coverage.
  • Automated and live reporting for all projects.
  • Out of the box content based on industry-best-practices.
  • Single entry point to access the service or learning ecosystem.
  • Leverage data and surveys in audit, risk or compliance assessments.
  • Galvanize and Amazon exceed SOC 2 and ITGC compliance standards.
  • Galvanize drives user adoption through great design and crisp performance.


£15000.00 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

579041992168578



Simon Woolley

02039 00 1288

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Windows
  • IE 10+, Chrome, Safari, Firefox (latest releases)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours. Weekends: can be up to the next working day.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
We run automated testing.
Onsite support
Yes, at extra cost
Support levels
24x7 support for all clients at no extra cost, included in licence fees. Technical account manager (Customer Intensity
Support available to third parties

Onboarding and offboarding

Getting started
Clients generally begin with tailored on-site training delivered by our customer success team. This is complemented or supplemented by online training delivered through Galvanize's e-learning academy (no additional cost for licensed users). Comprehensive help documentation is available at
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The customer has the ability to backup/export their data from Projects in zip format; more details here;
End-of-contract process
Highbond will retain your data for a period of 60 days after subscription termination to allow time for data extraction via the backup/export function.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No differences
Service interface
What users can and can't do using the API
Customers can use public API access via public tokens to programmatically access their GRC data.
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
Processing capacity is monitored on an ongoing basis, and it can be increased rapidly if needed using the underlying elastic cloud-based architecture.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The customer has the ability to backup/export their data from Projects in zip format; more details here;
Data export formats
Other data export formats
  • Word
  • PDF
  • Excel
  • Powerpoint
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Galvanize HighBond is delivered over TLS, using cipher suites with up to 256-bit AES encryption.

Availability and resilience

Guaranteed availability
SLA details can be found here under Schedule A;
Approach to resilience
Highbond GRC uses master/slave replicated database servers and fail-safe attachment storage across data centres within each geographical region.
Outage reporting
Systems are also monitored for availability and performance using automated monitoring and alerting. contains availability history and customers can subscribe to email alerts.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Only Highbond DevOps team members and Highbond production support personnel have access to Highbond GRC production systems, following the principle of least privilege. Technical controls include usernames, passwords, IP whitelisting, OTP and asymmetric
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • SOC 2
  • Aligned with ISO 27001 and working towards accreditation

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
FedRAMP standards are complied with
SOC 2 standards are complied with
Aligned with ISO 27001 and working towards full certification.
Information security policies and processes
An Information Security Management Programme is implemented that includes administrative, technical and physical safeguards to protect assets and data from loss, misuse, unauthorised access, disclosure, alteration and destruction. The security programme consists of risk management, asset management, security policies, HR policies, operational procedures, access control and communications. Incident management is performed through the alerting, categorisation, processing, escalation and communication of incidents. Highbond has a communications plan in place to notify both internal employees and external customers during an incident response. Incident coordinators ("quarterbacks") are assigned to coordinate communications over the incident period.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
An SDLC methodology is followed in which all features are defined, designed, developed, tested and deployed; multiple iterations of testing and building are performed throughout the SDLC (including security checklists, peer review, formal automated and manual security QA, and static code analysis) in development, staging and production environments. The change management process ensures consistent code quality and security for each change deployed to production.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Highbond runs weekly vulnerability scanning and remediates findings prioritised by severity using the CVSS rating system. Weekly blue/green deployments allow patches to be deployed into the environment continuously.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Highbond has developed procedures for monitoring Highbond GRC systems for performance, availability and security-related events. System logs from Highbond GRC production systems are continuously monitored, and any anomalies are investigated promptly by the Highbond production operations team. Processing capacity is monitored on an ongoing basis and can be increased rapidly if needed using the underlying elastic cloud-based architecture.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
An incident response process has been defined to ensure timely and effective identification of, and response to, security-related incidents. All actions taken during the incident response process are documented and reviewed to ensure continuous improvement. Operations and support personnel follow defined protocols for resolving and escalating reported events according to the incident response process. Internal and external users are informed of incidents in a timely manner on a need-to-know basis. Users are notified as needed via various collaboration tools.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


Pricing
  • Discount for educational organisations
  • Free trial available