Galvanize Solution for Governance, Risk Management & Compliance (HighBond GRC Platform).

The Highbond Platform provides Governance, Risk and Audit Management and Compliance assurance (and applicable training services) around delivery of Government programs, to ensure spend with beneficiaries, 3rd parties and vendors is effective and efficient. The platform is utilised by 500+ public sector organisations including Government Departments, agencies and local government.


  • Apply objectiveness via data to identify risks.
  • Execute assessments to ensure controls are effective and risks mitigated.
  • Raise issues, assign actions, review progress and automate reminders.
  • Your data can be automatically sliced, diced and disseminated.
  • Engage stakeholders for 3rd party compliance, customer complaints or an incident hotline.
  • Any flagged record from analytics/surveys can be actioned for response/remediation.
  • Integrate analytics results into audits, compliance reviews or risk assessments.
  • Assess current versions of standards, regulations, policies or legal obligations.
  • Work offline and sync later where internet is unavailable.
  • Create dashboard views with executive narratives across programs or agencies.


  • It's easy to adopt and configure so there's rapid ROI.
  • Can study disparate, complex agency operations in a normalized view.
  • Customers are always on the latest and only software version.
  • Easy to access and collaborate, teams gain efficiency, expand coverage.
  • Galvanize manages the infrastructure and software, so there are no IT blockers.
  • Library of on-demand resources to support beginners and advanced users.
  • Single entry point to access the service or learning ecosystem.
  • Integrate data or surveys in audit, risk or compliance assessments.
  • Galvanize and Amazon exceed SOC2 and ITGC compliance standards.
  • Galvanize drives user adoption through great design and crisp performance.


£15000.00 per licence per year

  • Education pricing available

Service documents

G-Cloud 11



Stephane Vergnaud

02039 00 1288

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements
  • Windows
  • IE 10+, Chrome, Safari, Firefox (latest releases)

User support

Email or online ticketing support Email or online ticketing
Support response times Within 24 hours or less.

Weekends - Can be up to next working day
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 A
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 A
Web chat accessibility testing We run automated testing.
Onsite support Yes, at extra cost
Support levels 24x7 support for all clients at no extra cost, included in licence fees. Technical account manager (Customer Intensity
Support available to third parties No

Onboarding and offboarding

Getting started Clients generally begin with tailored on-site training delivered by our customer success team. This is complemented or supplemented by online training delivered through Galvanize's e-learning academy (no additional cost for licensed users). Comprehensive help documentation is available at
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The customer has the ability to backup/export their data from Projects in zip format; more details here;
End-of-contract process Highbond will retain your data for a period of 60 days after subscription termination to allow time for data extraction via the backup/export function.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No differences
Service interface No
What users can and can't do using the API Customers can use public API access via public tokens to programmatically access their GRC data.
API documentation Yes
API documentation formats Other
API sandbox or test environment No
Customisation available No


Independence of resources Processing capacity is monitored on an ongoing basis, and it can be increased rapidly if needed using the underlying elastic cloud-based architecture.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach The customer has the ability to backup/export their data from Projects in zip format; more details here;
Data export formats Other
Other data export formats
  • Word
  • PDF
  • Excel
  • Powerpoint
Data import formats Other
Other data import formats Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Data protection within supplier network
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Galvanize HighBond is delivered securely via TLS, with up to AES-256-bit encryption.

Availability and resilience

Guaranteed availability SLA details can be found here under Schedule A;
Approach to resilience Highbond GRC has master and slave replicated database servers and failsafe attachment storage across data centers within each geographical region.
Outage reporting Systems are also monitored for availability and performance using automated monitoring and alerting. contains availability history and customers can subscribe to email alerts.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Only Highbond DevOps team members and Highbond production support personnel have access to Highbond GRC production systems using a principle of least privilege. Technical controls include username, passwords, IP whitelisting, OTP and asymmetric
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • SOC II
  • Aligned with ISO 27001 and working towards accreditation

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards
  • FedRAMP standards are complied with
  • SOC 2 standards are complied with
  • Aligned with ISO 27001 and working towards full certification
Information security policies and processes An Information Security Management Program is implemented that includes administrative, technical and physical safeguards to protect assets and data from loss, misuse, unauthorised access, disclosure, alteration and destruction. The security program consists of risk management, asset management, security policies, HR policies, operational procedures, access control and communications. Incident Management is performed through the alerting, categorisation, performance process, escalation and communication of incidents. Highbond has a communications plan in place to notify both internal employees and external customers during an incident response. Quarterbacks are established to coordinate communications over an incident period.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach SDLC methodology where all features are defined, designed, developed, tested and deployed. Multiple iterations of testing and building are performed through the SDLC lifecycle (including security checklists, peer review, formal automated and manual security QA, and static code analysis) in development, staging and production environments. The change management process ensures consistent code quality and security for each change deployed to production.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Highbond performs weekly vulnerability scanning and remediates findings based on severity using the CVSS rating system. Weekly blue/green deployments allow us to continuously deploy patches into our environment.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Highbond has developed procedures for monitoring Highbond GRC systems for performance, availability and security-related events. System logs from Highbond GRC production systems are continuously monitored, and any anomalies are investigated promptly by the Highbond production operations team. Processing capacity is monitored on an ongoing basis, and it can be increased rapidly if needed using the underlying elastic cloud-based architecture.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach An incident response process has been defined to ensure timely and effective identification of, and response to, security-related incidents. All actions taken during the incident response process are documented and reviewed to ensure continuous improvement. Operations and support personnel follow defined protocols for resolving and escalating reported events according to the incident response process. Internal and external users are informed of incidents in a timely manner on a need-to-know basis. Users are notified as needed via various collaboration tools.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £15000.00 per licence per year
Discount for educational organisations Yes
Free trial available No

Service documents

  • Pricing document (PDF)
  • Terms and conditions (PDF)