Pentagull Ltd

Enterprise Service Builder (ESB)

Enterprise Service Builder (ESB) is a unique service delivery platform that enables rapid deployment and flexible process flow automation for enabling services in the public sector.
ESB is a highly flexible, scalable and resilient platform that helps the public sector reduce costs and facilitate improved service.


  • Enterprise digital platform uniquely designed for public sector services
  • Powerful business rule engine enabling rapid deployment/development
  • Fast, robust and powerful workflow engine seamlessly automates business decisions
  • Product library of ready built applications
  • Support for main mapping providers for spatial referencing
  • Support for latest smartphones and tablets
  • Built in document management system
  • Granular Role Based Access Control (RBAC) to data
  • Custom dashboards provide key information at-a-glance
  • Full integration with Active Directory for authentication and authorisation


  • Facilitates cost reductions
  • Streamlines processes
  • Secure data model
  • Ability to consolidate multiple systems
  • Facilitates consistency
  • Enables rapid development
  • Simple to change and maintain
  • Extremely flexible and sustainable
  • Powerful reporting tools
  • Enables mobile and agile working


£24500 to £60000 per unit

  • Education pricing available

Service documents

G-Cloud 10


Pentagull Ltd

Stuart Gilbert

0845 680 7147

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements
  • Supported Web-browsers
  • Working LAN, firewall and Internet Connectivity

User support

Email or online ticketing support Email or online ticketing
Support response times Each support issue will be raised as a ‘ticket’ on our help desk system and the appropriate resolution will be scheduled and communicated to the client.
Our service desk is staffed by knowledgeable staff providing first level support. This is backed up by unrestricted access to our second and third level support, provided by our own experienced consultancy and development teams.

Priority A - System not usable or service down - 1 hour.
Priority B - Important production job or service will not run - 4 hours.
Priority C - Any other problem call - 1 day.

Additional support levels available upon request.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support is standard and included within the licence charge. All customers benefit from the same excellent level of support. Each customer will be provided with a dedicated Account Manager and full access to support channels.
Support available to third parties Yes

Onboarding and offboarding

Getting started As ESB is a flexible platform offering numerous functional parts and each client’s use is bound to be disparate, our approach to on-boarding would be through collaborative working with the client.
The methods we would use to facilitate this would be through a combination of onsite training, online training, and access to our extensive online documentation site.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The service has in-built functionality to extract information in various formats available to the users.
Additionally, if required, we will provide a data extraction service tailored to the individual needs of the customer.
End-of-contract process All client data returned to client. All client access deactivated. Relevant secure processes fully applied. Final invoice prepared.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Use of accessibility tools such as JAWS has been tested with the browser form UI. Labels and field content have been verified for speech output.
Customisation available Yes
Description of customisation Scope for complete customisation of software.
Customers can use configuration tools included within the service.
Access to configuration tools controlled through user roles and permissions.


Independence of resources A series of key performance metrics are constantly monitored, ranging from low level operating system counters to high level application layer metrics. This allows us to automatically respond to increases in demand by scaling up the resources allocated to the application before any impact is felt by end-users. By partnering with Amazon Web Services we are able to leverage the vast resources of their Elastic Compute Cloud (EC2) to ensure that we can continually exceed our capacity requirements.


Service usage metrics Yes
Metrics types As a web application our primary performance metric is the page response time. This is carefully monitored to ensure it stays within acceptable levels. In addition to the HTTP response metrics, a number of lower-level metrics are monitored to ensure the application stack remains healthy and responsive. These include CPU usage, memory usage and disk I/O metrics.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach A wide variety of formats and platforms are supported for secure data export
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Service Level Agreements and remedies therein are contract specific
Approach to resilience Our service is hosted on infrastructure provided by Amazon Web Services, who provide a monthly uptime percentage of 99.99%. To achieve maximum resiliency, we utilise all 3 AWS London data centres (known as Availability Zones) as either active or DR locations. This means that in the event of total data centre failure we are able to resume service using one or both of the alternate locations. Impacts to service delivery caused by more routine events such as server patching, server reboots and failure of individual components are mitigated through the use of load balancing and redundant storage. At the network level, AWS provides multiple carrier-independent feeds to each of its data centres.
Outage reporting Service outages, whether unplanned or as part of scheduled maintenance, are communicated to customers via email alerts. Each customer may nominate a number of key personnel who will receive such alerts. The email alerts service is hosted using infrastructure that is totally independent from that which is used to host the service, ensuring that even a catastrophic failure of AWS infrastructure does not affect our ability to communicate with our customers.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Access is restricted to designated support staff at a level required for them to perform their role.
In terms of management interfaces there is an escalation process in place whereby senior staff can interface if required.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Pentagull Ltd is currently working towards achieving the ISO27001 certification, which we hope to achieve late 2018. Consequently, we currently have a security policy in place that adopts the principles from ISO27001. In line with ISO27001 compliance this is regularly reviewed and ratified by the board. A board director is directly responsible for the security policy and its implementation is managed operationally by our security officer.
Information security policies and processes The board director who is responsible for the security policy ensures that this is regularly communicated to staff. Additionally, steps are taken to ensure that staff understand the salient sections of the policy. The security officer ensures that the policy is provided to the staff and manages the security procedures. The security officer reports to the board director. Upon induction all staff are required to familiarise themselves with the security policy and the procedures within it. If security is breached then firstly this is documented by the security officer and then reported to the board director. At this point the security officer and board director make a decision on any subsequent action to be taken and/or further investigations to be completed. Based on the feedback from these decisions they mutually decide whether to implement new procedures, countermeasures and mitigation(s) and/or revise the security policy.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change control to our ESB platform’s core is managed through the practice of continuous integration (CI). Each build is tracked through a formal version control process supported by a software version control system. Each new release has formal unit, integration, security and regression testing and is released into test environments before subsequently making it into the live environment.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our vulnerability management process is based on industry standards combined with advice from our own hardware/software suppliers. We regularly review our infrastructure to ensure we identify and categorise components based on risk/impact.

Patching is automated where it’s practical to do so; outside of this we have a robust patch management procedure, including a named individual responsible for patch management. All patches are applied within 7 days of release.

In order to keep abreast of the latest infrastructure threats we obtain information from multiple sources: our own hardware, software and infrastructure suppliers, and a number of industry outlets.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We employ proactive monitoring of various logs to detect unusual patterns of activity. This includes traffic and request patterns, authentication attempts and analysis of source IP addresses.

Our Incident Management System is used to manage and respond to any suspected compromise. This provides us with a structured way of handling potential security issues at each step of the investigation, and ensuring timely disclosure to our customers where appropriate. All suspected security incidents are investigated within 24 hours and co-ordinated by our Security Officer.
Incident management type Supplier-defined controls
Incident management approach Customers are able to report incidents using our support portal. Each incident is logged directly into our support desk system with automated RAG categorisation and escalation of priority items.
Workflow within this system is also capable of routing specific problems or customers to an individual or team.
The teams also have access to a knowledge based system that enables rapid diagnosis of problems.
We proactively monitor incidents on a regular basis to highlight any mitigation that we can put in place to reduce the likelihood of re-occurrence.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £24500 to £60000 per unit
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document