Register Dynamics – Management and publishing platform for linked reference data Registers

Standard definitions allow your teams and your data to work together. gives your organisation control to define and manage standardised cloud-first data that is essential infrastructure for your business processes. Data custodians define authoritative sources with a human-friendly, self-serve interface for organisations to use as canonical reference data everywhere.


  • Create and update unlimited Registers using a simple, self-service interface.
  • Custodians can check and approve drafts made by team members.
  • Create private data Registers or use public Open Register hosting.
  • Run quality tests on draft changes before publishing them live.
  • Publish multiple versions and pick one for each application environment.
  • Use built-in picker tools to quickly embed Registers in websites.
  • Access powerful analytics to understand who’s using data and how.
  • Import existing data spreadsheets in any model and format.
  • Audit every change to data with complete, transparent verifiable logs.
  • Automate workflows for handling changes in source data.


  • Prevent mistakes and errors, increasing data quality using golden sources.
  • Interoperate by using data dictionaries and canonical code lists.
  • Enables smarter data stewardship with human-friendly reference data management (RDM).
  • Easily use authoritative lists everywhere: in services, websites and forms.
  • Trust processes are safe and secure with blockchain-powered verifiable data.
  • Supports teams to collaboratively manage authoritative sources of data.
  • Achieve best-practice organisation-wide data governance by widely disseminating canonical lists.
  • Real-time APIs automate away costs from expensive database change requests.
  • Fully standards-compliant with the Government standard for GDS Registers.
  • Reuse existing Open Registers of reference data from around Government.


£3150 per licence per month

Service documents


G-Cloud 11

Service ID

6 2 3 0 1 1 7 8 1 2 3 9 7 9 9


Register Dynamics

Simon Worthington


Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints No
System requirements None

User support

User support
Email or online ticketing support Email or online ticketing
Support response times For all customers, we provide support within standard business hours (Mon-Fri 8:00am-6:00pm, excluding English public holidays). We respond to P1 (loss of service) and P2 (loss of update) incidents within 2 hours. We respond to P3 (degraded experience) incidents within 4 hours. We respond to P4 (manual configuration or training) requests within 1 business day. Support outside of standard business hours or with agreed shorter resolution time is available as a paid add-on.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels For all customers, we provide support within standard business hours (Mon-Fri 8:00am-6:00pm, excluding English public holidays). We provide agreed response and resolution times depending on the priority of the support request.

For P1 (loss of service) incidents, we will respond within 2 hours and resolve within 4 hours.
For P2 (loss of update) incidents, we will respond within 2 hours and resolve within 8 hours.
For P3 (degraded experience) incidents, we will respond within 4 hours and resolve within 2 business days.
For P4 (manual configuration or training) requsts, we will respond within 1 business day and resolve within 4 business days.
Please see our service definition document for our description of these standard support tiers.

For Pro tier customers, support requests are limited to P3 or P4 levels. For customers of Business tier or higher, support outside of standard business hours or with agreed shorter response or resolutions times is available as a paid add-on.

All customers of Business tier or higher are assigned a Technical Account Manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started For all customers, online training is available from within the service to provide users with information on how to use the application. This includes basic "getting started" guides and step-by-step "how-tos" covering the main functionality of the service.

For Business tier customers, onsite training is available as a paid add-on.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All user data is available via API or user interface at all times, so users can export all their data before the contract ends as desired.

If requested, Business tier customers can also have their data e-mailed to a named account e-mail address free of charge at the end of the contract.
End-of-contract process At the end of the contract, all existing users are converted to Community tier users. If users previously authenticated via a SSO mechanism, the users are emailed a link to create a new password the first time they attempt to sign in. All private Registers and environments become read-only to their owner and are deleted after 30 days. All Open Registers remain open and are owned by the user that initially created them.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service uses a reactive layout that scales to all mobile screen sizes. All functionality is available. Some user interface elements are optimised for mobile users.
Service interface No
What users can and can't do using the API Using the API, users can:
• create Registers for themselves or their team,
• push changes to any of the Registers or environments owned by their team,
• search for, clone, or access root hash and metadata information for any Open Registers, or Registers or environments owned by their team.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customers of Business tier or higher can fully customise the logo, branding and livery of all app pages served from their custom domain by sending their custom CSS documents from one of their account e-mail addresses.


Independence of resources We operate in a cloud environment and scale our resource usage in real-time to meet demand.

For customers with an on-site installation, each instance is run in a separate cloud environment to ensure complete isolation from other users.


Service usage metrics Yes
Metrics types Users are able to see the usage of their Registers in terms of number of downloads and number of linkages from other Registers.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Users can export all Registers and environments from the system via API calls or from the user interface.
Data export formats
  • CSV
  • Other
Other data export formats
  • Register Serialisation Format (RSF)
  • MS Excel (XLSX)
  • Tab-separated values (TSV)
Data import formats
  • CSV
  • Other
Other data import formats
  • Register Serialisation Format (RSF)
  • Tab-separated values (TSV)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability For SaaS usage, we guarantee 98% availability Mon-Fri 8am-6pm, excluding English public holidays. Account owners are automatically notified by e-mail if delivered availability drops outside this limit, Please see our service definition document for full details of our SLAs and refund policy.
Approach to resilience We make use of cloud hosting with multiple availability zones and distributed database technology to provide resilience of our service. Details of our specific design are available on request.
Outage reporting Outages are communicated via a human and machine-readable status page and are distributed via e-mail.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Access to support channels and admin role modification is limited to a set of named account email addresses. Only emails that are received with domain verification and from an account email address are able to manage support tickets and request admin role changes.

Only users given an admin role via an account email address are able to access management interfaces and grant access to other lower capability users.
Access restriction testing frequency At least once a year
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We have assessed ourselves to be compliant with CCM CSA v3.0. We have security policies that outline the governance requirements on all our systems, infrastructure and staff, and we can share these on request.
Information security policies and processes Our Security Policy requires that change management, vulnerability assessment, data security and incident management processes are followed, and governs how we undertake datacentre security, key and encryption management, access management and audit. We designate a named Director who is responsible for ensuring that processes are sufficiently rigorous and are being implemented fully. Governance is delegated to an Operational Security Group (OSG) who have responsibility for implementing and reviewing our security governance processes, and for undertaking review of our deployed systems and infrastructure. All staff with access to sensitive information report how they are meeting the requirements of the policy to OSG.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our change management approach complies with CSA CCM v3.0. Any new development or acquisition of application, operational resource or development tool is approved and tracked. Access to security keys or passwords for any accounts through which these resources are acquired is limited to named individuals. Releases of software or infrastructure components are assessed for risks, possible impacts, and possible vulnerabilities and require approval. Backout plans are defined. All changes are tested and validated in a test environment prior to being pushed to production. Appropriate software and hardware protection is utilised to protect devices and infrastructure with access to sensitive information.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our vulnerability management approach complies with CSA CCM v3.0. New resources and changes are assessed for vulnerability and potential compromise as above. Infrastructure and devices have platform-appropriate malware and mobile code protection installed or deployed. Best-practice user authentication to infrastructure (e.g. public key, 2FA) is used where available. Use of third-party dependencies is limited to trusted sources. Changes to third-party dependencies are applied regularly are assessed, approved, tested and released as above. External vulnerability announcements for all third-party dependencies are monitored and corrective action taken if appropriate. Penetration assessments are carried out at least annually by an external accredited organisation.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Our protective monitoring approach complies with CSA CCM v3.0. Systems and infrastructure are analysed thoroughly to ensure potential compromises are understood and all vectors have sufficient audit information collected and stored using platform-appropriate technology. Access to sensitive audit information is limited to a named list. Regular and frequent analysis of audit information occurs automatically or manually as appropriate to the nature of the potential compromise. Potential compromises have an incident management process defined (as outlined below) that ensures timely communication with customers and resolution of incidents. Protective monitoring approaches are reviewed regularly both internally and externally by an independent body.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our incident management approach complies with CSA CCM v3.0. Possible security incidents have a defined incident management process (including steps for triaging the potential impact of the incident, identifying and communicating with affected stakeholders in a timely and regular manner, identifying affected information, and taking immediate steps to resolve the incident and secure any affected systems). Possible and past incidents are reviewed regularly to identify where implementing additional security controls would prevent the incident from occurring. Points of contact (email and phone) are actively maintained and made available for customers to report potential incidents and for liaison with external enforcement.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £3150 per licence per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Our Community tier (free of charge, forever) allows users to make and manage Open Registers and access all Open Register data via API, picker tools or Live Spreadsheets.
Link to free trial

Service documents

Return to top ↑