GoodSAM Limited

GoodSAM Pro

GoodSAM Pro ( is a Web/Smartphone Application based personnel management, tracking, communications and dispatch system e.g. for emergency services, co-responders/CFRs. The Responder application enables streaming of scene video and real time staff/resource mapping. The system has major incident / joint-command capabilities and applications in elderly care / long-term care management.


  • Smartphone based real time resource tracking and dispatch system
  • Real time communication system (e.g. for individuals and major incidents)
  • Real time secure video streaming platform (e.g. from scene/patients)
  • Highly sophisticated integrated data analytics system
  • In built patient report forms / incident report forms
  • Highly configurable dispatch rules (select responders)
  • KML Mapping options for different dispatch rules
  • In built file storage facility
  • Ability to book on duty / off duty
  • World's largest defibrillator register


  • Effectively dispatch staff/responders using own their own phone/hardware.
  • Effectively communicate with staff/responders using own phone/hardware
  • Continuously map resources and personnel across organisations
  • Joint command platform for major incidents
  • Improve triage of patients through on-scene video to clinical hubs
  • Improve patient pathways through remote care (managing range of conditions)
  • Realtime analysis of data to monitor KPIs/arrival times / responses
  • Communicate with staff/responders when off and on duty.
  • Configure maps with icons to reflect specific each specific resource
  • Vital Signs technology in video gives instant pulse/respiratory rate


£50 to £200 per user per year

  • Free trial available

Service documents


G-Cloud 11

Service ID

6 3 2 3 0 4 8 4 1 3 0 6 0 2 3


GoodSAM Limited

Mark Wilson


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
GoodSAM Pro can be used as a web-based standalone system or integrated into CAD via API. It uses the same infrastructure as the GoodSAM Cardiac system but allows dispatch to a range of incidents beyond GoodSAMCardiac. GoodSAM Pro also includes video streaming through Instant on Scene and advanced dispatch tools.
Cloud deployment model
Private cloud
Service constraints
No - the system is hardware neutral and works on any network. No third party software is used and we have a managed continuous uptime with no interruption for maintenance.
System requirements
Requires HTTP support

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email support is provided 24/7 - response time for non-urgent requests are within 24 hours. Urgent requests (those affecting system use) are dealt with by Technical team within two hours of request being logged.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Support is included as part of service, including technical account management and access to our tech team 24/7. Specifically: System Uptime - System uptime will be maintained at 95% (excluding planned outages) 24 Hour Support Service - 95% of responses to requests provided within 3 hours from the time the email was logged. Rectification of Faults. Severity 1 - High impact, ie Loss of functionality - 90% of Faults are rectified within 24 hours, from the time of the email being logged. Severity 2 - Medium impact, ie Incorrect settings or changes not working. 90% of Faults are rectified to the satisfaction of client within 2 days, from the time of the email being logged. Severity 3 - Low impact, ie Fault is an inconvenience. 100% of Faults are rectified to the satisfaction of client within 7 days, from the time of the email being logged. Planned Outages. 100% of outages for technical maintenance/system updates/upgrades are planned and agreed with client - 14 days notice will be provided. Upgrades to software modifications, updates or new releases. 100% of upgrades will be provided on release whilst maintaining functionality. Where this is not possible, permission from client will be sought.
Support available to third parties

Onboarding and offboarding

Getting started
We can provide a trail service to enable an organisation to utilise the platform in their own environment to test and ensure subsequent effective implementation.

Both on-site and off-site training can be provided together with user manuals and explanatory videos. Previous experience has shown the system to be highly intuitive so minimal training is normally required.

CAD integration and API support to facilitate integration is provided by our tech team.

Additionally we have a wealth of global experience in implementation co-responding systems around the world and our advisory board (made up of emergency services already utilising the platform) are always happy to share knowledge and best practice. We can help with governance / culture change issues and advise on system roll outs.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data retention and disposal is agreed with buyer before service commencement. Typically this includes an agreement for GoodSAM to provide any data held to the buyer and then destroy additional records. All data is held and accessible via the Dashboard at all times. Buyer is able to extract data directly from the Dashboard.
End-of-contract process
There are no additional costs at the end of the service. At the termination date, GoodSAM revokes access to the system, shares a record of any data stored and destroys a record of the data. As the system operates in a stand alone capacity, further action is not required and other systems are not affected.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • Android
  • IOS
  • Windows Phone
Designed for use on mobile devices
Differences between the mobile and desktop service
The GoodSAM Application is designed for use on mobile smartphone and tablets.

The GoodSAM Web-based dashboard is designed for use on desktop and tablet.
Service interface
Description of service interface
The basic service interface is the Web based dashboard. This is comprehensive and gives access to all real time data and adjustable features of the platform. Additional service interfaces can be provided through CAD integration. GoodSAM Pro has many features which can be enabled for specific clients.

Based on those feature and requirements we can provide the service interface on demand.
Accessibility standards
None or don’t know
Description of accessibility
1)From Web Dashboard
- Dispatches from CAD
- Bespoke dispatch rules.
- Communications platform (push notification, email, buzz messaging).
- Track resources and Responders in realtime.
- Share resources/comms functions across organisations.
- Gather personal information, approve and categorise Responders within organisation.
- Time stamp Responder actions
- Generate reports inc. PRFs.

2)From the Application
- Report on-duty to accept dispatches beyond cardiac.
- Communicate with Control and Responders via buzz messaging, radio communications.
- Identify location of other personnel and resources (e.g AEDs).
- Video stream into the Control.
- Receive Responder notification via SMS.
- Completion of PRF.
Accessibility testing
What users can and can't do using the API
Auto sign up API - add a certificate record for your organisations, move Responders under organisations, delete certificate records if they are not yet used. Fetch all the user and certificate records

Defibrillator API - Add/update a defib, fetch defibs within an organisation, get defib images, readd defibs, upload/update defib images.

Dispatch API - assign alert, cancel alert/provide additional message, get information on alerts, use shapefiles, return density of Responders, create an alert.

Reporting API - fetch feedback reports, alerts triggered, on duty hours, Responder sign up .

Responders API - fetch all active Responders in the Supervision Area.

Streaming API -send link for streaming - open up users camera and start streaming via text or email, invalidate link, delete stream and metadata using ID, fetch metadata of all recorded streams in date/time range, download stream using its name.

Storage API - can be used to transfer video from cloud to local servers for in house storage.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
The GoodSAM dashboard is fully customisable:

By Systems administrators:
- Approve Responders
- Create tiers/ categories of responders (with different icons)
- Create dispatch / alerting rules (variable number of responders over variable radius in variable (map specified) regions
- Create composite rules (by combining rules)
- Appoint other admins
- Initiate, view and store video
- Switch on / off vital sign assessment in video.

By responders:
- Many variable features (e.g. restrict radio comms, over-ride silent, go incognito)
- Go on / off duty

By GoodSAM for services:
- Brandable platform that can be organisational or location based.


Independence of resources
Built on the idea of modularity (micro-services) and scaleability and have a proven track record. We've onboarded large emergency services globally.

We run all out our services in HA mode and since we have a modular architecture, we can horizontally scale the module/micro-service which is under the heavy load.

Key components of architecture:

1) Stateless app servers

2) Stateless cad servers

A micro service based architecture is extremely easy to scale and the system auto-scales with clusters which means it is able to dynamically adjust the number of our servers based on the user demand and usage.


Service usage metrics
Metrics types
Yes - provide comprehensive service usage metrics.

For example on a service level:
Number of registered responders/new responders
Number of dispatches triggered

Then comprehensive individual dispatch data:
CAD number, Responder identifier, contact details, location, time alerted, on scene, with patient (all timestamped). AED present. Then comprehensive patient report form data: nature of incident (e.g. medical, trauma, specifics), what was done on scene (e.g. CPR, defibrillation), outcome.

We can also provide additional / modified data if requested.
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
Physical access control is in place for the datacenter complying with SSAE 16 and the ISAE 3402. We use AWS which is also a G-cloud compliant data centre. When the data is at REST, we use AES-256 bit encryption. Our data storage system always have a replication factor greater than 1 and we have automated back-up generation in place.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can utilise the inbuilt analytics function to get real time analysis of data (e.g. radius of response suggested based on real time emergencies and number of responders).

Users can export data (for example incident/patient report forms) directly from the web dashboard as a CSV file or directly into CAD via the API. Video data can be: not stored, stored in cloud (then downloaded) or transferred direct via an API to local servers.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML
  • HTML
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • HTML
  • XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
DTLS and SRTP for video transmission
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
DTLS and SRTP for video transmission

Availability and resilience

Guaranteed availability
System Uptime guaranteed at 99.99% (excluding planned outages).
Refund of 3% of the monthly license fee if not met.

24 Hour Tech Support Service. 100% of response to requests provided within 1 hour from the time the call was logged. Refund of 1% of the monthly license fee if not met.

Rectification of Severity 1 Faults - High impact. 100% of Faults are rectified to the satisfaction of the buyer within 24 hours, from the time of the call being logged. Refund of 3% of the monthly license fee if not met.

Rectification of Severity 2 Faults - 100% of Faults are rectified to the satisfaction of buyer within 2 days, from the time of the call being logged. Refund of 3% of the monthly license fee if not met.

Rectification of Severity 3 Faults - 100% of Faults are rectified to the satisfaction of the client within 7 days, from the time of the call being logged. Refund of 3% of the monthly license fee if not met.

Upgrades to software modifications, updates or new releases - 28 days notice will be provided - Refund of 3% of the monthly license fee if not met.
Approach to resilience
All GoodSAM features are coded in house. There is no third party utilities (e.g. video is done through native WebRTC not through Skype or a commercial third party). This means we can guarantee uptime as we are not reliant on another party. This accounts for why we have not had even a second downtime in 4 years.

The GoodSAM Platform is built using micro-service architecture which is the bleeding edge industry standard. (Rather than being one monolithic which cannot be changed, load balanced, scaled, improved or continuously deployed.)

We have Disaster Recovery (DR) environments and have automated back ups for our data storage solutions.

For our relational data storage solution, we use Log-Shipping and AG-Replication and can in almost all scenarios can recover from master server failures without the clients noticing.

Our non-relational data storage is Multi-DC replicated by design and we achieve data consistency by performing quorum read and writes.

Further information can be supplied on request.
Outage reporting
Supplier will report any outages to Buyer via email alerts.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access to data is tightly controlled by users roles, password restricted to closed group of authorised employees. Access and use is closely monitored and systems in place to ensure access is only provided to those with a bona fide interest. We also train employees on acceptable use and have protocols in place which all employees adhere regarding security protocols.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
We use AWS which is also a G-cloud compliant data centre.

We fully meet ISO/IEC 27001 compliance and are in the process of attaining accreditation. A Letter of Commitment from our Accreditors is available upon request.

We are fully GDPR compliant and ICO registered
Information security policies and processes
We have information security policies in place to ensure confidentiality (data and information assets is confined to people authorised to access and not be disclosed to others), integrity (keeping the data intact, complete and accurate, and IT systems operational) and availability (system is at disposal of authorised users when needed). Our security policies adhere to the Security Forum's Standard of Good Practice, the International Standards Organization's Security Management series and the Information Systems Audit and Control Association's Control Objectives for Information Technology. Specifically, we adhere to additional sub-policies, including: Authority & Access Control Policy to ensure staff are permitted hierarchical access according to their role. All access is monitored and staff adhere to Acceptable Use and Data Handling Policy. We also have a Change Management Policy, Incident Response Policy, Remote Access Policy, Email/Communication Policy, Disaster Recovery Policy and Business Continuity Plan. We also have processes to ensure technology standards, procedures and guidelines for staff and workflow processes.

We are fully GDPR compliant and ICO registered

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
There is no third party utilities or components are used. All code is done in standard programming languages of objective C for iOS, Java for android, C# for windows phones and HTML. No contractors are used - all tech is developed in house. This means we can manage change effectively through our in-house processes and the security impact is mitigated. This accounts for no downtime in the last five years.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All of the communications on our platform are done using TLS 1.3 or 1.2. We also have an integrated database with amazon/google and are able to deprecate crackable ciphers. We don't use Windows products at all due to their known vulnerabilities, all the services are Linux based and developer environments are Unix based. We also have measures in place for various hack prevention such as cross site scripting, DOS, DDOS and brute force attack. Unauthorised kernal modules are continuously scanned and checked against the Amazon’s AWS definitions.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We employ repeatable and periodic process for scanning, identifying and remediating newly discovered security vulnerabilities on servers, workstations, network equipment, and applications. We use Linux and Unix based kernals and all actions are monitored based on the users logon and roles. Policy and procedures have been developed in line with relevant legal and regulatory requirements and also adhere to NHS industry standards. Our Tech team commit to responding to all critical incidents 24/7, with all issues resolved within 24 hours of being identified.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
A summary of the incident management approach is below: Incident logging - Incident logged through phone and email. Incident categorisation - based on the area of IT or business Incident prioritisation - priority of incident determined as a function of its impact and urgency using a priority matrix, determining the time within which the incident should be resolved. Incident routing and assignment SLA management and escalation Incident resolution Incident closure Post-incident review - all incidents are reviewed and evaluated by Technical Team. Reporting - All processes are logged and Buyers are able to request incident reports documenting steps taken.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
NHS Network (N3)


£50 to £200 per user per year
Discount for educational organisations
Free trial available
Description of free trial
We offer a free trial (period to be agreed with the Buyer - typically three to six months) accessed through the standard alone dashboard. This is subject to reasonable use based on the number of dispatches and texts generated/ recording stored.

Service documents

Return to top ↑