Bitjam Limited

Co-produced software development services

Bitjam is an ethical software company that develops innovative solutions for web, mobile, IoT and AI systems. We are a highly experienced team using co-production and agile methodology, focusing on accurately fit the needs of the users. Proven experience in multi-national public sector systems with a social impact.


  • Tailored to each client
  • Ethical company, driven by social impact
  • Experienced development team
  • Apps and web services proven to benefit communities
  • Highly collaborative process
  • Adept at both multinational and smaller projects
  • Agile methodology
  • Reliable technologies


  • Accessible on mobile and web
  • Supports remote working
  • Easy to use final product developed with users
  • Scalability


£450 a person a day

Service documents


G-Cloud 12

Service ID

6 4 1 9 7 1 0 5 7 0 2 0 5 6 8


Bitjam Limited Carl Plant
Telephone: 01782 454304

Service scope

Software add-on or extension
Cloud deployment model
Hybrid cloud
Service constraints
Dependant on SLA
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard Support Monday to Friday: 09:00 - 17:00
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Dependent upon agreed SLA
Support available to third parties

Onboarding and offboarding

Getting started
Video or face to face meeting(s) carried out to scope out specifications that are documented and agreed upon. Letter of engagement signed along with terms and conditions. User documentation or videos supplied on completion.
Service documentation
Documentation formats
End-of-contract data extraction
Bitjam are data processors only so the client has control of data management during and after our R&D services have completed.
End-of-contract process
Full data copy provided to customer, then service terminated and all data deleted

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices
Differences between the mobile and desktop service
We design products to be mobile-friendly. Differences between the mobile and desktop service depend on application specifications
Service interface
Description of service interface
Dependant on specific product
Accessibility standards
WCAG 2.1 A
Accessibility testing
A blind student has tested out our main types of software.
Customisation available
Description of customisation
Software is co-produced with the client.


Independence of resources
Dedicated client servers, and SLA for support time.


Service usage metrics
Metrics types
Usage and performance
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Less than once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Login, depending on permissions, they can select data and download to their local machine as a CSV.
Data export formats
  • CSV
  • Other
Other data export formats
  • Json
  • Pdf
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Dependent upon agreed SLA
Approach to resilience
Available on request
Outage reporting
We set up Emails alerts and text message alerts for specific users. We also provide access to dashboards.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
We have identity management processes (IAM in AWS for example) and 2Fa, with each user registered on a access list per software or service we use.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We are a small team of three so reporting is done immediately following any learning experience or incident.

We have DPIA assessments and privacy statements (where necessary) for each new project. We have data protection, data privacy, records management and information security policies in place.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use Gitlab to track changes and change requests.

We develop using a staging environment where we can test new features, for any changes to existing code we assess if the change has low, medium or high risk on data security and integrity. Each level has increasing levels of testing and user acceptance testing.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We monitor using Anti virus scanner and We patch the service when we get notified of high level security patches from ubuntu-security-announce.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Enhanced alerting - 16 hours per working day. Customer access to analysed data.

We scan applications we host for vulnerabilities plus malware scanning. We monitor any system we host for abnormal traffic or abnormal resource utilisation, we review access logs and error logs for any suspicious activity.

Regular reporting.
Incident management type
Supplier-defined controls
Incident management approach
Yes we have a policy that states how incidents are reported and escalated. We have a duty to report to our clients if any data breach has occurred. We also have a process to review near misses and action against them.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
NHS Network (N3)


£450 a person a day
Discount for educational organisations
Free trial available

Service documents