Umbraco CMS - Responsive, well designed and easy to manage websites

Umbraco is an incredibly easy to use content management system which is fully customisable to meet your needs. Brightwire is an Umbraco Certified Partner - we design and develop responsive and integrated websites and web applications. Used extensively, this cost-effective and high-performance platform is easy to use, easy to manage.


  • Complete flexibility - platform is heavily customisable
  • Easy to use for non-technical users
  • Systems integration with other applications
  • Digital asset management with a media library
  • Multimedia Support
  • Content publishing and expiry tools
  • Responsive design
  • E-commerce capability
  • Member and partner portal capability
  • Stunning visual designs with optimum user experience and usability


  • Incredibly easy to use and manage content
  • Zero licence fee means lower cost of implementation
  • Rapid development platform
  • All the features you'd expect of enterprise content management
  • Full training and support services provided
  • Supports restricted access areas for specified groups or members
  • Supports micro sites and blogs
  • Supports workflow and content approval models
  • GDPR compliant
  • Accessibility compliant


£675 per person per day

Service documents


G-Cloud 11

Service ID

657587944754571



Clare Millar

0131 541 2159

Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints None - clients have a choice of deployment and support models depending on organisational and infrastructure requirements.
System requirements Web browser (IE, Chrome, Safari, Firefox, Opera)

User support

Email or online ticketing support Email or online ticketing
Support response times There are defined SLAs and Out of hours support models covering weekends and bank holidays. Support incidents are classed in three categories (Level 1 Critical, Level 2 Major and Level 3 Minor) each with four defined stages. A Level 1 incident has a maximum response time of 1 hour. Our support desk runs within office hours for the majority of clients, with year-round out of hours support also available on request.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support levels are based on an agreed allocation of time per month, with time reporting to indicate usage. Support can be scaled back or topped up accordingly. Support is based on a day rate. For out of hours support this cover is based on the client's need and an appropriate cost is calculated. We have clear support procedures in place and a technical account manager as well as a nominated support engineer are both provided as part of the support agreement.
Support available to third parties Yes

Onboarding and offboarding

Getting started We offer a variety of training plans to help users start using the service.
• Some training is face to face for administrators but we have extensive user based online training for our SaaS offerings.
• User documentation is provided where required in electronic format.
• Onsite training: provided to groups of trainees who are usually split by administrative and user type. We recommend a 'train the trainer' approach with advocates who will be the key 'go to' people within the organisation, and provide floorwalking.
• User guides: these can either be documented or video guides for users and contain quick tips and handy reference information.
• Online training: we can provide online training if required - typically to larger groups of users.
• The level of onboarding and offboarding support depends on the customer's requirements.
• We can provide full support for organisations where there is an organisation-wide rollout, as well as pilot or trials within a specific business area.
Service documentation Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats
  • Word/DOC/DOCX
  • Video/Multimedia
End-of-contract data extraction All data can be exported as a SQL Server database backup or via reporting tools. The way in which we would recommend this be done would depend on customer need and the target environment.
End-of-contract process The support agreement would normally allow for basic handover at contract end - however if there were more specific or custom requirements (such as a new target environment to which to replicate) then these would be assessed and a cost agreed with the Client. Brightwire will provide appropriate assistance to the client to extract any data or move to another supplier as required.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface Yes
Description of service interface Umbraco provides a service interface out of the box.
Accessibility standards WCAG 2.1 A
Accessibility testing Umbraco can be customised to meet a client's accessibility requirements. For some clients we have configured and tested the interface with assistive technology tools as part of application development.
What users can and can't do using the API In one single installation of Umbraco Headless you are able to provide fresh content to all your customers on any device. Simply hit publish and your changes will automatically update on your mobile app, on store displays, flatscreens, websites, and on smart watches. More information is available here:
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Umbraco can be extensively customised to suit client needs. We have designed and developed sites for member management, secure extranets and portals, and comprehensive e-commerce and multi-channel solutions based on Umbraco. It can also be integrated with other line of business systems whether these are retail, ERP or asset management tools.


Independence of resources There are multiple deployment routes - each of which would be assessed in the light of specific functional and non-functional requirements such as performance. Performance can be affected by user bandwidth/connectivity as well as network capacity. We implement techniques to improve application performance and can recommend hosting models that will reduce the risk of load that negatively impacts performance. Umbraco Cloud offers considerable advantages including load balancing, performance, resilience and failover, backup and restore, and automatic updates. Further information is available here:


Service usage metrics Yes
Metrics types Service usage might apply to two scenarios - the behaviour of the users consuming the service, on which analytics can be provided, and/or the draw-down of the support time allocation, analytics for which are typically provided on a monthly basis. For usage metrics we typically recommend Google Analytics on a public website.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach All data can be exported as a SQL Server database backup or via reporting tools and a file system backup. The way in which we would recommend this be done would depend on customer need and the target environment.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • Excel
  • JSON
  • Various formats can be exported from Umbraco
  • XML and database backup
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • JSON
  • Various formats can be exported from Umbraco
  • XML and database backup

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Our guarantee for service level uptime is 99.9%.
Approach to resilience The underlying solution is based on a high availability configuration on Azure. Further information is available here:
Outage reporting Administrator dashboard with automatic error reports via alerts and notifications.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Admin access is limited by role based controls built into the software to ensure that only users with appropriate rights have access to management functionality.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 29/11/2001
What the ISO/IEC 27001 doesn’t cover Brightwire does not directly hold ISO 27001 certification for Umbraco, however the Azure platform on which this is based holds the accreditation. For further information please see here:
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification SagePay/Coalfire
PCI DSS accreditation date 09/06/2018
What the PCI DSS doesn’t cover Brightwire does not hold the certification directly, however, Sage Pay, one of our online payment partners, have PCI DSS certification.

We also integrate with other online payment providers, if required.
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We follow ISO 27001 methodology for policy and processes, and ensure that this is mapped closely to the Government's Cloud Security Principles. We have a defined reporting structure in place with ultimate responsibility for security and compliance resting with the CTO. Further information on security can be found here:

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow a structured change procedure, which provides a high degree of management and quality of output with a controlled approach to changes in scope – it being essential to track changes and ensure that all amendments are assessed and authorised. Specific processes for change management are as follows:
Request: Initiation of a change with a request for change (RFC);
Classification: Assigning a priority to the change after assessing its urgency and impact;
Authorisation: Processing the RFC through to the change advisory board;
Development: Developing the change, release management;
Release Management: Releasing the change for testing;
Review: Conducting post-deployment review.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a policy of applying all Microsoft-related security patches within a day of them becoming available. For our hosting environment we subscribe to VMware notifications and apply these to our private cloud environment within 3 days of them becoming available. For other general software that we use such as Umbraco we subscribe to notification lists and deploy these based on a triage of the exposure and risk and a prioritisation. Critical updates are always deployed as soon as they become available and always within a 4-hour window.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We limit exposure by only allowing access via firewall control to services which need to be accessed externally and have an account lockout process whereby after 15 attempts, an account will automatically be locked as suspicious activity would be assumed. We track and monitor invalid login attempts via standard Windows event logging mechanisms. We respond based on the SLA times as detailed earlier. Monitoring continuously measures the performance of key subsystems of the services platform against the established boundaries for acceptable service performance and availability, and generates warnings so that operations staff can address the event if one occurs.
Incident management type Supplier-defined controls
Incident management approach Users report incidents online using our incident reporting tool or by phone or email if required. We have specific processes that are triggered by incidents being reported to us which are followed and users are able to track and monitor the incident as it progresses through the SLA that corresponds to its priority. All incidents are followed by an incident report explaining what happened and what action is to be taken to prevent a reoccurrence.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £675 per person per day
Discount for educational organisations No
Free trial available No
