Respondit Web Design ltd

WordPress CMS Web Design (Content Management System)

Respondit are award-winning website designers and developers. We create and maintain websites for local authorities, businesses and charities.

We primarily build using the Content Management System (CMS) WordPress, which allows us to provide secure, scalable and easy-to-maintain websites that are fully responsive and deliver a great user experience.


  • Bespoke website designs built on an established Content Management System
  • Responsive and mobile optimised website design
  • Thorough user behaviour research and testing (Improve UI/UX)
  • E-commerce website functionality
  • Managed automatic backups of all data
  • Full design process, from initial concept to completion
  • Search Engine Optimisation (SEO)
  • Professional photography and multimedia creation
  • Utilisation of pre-built tools to reduce overall costs
  • Full life-cycle service and support


  • Fast access to responsive support
  • Access to team/project management software (
  • Integrated digital marketing
  • Award-winning, solution-focused and user-experience-led team
  • Experts in WordPress implementation and integration
  • Flexible SLA allowing clients to tailor solutions
  • Audit of your existing website for better on-boarding
  • Visually engaging websites that follow brand guidelines
  • Highly accessible
  • GDPR compliant


£65 to £100 per person per hour

  • Education pricing available

Service documents


G-Cloud 11

Service ID

675327115452364


Respondit Web Design ltd

David Hodder


Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Our web applications are created using the WordPress Content Management System. Within this platform's ecosystem, we use a mixture of free, premium and in-house developed themes and plugins to build fully bespoke solutions.

We can utilise 3rd Party APIs to extend functionality even further by integrating other services and software.
Cloud deployment model Private cloud
Service constraints WordPress requires regular updates to core files and plugins in order to maintain performance and security. Whilst this can be done by a trained user, a strict update procedure is required to reduce the possibility of updates causing a live site to go down. These updates and any issue resolution are included in the Planned Preventative Maintenance (PPM) support plans that we offer; alternatively, we can supply training to administrative users for in-house maintenance.

PPM support is also limited to plugins and themes that either we have installed or which we have previously confirmed in writing as fully compatible.
System requirements
  • Open Source Licence
  • Customisation of Servers
  • Scalable Solutions
  • All Inclusive Costing
  • Hack Guarantee In Place
  • WordPress Plug-In Licences Included
  • WordPress Theme Licences Included

User support

Email or online ticketing support Email or online ticketing
Support response times Ticketing support is run through When users raise a query notifications are sent to all staff.

Standard support response times during working hours Monday to Friday, 9am-5pm:

Priority 1 (mission critical): 1 hour
Priority 2 (high): 2 hours
Priority 3 (medium): 4 hours
Priority 4 (low): 8 hours

We will respond to issues that arise outside of standard working hours; however, these response times cannot be guaranteed for our standard SLAs.

Extended SLAs are available upon request to include longer working hours including evenings, weekends and bank holidays, up to 24/7 at pre-arranged rates.

Hosting support is 24/7.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels We have a full scope team of varying skill sets including designers, developers and marketers who can all be utilised under support contracts to maximise the effectiveness of our support contracts and offer the client a wide range of skills at a reduced rate. This flexible approach has proved very popular with government entities as it allows access to a wide skill set under one set contract.

Each client is assigned a technical account manager who oversees work carried out.

Our standard Planned Preventative Maintenance (PPM) support packages include regular updates to key components within your WordPress hierarchy. Essential security patches are kept up to date: WordPress themes, plugins and core. Secondary backups are always maintained which act as a triple redundancy fail safe (offsite backups).

Additional support needs are charged at an hourly or daily rate. 1st line support is charged at £65 per hour and 2nd line support at £75 per hour.

Flexible additional support for more day-to-day updates to the website, such as text changes, how-to guides, content amends, etc., is provided on a retainer basis with roll forward/backward terms on any unused hours. Quarterly reviews with itemised reporting on works undertaken are produced for every client.
Support available to third parties Yes

Onboarding and offboarding

Getting started We are with our clients throughout the whole life cycle of projects and we really care about ensuring our buyers are supported through every step. We begin with talking to our clients about their specific needs and ensure the solution covers every base. We ensure the training and support that the client needs is completely covered through clear communication for the entirety of the project and beyond.

This support can be through a variety of means including:

Digital Marketing
Support and Maintenance (PPM)
Onsite Training
Online Training
Instructional Video
Content Creation
How-To Guides / Instruction Manuals
Managed Hosting Services
Design Services
Social Media Marketing

Respondit provide both onsite and online training for clients when needed. This can be off-the-shelf training or bespoke to your particular needs.

The level of access and functionality each user requires is discussed in detail before a project is undertaken. We then agree upon the level of training required for clients to use the service and allocate a time convenient with them and their staff.

Ongoing support, digital marketing services (such as SEO or SMM) and design services can be bundled into retainer-based contracts, with flexibility as to which services are utilised on a monthly basis.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Users maintain full control of their data at all times. We will hand over everything a user requires at the end of a contract in the most convenient form possible. This will have been agreed upon within our contract as part of our off-boarding planning, but the user retains the option to alter their demands if needed.

Data can be exported from the dashboard in most cases using the client's login credentials. This can be in a variety of file types in most cases including XML feeds, CSV file output and PDF formats.

If for any reason a buyer is unable to pull any (or all) data, we will assist them by discussing their needs, identifying the desired method and file type, and exporting the data for the client.

We explicitly agree upon what data will be required by us if we are continuing to provide a service to them in the form of support and remove anything that is unnecessary.

All data that is identified as needing to be deleted from our system will be thoroughly and securely destroyed.

This is not limited to the product; we are also happy to extract any project management or case files as required.
End-of-contract process When a website is created we will ask who in the client's organisation will have to use it and what level of access they will need. We agree upon how much training will be needed in the initial meetings and will deliver on our commitments within the time-frame and budget laid out in the contract.

At the end of this contract the client will have the option of hiring us on a separate Planned Preventative Maintenance contract if desired.

If the client is looking to self-manage, or use another supplier for on-going maintenance / support or marketing services, we offer full handover services and on-boarding for any prospective 3rd parties.

We believe in collaboration, and strive to be as open and engaging as professionally possible with an excellent track record of delivering collaborative projects. We will offer training, guidelines, instructional videos and the required support to make any handover as smooth as possible.

At the end of any contract, we will ask the buyer to complete a questionnaire in either digital or interview format, to identify the strengths and weaknesses of our project delivery, so we can continue to learn and grow as a business.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There is no limitation to functionality when using a smaller device; the viewports are optimised to match the device. Buyers can access their CMS and our support through either mobile or desktop devices. The service they receive is the same no matter how they access it.

Our websites are designed and built to be fully responsive. If viewing on a desktop or tablet buyers can simulate what a user will see on a mobile device (testing purposes) but if viewing on a mobile device alone they will not be able to assess what desktop or tablet users are presented with.
Service interface Yes
Description of service interface The WordPress dashboard is the service interface for the user. It can be accessed through any web browser and as standard allows access to:


Additional functionality (such as forms, custom taxonomies, products, etc.) is added according to the buyer's needs/requirements.

Administrator access has total control over the above. Additional users can access it through multiple accounts with varying levels of user permissions, which can be customised to meet the buyer's requirements. Users can make amends to the environment, functionality, content, user management and media library through their individual accounts with audit trail tracking.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing We use a combination of automated and manual interface testing. Our accessibility testing includes:

Screen Readers - JAWS - Reading elements and headers, tabbing through links, checking landmarks (headers, content pieces, navigation, etc.), checking ARIA (Accessible Rich Internet Applications) and ensuring editable fields are functional.

Screen magnifiers - ZoomText - We test up to at least 10 times magnification and check spacing between elements, the content is clear with different colour schemes and variations available, the cursor enhancement and focus indicator are functional.

Speech recognition - Dragon NaturallySpeaking - We test with speech recognition technology, including navigation of each feature such as links, buttons, media, site controls and interactive elements. We also ensure speech to text is functional on any forms/search functionality that are applicable to buyer's site.

Our manual testing is done using focus groups of identified target audiences. This is actual road testing of the end product prior to launch and is normally done over multiple phases: we identify issues, implement solutions and then test again. We design these tests specifically for the primary and secondary functions of the buyer's website or web application.

External 3rd party accessibility testing is also available.
What users can and can't do using the API The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON (JavaScript Object Notation) objects. JSON is an open standard data format that is lightweight and human-readable, and looks like Objects do in JavaScript; hence the name. When you send content to or make a request to the API, the response will be returned in JSON. This enables developers to create, read and update WordPress content from client-side JavaScript or from external applications, even those written in languages beyond PHP.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Everything can be completely customised, from the design and aesthetics to the development and functionality. Typical customisations of the platform include:

Design and Aesthetics - Full customisation including colours, fonts, imagery, video, layout, etc.

Functionality - Forms, E-commerce solutions, booking systems, online calendars, events, blog / vlog, E-learning platforms, product configurators, support / ticketing systems, advanced search, forums, staff or internal portals, image galleries, job / recruitment boards, real estate listings, classified listings, comments, directories, star ratings, fund raisers, payment gateways, online portfolios, brochures, online magazines, document downloads, etc. Essentially anything you have seen online can be added.

Communication - social media integration with Facebook, Live web chat, etc.

Users can customise the service through the WordPress dashboard which includes comprehensive online documentation including explainer videos, how-to guides and can be customised to include a drag and drop builder for complete simplicity.

WordPress enables users to have complete control, selected control in terms of what pages/content/media/permissions, and limited control such as just one page/area of the WordPress environment.

Default user permissions are built in as:

Super Admin

Additional user privileges can be added with bespoke functionality as required.


Independence of resources Depending on whether a user chooses our Virtual Private Server hosting or cloud hosting, there are numerous protections against the impact of other users' demands.

Our VPS hosting allocates dedicated resources in the form of slots, whereas cloud hosting, as well as having dedicated resources, can allocate the demand from users onto idle servers.


Service usage metrics Yes
Metrics types Usage metrics are provided through server usage statistics and on-page metrics; advanced heat mapping technology is also available.

Real-time reporting is achieved through Google Analytics, giving audience information in terms of acquisition source, type and behaviour on the platform, and the ability to set conversions and goals to accurately track user engagement.

Heat mapping is also available through Hotjar to record users' interactions with the WordPress platform for testing, reporting and refining purposes.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach We can supply SFTP access to authorised users in order to download core files. We can also give authorised users access to the hosting control panel, where they can access database files directly via phpMyAdmin.

Site-level data such as media files, page and post content can be exported into CSV and JSON via the WordPress admin panel by users with the appropriate Administrator level of access.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • JSON
  • XML
  • SQL
  • Zip
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • JSON
  • XML
  • SQL

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability 99.9% up-time guarantee for all hosting solutions.

100% up-time guarantee hosting available with load balancing, redundancy/back up solutions for mission critical, enterprise solutions.

We have real up-time monitoring on all our sites. We are alerted immediately should a site go down. If the site is maintained by us under our PPM maintenance then this would be dealt with according to contractually agreed SLAs. Our standard SLA for a Priority 1 case like this would be a response within 1 hour during core office hours. We will respond to Priority 1 issues that arise outside of standard working hours as soon as we can; however, these response times cannot be guaranteed unless there is a contractually agreed SLA in place. If the site is not maintained by us then we will forward on any up-time alerts.

We have a rigorous procedure in place to avoid any issues arising on live sites from WordPress Core, Theme or Plugin updates; however, should one arise under our management, we roll back the site to the previous working version immediately and establish the cause as a Priority 4 SLA - 8 hour response.

For each hour of downtime we refund one day's hosting or support.
Approach to resilience Our business resilience has been built in by ensuring that we have a competent team, able to prepare, react and deal with the demands that resilience places on our business.

This also encompasses crisis management and business continuity with a ‘whole business’ approach. We treat business resilience as a strategic risk management process, ensuring that sufficient and appropriate resources are committed to it. Being resilient means we have secured those mission-critical and time-sensitive business functions so we continue with our mission of delivering high value, high quality services to clients.

Our approach to this is five-fold: Identify, Protect, Detect, Respond, Recover.

Identify: We look to develop an organisational understanding for managing cyber security risk to systems, assets, data and capabilities.

Protect: We will then develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect: We will develop and implement the appropriate activities to take action regarding a detected cyber security event.

Respond: We will develop and implement the appropriate activities to take action regarding a detected cyber security event.

Recover: We will develop and implement the appropriate activities to take action regarding a detected cyber security event.
Outage reporting All of our sites have real-time monitoring in place. If the Uptime Monitor doesn’t get the expected response, it’ll keep trying a couple more times to confirm that the site is down. If it is still unresponsive, we will receive a notification by email and by SMS and our client receives an email. The Uptime Monitor tracks the up-time percentage, response delay and individual checks and generates a report each month which we share with our client and use to track up-time SLAs.

Once we establish the cause of the downtime we will respond by email within the time frame of our contractually agreed SLAs. Our standard Priority 1 SLA is a response within 1 hour during core office hours. We will state what the issue is, what the fix is and an estimate as to how long the fix will take. Once fixed, an email will be sent confirming this. The Uptime Monitor will also send out an alert to confirm the site is back up and running.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Respondit restricts access based on agreed permissions with the client; this is done normally through 2-factor authentication.

We agree with the client which members of staff are able to access management interfaces and support channels, and this is reviewed at least every 6 months.

We automatically block any IP addresses seen to be repeatedly trying usernames such as admin or administrator, and if a password attempt fails 3 times then we set the account to require a password reset or require unlocking by an administrator. We log the IP address of all login attempts for auditing purposes.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication IP address white list where dedicated IP addresses are used to lock down administrator access.

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 360 Certification
ISO/IEC 27001 accreditation date 20/05/2019
What the ISO/IEC 27001 doesn’t cover Our whole service provision is covered by ISO/IEC 27001 certification
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 360 Certification Ltd.
ISO 28000:2007 accreditation date 20/05/2019
What the ISO 28000:2007 doesn’t cover Whilst we strive to cover our whole supply chain, we cannot guarantee that all third party WordPress plugins and themes are covered.
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We break our information security into three key pillars:


Everyone in the business is made aware of their role in preventing and reducing cyber threats. Cyber security is a business issue and all of us have a role to play. Regular staff training takes place.


Processes are key to the effectiveness of our cyber security strategy. Processes are crucial in ensuring the company's activities, roles and documentation are used to mitigate the risks to the organisation’s data. Our processes are continually reviewed internally, and externally audited annually in line with our ISO27001 accreditation.


Technology is absolutely crucial when it comes to cyber security. By identifying the types of cyber risks that we face, we can then plan for mitigating the risks and identify the technologies we need to do this. Technology is then deployed to bolster the defensive strength in accordance with a risk assessment in line with our ISO accreditation.

Respondit and our hosting providers, WP Engine and AWS, have documented policies which dictate procedures dealing with security and offer guidance to staff members. We are ISO 27001 accredited.

WP Engine security process:

AWS Process:

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All change requests from the client are dealt with via a ticketing system. This allows all communication and work to be tracked from start to finish with contract dependent SLA triggers in place.

Any maintenance patches or updates completed as per contract are logged internally via the same system.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our WordPress installs are scanned daily by 3 separate services for any threats or updates. System Administrators are alerted immediately of any potential threats and updates. These are investigated by a member of the technical team and dealt with based on contractually agreed SLAs.

Further to this, we have 24-hour up-time monitoring in place which also alerts us immediately should the site go down for any reason, meaning we can react very quickly to solve the problem.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We have Web Application Firewall monitoring, which monitors sites in real time, and will stop sites from being hacked by identifying malicious traffic. Once identified, attackers are blocked before they can access the website.

This includes a real time threat defence feed which includes the latest malware signatures and malicious IP updates. This is augmented with:

  • Two Factor Authentication
  • Blocked Brute Force Attacks, and
  • Country and Manual blocking controls.

Our layered protective monitoring processes continually monitor and protect client websites from attacks before they occur, providing a high level of attack resilience.
Incident management type Supplier-defined controls
Incident management approach We develop and implement the appropriate activities to take action regarding a detected cyber security event.

Response Planning: Response processes and procedures are executed and maintained, to ensure timely response to detected cyber security events.

Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

Analysis: Analysis is conducted to ensure adequate response and support recovery activities.

Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

Improvements: Organisational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £65 to £100 per person per hour
Discount for educational organisations Yes
Free trial available No
