ACT Cloud Concessionary Portal

The ACT Cloud Concessionary Portal provides a customer facing website which is delivered and accessed across an agreed web URL, or directed via scheme owned site, providing end users the ability to apply, renew and replacement their smart concessionary bus pass.


  • Remote web access
  • Capacity for online new applications, renewals and replacements
  • UK governement ITSO standard capable
  • Save and return later application process, with photo upload
  • Bespoke styling and branding
  • Real time end user verification
  • Payment processing and management (PCI accredited)
  • Interfaces to ACT CMS service (mandatory module)


  • Low total cost of ownership
  • Multi tennanted service platform
  • Manned ServiceDesk 5 days per week
  • Full hosted managed service
  • Concessionary scheme management and support
  • Central reporting
  • Proven cloud platform supporting many UK transport schemes
  • Range of optional modules including analytics & reimbursement


£7200 to £10200 per unit per year

Service documents

G-Cloud 10



Chris Jefferies

01249 751 200

Service scope

Service scope
Software add-on or extension Yes
What software services is the service an extension to ITSO CMS Services
ITSO HOPS Services
Cloud deployment model Private cloud
Service constraints Subject to agreed planned maintenance for new releases and or bug fixes
System requirements
  • ACT require domain owned certificate if hosting using domain-owned URL
  • Integrated Payment Service Provider facility required for online payment
  • Integrated end user verification facility required for new applications

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times ACT service desk operates to an automatic response window within 15 minutes of call logging via helpdesk call and or on line support portal. Support is only provided to contracted customers.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels The Cloud Concessionary Portal support levels including: -

% Service Level Availability ranging from 99%
Service Desk availability is as follows: -
Mon - Friday 07:00 - 17:30,
Saturday 09:00 - 17:30 and
Sunday 10:00-16:00

ACT also operates an optional 24/7 manned helpdesk which is available at an extra cost which is determined by client requirements.

Access to an ACT account manager is available for contracted customers
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started On site training and user documentation
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction ACT is provided as part of a data extract service and provided in CSV format.
End-of-contract process Provision of a simple data file of customer owned data only.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service All functionality remains the same for mobile devices
Accessibility standards WCAG 2.0 A
Accessibility testing ACT engineers have worked with the Shaw Trust on accessibility standards for the Concessionary web portal
What users can and can't do using the API The Service Desk will enable the Cloud Concessionary Portal API which is provided as a RESTful and SOAP interface.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The service can be customised by ACT as follows: -

1. Service configuration to support scheme requirements.
2. Portal branding, colours, text and imagery are tailored to customer needs.
3. Can be hosted using customer owned domain URL


Independence of resources The Cloud Concessionary Portal is a virtual cloud service which can scale to meet customer demand. ACT network monitoring ensures the Cloud Concessionary Portal capacity meets the agreed service capacity needed for the customer.


Service usage metrics Yes
Metrics types Provided as standard end of month service performance report
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The ACT Service Desk provide a standard user data export service
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The ACT Cloud Concessionary Portal is provided on a 99% service level availability with a service credit regime to compensate for poor performance.
Approach to resilience The ACT Cloud Concessionary Portal has a secondary (DR) services to provide service resilience in the event of a system disaster.
Outage reporting The ACT Service Desk will inform customers (by email and phone) directly in the event of an unplanned system outage.

Identity and authentication

Identity and authentication
User authentication needed No
Access restrictions in management interfaces and support channels The ACT Cloud Concessionary Portal is a public facing website therefore restrictions to access is not required.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 NQA
ISO/IEC 27001 accreditation date 12/01/2018
What the ISO/IEC 27001 doesn’t cover Certification is company wide
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification NCC
PCI DSS accreditation date 24/04/2018
What the PCI DSS doesn’t cover Certification covers ACT portals and CMS platforms with integration of Payment Service Provider (PSP) service only, PCI does not cover any other system.
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO 27001
ISO 9001
ISO 14001

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach ACT operates its own change management process, reviewed and assessed at a monthly Change Advisory Board (CAB). A change manager plans and tracks the new releases and changes over their lifecycle.
Vulnerability management type Supplier-defined controls
Vulnerability management approach ACT operates a continuous threat assessment process for its business from software security violation monitoring (using Nexus), network vulnerability scanner (using solar winds) and annual pen testing using external security agencies.
Protective monitoring type Supplier-defined controls
Protective monitoring approach ACT operations working closely with infrastructure monitoring and review identified security issues and weaknesses. These are graded against an agreed criticality scale and those items identified as critical are schedule for resolution and owned by head of department. For example identified software security vulnerabilities are automatically scanned, scored and addressed as part of the continuous improvement policies.
Incident management type Supplier-defined controls
Incident management approach ACT has established predefined and documented incident management process, the ACT Service Desk is available 7 days per week to enable customer to contact ACT to report an incident. Incident reporting in managed via the incident manager and service desk and depending on the severity of the incident can be as frequent as hourly.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £7200 to £10200 per unit per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑