Sourcecode UK Ltd trading as K2

K2 Cloud

K2's process automation platform helps you rapidly build, change and maintain business process applications without writing endless lines of code. This makes it possible to deliver integrated, mission-critical process automation and case management at scale as well as quickly roll out lightweight departmental workflows.


  • Enterprise Workflow. Visual, intuitive process and rules designers
  • Forms. Visually design mobile-ready user experiences leveraging data and workflows
  • Business Rules. Across workflow, forms and data
  • Integration. Point-and-click integration with virtually any line-of-business system
  • Low-Code. Citizen developer focused wizards, templates & design approach
  • Component model. Re-usable artefacts to scale & change readiness
  • Mobile. Responsive user experience on major devices, online or offline
  • Security & Governance. Comprehensive, role-based management provides security & governance
  • Analytics. Reports & Analytics to identify issues & drive optimisation
  • Microsoft. Native interoperability across CRM, Flow, PowerBI, SharePoint ....


  • Develop Applications quickly. 78% reduction vs. traditional development
  • Reduce systems catalogue. One platform to build and manage applications
  • Rapid ROI. Forrester validate 466% over 3 years
  • Change. Component model and governance deliver rapid, controlled change
  • Digital by default. Connects citizen-facing services and department transformation
  • Low Code. Decreased reliance on developers with citizen design model
  • Channel. Significantly reduced transactional costs across multi-channels
  • Insight. Service compliance and optimisation with process monitoring and reporting
  • Data. Integration model leverages LOB systems data reducing data silos


£1.39 to £23.49 per user per month



G-Cloud 11

Service ID

757151977973646


Sourcecode UK Ltd trading as K2

James Watkins

07825 663598

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to K2's Cloud platform is independent software running on Microsoft Azure and connected to Azure Active Directory (no extra contract required with Microsoft).

K2’s platform delivers integration with leading solutions, such as SharePoint, DocuSign, Dynamics CRM, SAP and Salesforce as well as connectivity through REST, OData and Web services.
Cloud deployment model Public cloud
Service constraints No service constraints are known at this time
System requirements
  • For supported versions and browsers see Compatibility Matrix at
  • Azure Active Directory: K2 Cloud customers should use AAD authentication

User support

Email or online ticketing support Email or online ticketing
Support response times Within 1-2 business hours, depending on the severity of the issue.

Standard support times 8:30 - 5:30 Monday to Friday

Premier support times 24/7 - 365 days (extra costs see pricing)
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible We use Go To Meeting for remote support
Web chat accessibility testing We use Go To Meeting for remote support
Onsite support Yes, at extra cost
Support levels STANDARD: Software updates and upgrades, code fixes, security alerts, and critical patch updates.
- Unlimited access to online self-service knowledge base of information and solutions.
- Unlimited access to online product help documentation.
- Electronic and telephonic access to K2 Software Support personnel for Standard Support Incidents.
- Unlimited access to SourceCode’s community forum for software functionality questions, assistance and guidance, solution and application sharing, collaboration with other community resources and technical information on lower priority service issues.

PREMIER: This service includes:
- Standard K2 Software Support
- Access to After-Hours Support
- Assistance on Standard Support Incidents for Technical Contacts operating from regions other than where the K2 Software was licensed.

K2 software assurance provides ongoing access to product updates and downloads and various technical assistance resources, including:
- Online training and tutorials
- K2 Knowledge Center access
- K2 Community website access

UK support hours are 8:30 to 5:30 Monday to Friday.
Support available to third parties Yes

Onboarding and offboarding

Getting started K2 provide open group or virtual classroom training options globally. Training options include self-guided, on-demand or group courses as well as a host of training courses, tutorials and videos for free via the K2 Learning Library.
See details at
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Customers can request a backup of their database at the end of the contract.
End-of-contract process At the end of a contract a customer can either renew subscription or cancel.

K2's data policy for building applications is to use existing systems of record within a business, so should a customer not want to continue to use K2, the data should already reside either within the existing systems or in defined databases supporting the cases managed by K2.

K2 provides a suite of reports which can also be used to extract data on the processes being run by K2 at the end of a contract should the customer not want to renew.

Any services to create information in different sources at the end of a contract would be chargeable and negotiated at the time.

Environments and any data will be securely destroyed 30 days after termination of the agreement.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service K2 SmartForms can be designed using one of the out-of-the-box responsive themes, which will automatically resize the form to fit the screen of mobile devices and tablets.
The K2 Mobile App also provides offline capabilities such as task management, collaboration, comments and attachments, decision making and access to offline forms, application forms and reports.
Service interface Yes
Description of service interface Browser-based design tooling:

Design and Build
- Workflows
- SmartForms
- Integrations

Security and Compliance
- Roles
- Permissions
- Reporting

Workspace
- Forms
- Mobile
- Reporting
Accessibility standards None or don’t know
Description of accessibility This can be achieved through an additional extra (at cost) from our partner Discover Technologies -
Accessibility testing See -
What users can and can't do using the API K2 provides a standard set of REST services that allow for standard interactions with a workflow process such as process initiation, task actioning etc.

The K2 workflow API (REST) allows applications to:
• Start K2 processes
• Retrieve a user’s worklist
• Action a worklist item
• Retrieve details about a process instance
• Delegate or redirect a worklist item

The K2 SmartObjects OData API allows:
• Integration with BI tools such as PowerBI, Tableau or even Excel
• Access to any SmartObject data via OData endpoints

In addition:
• Line-of-business integration with virtually any system using K2’s SmartObjects
• Out-of-the-box integration with SharePoint, SAP, Microsoft CRM, SQL Server, Oracle, Exchange, Active Directory, Microsoft Excel and Microsoft Word
• Build composite SmartObjects that connect with multiple line-of-business systems to provide a single view of business data
• Inline Functions provide a built-in set of functions to provide complex logic and calculations
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation K2 software allows people to build and run business process applications, including forms, workflow, data and reports. Across enterprises and within departments, K2 customers are rapidly transforming their companies with applications that allocate work to the right people, with all the information they need to make great decisions.
With K2's visual tools, creating, launching and using the first K2 application is a snap. Reusable components ensure the next application delivers faster than the one before, and when the business needs change, it's easy to update your K2 apps to fit.
K2 provides a scalable, managed platform for data integration, customisation and forms. This provides a solution that rationalises all your workflow, integration and forms requirements into one scalable platform that works regardless of whether you are running a pure standalone K2 offering or integrating with other systems.


Independence of resources K2 Cloud runs on a service that can be scaled either for short-term, forecasted demand or more permanently due to growth in usage and adoption.
K2 Cloud is currently deployed as a multi-tenant model; however, each customer's compute and data are segmented from other customers, with isolation in both the compute and data storage tiers.


Service usage metrics Yes
Metrics types K2 provides detailed reports around the status of each process and their instances. These reports can be used to monitor real-time process information and discover trends for process-improvement.

K2 also provides the Server Usage report, which allows you to view the number of K2 artifacts (such as workflow definitions, process instances, activity instances, event instances, SmartObjects, forms and views) deployed in your environment. The purpose of this report is to compare this number with your license agreement. You can also use the license audit report and the server usage report to determine if you are compliant with your license agreement.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
Other data at rest protection approach Standard TDE Azure SQL, full database encryption.
Optional database column encryption based on database engine (i.e. AES 256 on SQL Azure)
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Data, provided via K2 SmartObjects, can be exported by different mechanisms. Programmatically, K2 SmartObjects can be exposed as OData endpoints. These endpoints can be used to export data straight into Excel files or to be used directly in BI tools such as PowerBI or Tableau. For an end user, K2 SmartForms provide a capability to "Export to Excel" a list of results with filtering and paging options available. The information displayed in a form can also be exported in PDF format.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel and CSV (via extensions)
  • SQL Server Import/Export wizard
  • JSON format via OData endpoint
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel and CSV (via extensions)
  • SQL Server Import/Export wizard

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability K2 Cloud provides customers with an Availability SLA of 99.9% within their production K2 Cloud tenant. Availability is defined as the ability for a customer to be able to access the production service environment irrespective of network connection or other intermediary issues outside of the control of K2. A Service Credit is available to customers should the K2 Cloud SLA not be met.
Approach to resilience K2 Cloud makes use of SQL Azure as data store. SQL Azure creates automatic geo-redundant database backups. Full database backups happen weekly, differential database backups generally happen every few hours, and transaction log backups generally happen every 5 - 10 minutes. The backup storage geo-replication occurs based on the Azure Storage replication schedule – handled by Microsoft. The retention period for the database is 30 days. The above means that we can do any point-in-time restore of the data with a 10-minute accuracy within the last 30 days.
High availability (HA) is provided by default in the Production instance. Native Microsoft Azure capability is utilized in testing disaster failover (DR).

More details are available in the K2 Cloud - Service Policies document, or on request.
Outage reporting K2 Cloud is hosted on Azure datacenters. Azure status, planned maintenance and outages are reported via the website: An RSS feed is available.
Communications channels to customers are via the K2 Cloud status page as well as direct email notifications to subscription administrators.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels The K2 Management site allows you to manage your K2 environment and components such as workflows, worklist items, SmartObjects, users and security. These are administrative tasks that are performed by the K2 administrator. The Server Rights node is used to add, edit, remove and refresh Workflow server permissions for users or groups. These rights will determine which users and groups can administer a K2 workflow server, export new workflows or impersonate a user.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman & Company, LLC
ISO/IEC 27001 accreditation date 18/04/2018
What the ISO/IEC 27001 doesn’t cover The only control not covered was outsourcing as we do not outsource, so it wasn't relevant. All other controls were included.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications SOC 2 type II attestation report

Security governance

Named board-level person responsible for service security No
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Security is an important part of our reputation, how we earn customer trust, how we do business and how we deliver our product. Our company must provide secure products and services for our customers. We are committed to maintaining a secure environment and improving our information security management system and security program.

K2 have a Security Committee who are responsible for providing support for the business by assuring the confidentiality, integrity, and availability of company information assets. The Security Committee discusses security topics, reviews key security metrics, and approves security policies.

The Information Security Management Systems (ISMS) Manager is responsible for implementing and maintaining the ISMS.

Security Administrators include systems administrators, database administrators, network administrators, and other application administrators. These functional teams maintain the responsibility for the management of security controls and configurations within the information systems they support. They implement security mechanisms and maintain the requisite technical expertise to support them. They ensure systems and services comply with all approved corporate information security policies, standards, and procedures.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Changes to the Cloud environment are tracked, approved, tested, and implemented in accordance with ISO27001 specifications and are independently audited annually against SSAE 16 SOC2 standards for the 12 previous months prior to the audit.
Changes by customers within the K2 Platform will be configured and operated by either customers or 3rd party suppliers.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach K2 performs annual vulnerability testing internally and externally, and contracts a third party to perform an annual penetration test of the product and standard environment. These are conducted in accordance with ISO27001 specifications and are independently audited annually against SSAE 16 standards for the 12 previous months prior to the audit and reflected within an SOC2 type II report.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Monitoring is conducted within Azure and consolidated within Elasticsearch for analysis.
Monitoring activities are handled in accordance with ISO27001 specifications and are independently audited annually against SSAE 16 standards for the 12 previous months prior to the audit and reflected within an SOC2 type II report.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Customers can reach out to K2 support via web, phone or email to raise incidents. Incidents will be handled via K2's internal incident management policies and conducted in accordance with ISO27001 specifications. The processes are independently audited annually against SSAE 16 standards for the 12 previous months prior to the audit and reflected within an SOC2 type II report.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £1.39 to £23.49 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Available on request
Link to free trial
