Open Systems Lab


Plan✕ is a self-service digital planning guide to make planning simpler. Visitors to a Council’s planning website are guided through a series of questions, checking their proposed project against relevant policy to see where it complies or clashes. Planning officers maintain the guides via an editor interface.


  • Simple, seamless interface for end users (applicants and their agents)
  • Works on desktop computers and mobile devices
  • Allows sharing of results via existing email and submission forms
  • Can integrate data from any source with an open API
  • Themed for your council identity
  • Simple, intuitive editor interface for content management by planners
  • Pre-written national policy guides (eg GPDO) included, maintained by others
  • Team permissions structure
  • Admin interface for domain admin
  • Policy analytics


  • Makes planning information dramatically simpler and more transparent for applicants
  • Reduces the volume of telephone and email enquiries
  • Automates the assessment of small and householder projects
  • Generates an agenda for pre-application meetings
  • Lets planning officers spend less time processing small applications
  • Reduces number of applications that need to be refused
  • Gives planning authorities easy control over their guides
  • Policy analytics allow planning authorities to understand demand better
  • Feedback reveals where improvements to guidelines are needed
  • Reduces need for many reports on small applications


£15000 to £26000 per instance per year

Service documents

G-Cloud 11


Open Systems Lab

Helen Lawrence


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints The range of planning services PlanX can support varies, depending on the availability of data (eg GIS data) that is in a digital, structured format.
System requirements Any modern web browser (Chrome, Safari, Edge, Firefox, IE11+)

User support

User support
Email or online ticketing support No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Every customer is assigned an account manager who can be contacted by admins at any time during business hours. We seek to respond to admins queries as quickly as possible, normally within 24 hours or less. Users and editors can report any issues via the public and editor interfaces 24/7.

Additional support services such as training, co-writing and planning information and data auditing are available for an additional cost (see pricing).
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a complete range of services to fully support the on-boarding process, to make it as simple as possible for Councils to prepare their planning guides for launch. This begins with initially understanding your particular needs and priorities, as well as any potential implementation or adoption barriers. It can then include:
1. Planning Information review / cleanup.
2. Planning conditions review
3. Adding conditions and Article 4 directions to your guides
4. Training
5. Co-writing of planning guides
6. Pre-launch testing
(see pricing document for more detail).
Service documentation Yes
Documentation formats
  • HTML
  • Other
Other documentation formats
  • Documentation is built into the interfaces
  • Video tutorials available for editors
  • Code repositories contain their own documentation for developers
End-of-contract data extraction Admins will be able export much of the data relating to their Plan✕ domain in a structured format (eg .csv). In the case of data that is available but cannot be exported automatically, they can request this data, and it will be made available to them. If a Customer needs a hard copy of data there will be an on-cost for appropriately secure (Courier) delivery of the loaded media to the customer's nominated premises. This will be agreed with the Customer.
End-of-contract process A Council can request to terminate their Plan✕ subscription at any point in line with the termination terms, by notifying their Account Manager by email.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Public users will have the same experience on mobile and desktop.

Although the editor interface used by planning authorities will work on mobile device to some extent, but its design is not optimised for them. The editor interface is primarily designed for use on desktop devices.
What users can and can't do using the API PlanX has a REST API that will allow users to:

- Send and receive data to and from PlanX guides.

Access to the API will be rate-limited.
Some functionality may be restricted if it would affect users security or privacy.
API documentation Yes
API documentation formats HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation Admins can customise their PlanX instance with their brand colour and logo, to provide end users with a clear, seamless experience.

The content of all guides can be edited by editors within the constraints of the editor.

If they wish, customers can build their own front-end interface, operating the PlanX service via its API.


Independence of resources Plan✕ procures hosting from AWS (or equivalent) which can scale in response to spikes in user demand. Most hosted mapping data services can also scale to meet demand, however in the unlikely event that demand spikes beyond the scaling capacity of these services, Plan✕ can continue to function independently without these services until demand normalises again.


Service usage metrics Yes
Metrics types – Number of users
– User activity through flows (revealing, for example, the most common enquiry types, and which areas of guidance / policy are proving to be key barriers to users)
– Users devices (desktop or mobile)
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Some or all data will be available by means of an export button within the interface. Any data that is not available for direct export can be requested.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The services is hosted on AWS, Google or Azure Cloud and directly benefits from their availability and resilience.
Approach to resilience The weakest link in Plan✕ is where data is being pulled in from a customer or third party host (such as OS or a Council GIS data publishing platform). These are separated, so Plan✕ is designed to continue to function without that third party data. Previous enquiries will remain stable.
Outage reporting From time to time, a planned outage may be required. Customers will be notified of any planned outages by email in advance, and such outages will be timed to minimise disruption. In the event of any unplanned outage, the Customer will be informed as quickly as possible.

Identity and authentication

Identity and authentication
User authentication needed No
Access restrictions in management interfaces and support channels The Plan✕ editor uses role-based access control for admins and editors. Users will be authenticated using federated identities (e.g. OAuth 2.0) if possible, a username and password system will be provided as a fallback. Attempts to circumvent these restrictions (e.g. via the API) would return an error and the request will be logged.

Third party support channels used by OSL enforce industry standard authentication and require two-factor authentication whenever possible.

An access log is kept centrally, detailing permission levels. Management access by OSL staff is controlled by company Directors. Access to the servers is monitored using third party application services.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach The Plan✕ tech lead is tasked with ensuring OSL security policies are complied with.
Information security policies and processes The CEO is a Director of OSL and is ultimately responsible for ensuring policies and processes are well-designed and followed. Directors receive a report from the Plan✕ tech lead at Board Meetings. OSL maintains a risk register and issue identification and escalation process. Company procedures are regularly reviewed to ensure best practice compliance.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Whenever possible OSL provisions and manages infrastructure with code using services (such as Terraform). Configurations are stored in a Git repository so we can track changes in version control. All code deployments must pass a suite of Continuous Integration Tests before going live. We tag each build as part of the deployment process.
Vulnerability management type Supplier-defined controls
Vulnerability management approach OSL uses an automated service to constantly monitor for threats and identify attacks immediately. Whenever possible we intend to keep all dependencies up to date using an automated service (such as Dependabot).
Protective monitoring type Supplier-defined controls
Protective monitoring approach OSL uses monitoring tools to help identify potential compromises with reports on server activity and email alerts. All code deployments must pass a suite of Automated Tests before going live.
Incident management type Supplier-defined controls
Incident management approach A risk log is maintained and mitigation actions are captured. Incidents are checked against this log to ensure we are constantly learning to prevent reoccurence. Many incidents may be automatically detected and logged. Customers can report incidents via their Account Manager or through an issue report.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £15000 to £26000 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑