Heed Software Ltd


Heed is messaging automation software that provides the ability to build effective messaging solutions outside of email and chat.

Heed integrates with enterprise systems to provide more effective communication through intelligent, automated and stateful communications.

Heed can be leveraged to increase efficiency, reduce cost and improve KPIs around any process.


  • Stateful & Actionable Communications
  • Workflow Builder
  • Process Visualisation and Automated Communications
  • Bespoke Message Behaviour Definition
  • Real-time View of Active Communications through Buckets
  • Intelligent Waterfall Communication Flow
  • Automated Workflow Intelligence
  • Intrusive Desktop Notifications
  • Action Centre - Centralised Location for Actions (i.e. Approvals)
  • Real-time Analytics & Reporting


  • Take Action on the Move
  • Take Action (i.e. Approvals) in one system rather than multiple.
  • Increase Process Efficiency
  • Provide More Effective Communication to your Workforce
  • Automate Communications from your Enterprise Systems
  • Reduce Cost & Waste within any Business Process
  • Measure Productivity
  • Engage the Workforce
  • Integrate with your Enterprise Systems
  • Automate your Business Processes & the Communication Throughout


£2 per unit per month

  • Education pricing available

Service documents

G-Cloud 10


Heed Software Ltd

Liam Heather



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Heed has integration capabilities with a huge number of enterprise systems, including but not limited to: ServiceNow, BMC, Github, HPE Service Manager, IBM Cognos, IBM Notes, IBM Workspace, JIRA, Microsoft Dynamics, Oracle, Oracle Cloud, Oracle JD Edwards, Oracle PeopleSoft, Salesforce, SAP, Slack, Workday, Trello, Tibco, Twilio, Expensify, CircleCI, Citrix, AWS.
Cloud deployment model Hybrid cloud
Service constraints No it does not.
System requirements
  • Windows/Mac OS
  • IOS/Android/Windows Mobile

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard & Premium Support carry different response times and differing Support Hours. There is also an online portal for documentation and self-service support.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels - Heed provides both Standard and Premium Support, with Premium Support providing improved SLAs, faster response and higher availability.
- Standard Support comes as part of the basic package, however, Premium Support carries an additional % cost.
- Heed offers various Support Teams globally.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started - Online Support and Documentation is available as part of the On-boarding process.
- Training can also be provided as part of the onboarding process.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All data can be exported in a secure database format at the point of contract expiry, as part of the decommissioning process.
End-of-contract process Clients are decommissioned at the end of the contract and are left with a default window of time to migrate any wanted data or information.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Mobile Application provides the same functionality as the Desktop Application for the most part from an End User perspective.

Some advanced settings, administrative settings and workflow configurations are limited to the Desktop/ Browser rather than the Mobile Application.
Accessibility standards WCAG 2.0 A
Accessibility testing No official testing has been done with users of assistive technology, however, standards have been met in accordance to the WCAG 2.0 A guidelines.
What users can and can't do using the API Users can carry out the majority of the functions of the application utilising the REST API, however, authentication is required when making requests to the API.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The Workflow Builder within Heed allows for the user to build bespoke and customised workflows around their business processes. Corporate Branding can also be applied to the Application itself, as well as the Desktop Notifications and other communications.

The customisation is mostly handled by System Administrators.


Independence of resources Heed leverages scalable cloud infrastructure through AWS and Azure technologies to ensure that users aren't affected by external demand.


Service usage metrics Yes
Metrics types - Users online status
- Last time user was online.
- Metrics around communications distributed and actions taken within them.
- Metrics around which devices users have viewed communications on.
- Metrics around process efficiency and communications.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach There is no requirement for users to export their data. Role-based administration can be used to permit users to export data in either CSV or database format.
Data export formats
  • CSV
  • Other
Other data export formats Database Format
Data import formats
  • CSV
  • Other
Other data import formats Active Directory

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Premium: Monthly up-time percentage of at least 99.95%
Standard: Monthly up-time percentage of at least 99.90%

Customer eligible to receive Service Credit in the event that Heed does not meet these commitments.
Approach to resilience Available on Request.
Outage reporting - Email Alerts
- Public Service Status
- Other outbound communications.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Access Management and Access Control to restrict access to management interfaces and support channels are controlled in accordance to IOS27001:2017, including role-based permissions to ensure access, is limited where necessary.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 The British Assessment Bureau - UKAS accredited certification body
ISO/IEC 27001 accreditation date 07/12/2017
What the ISO/IEC 27001 doesn’t cover Nothing, we received a perfect score.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications CREST Approved Certification

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Heed follows the principles and controls outlined by ISO27001:2017, as well as the new GDPR.

The following policies are in place Acceptable Use Policy, Access Control Policy, Asset Management Policy, Clean Desk Policy, Data Breach Response Policy, Disaster Recovery Plan, Heed Software Business Management System,Operations and Communications Security, Password Policy, Physical and Environmental Security Policy, Statement of Applicability, Systems Acquisition, Development and Maintenance.

All are subject to review on an annual and bi-annual basis. Training for employees is conducted during the new hire process or when a change has been made to the current policies. Logs and reports are kept for reporting purposes including Internal Audit Report, Customer Complaints Form and Risk assessment Log (including all other logs). Any highlighted reports are discussed during the weekly management meeting.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The following list should be ensured when changes are implemented:

* Effectiveness of the change will be tested

* Compatibility within the existing systems

* Documentation updated

* Assessment of its impact against other applications, databases, operating systems, and processes.

* Formally approved during management meetings prior to implementation

* Audits will be logged

* Timeline of the implementation to set expectations with the team and parties affected.

The changes will be documented and logged for reference. The Technical Director, and Information Security Manager will work with those directly involved and affected to ensure completion without jeopardising Heed’s information security.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Management of technical vulnerabilities will be covered in the risk assessments. Review and monitoring of technical vulnerability will be a recurring process. Included in the vulnerability management process:

Processes clearly defined for monitoring risk assessments, patching, asset tracking and coordination.

Information Security Manager and the Technical Director must collaborate to create correct documentation for future reference.

Risk assessments of any relevant changes, updates, or patches should be carried out to compare the system with and without the changes.

Any change or update should be undergo testing before implementation.

Any high risk or particularly sensitive systems should be prioritised.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Risks are identified together with a rating as to the importance of the risk. Each group of assets (including people, technology, and environment) will be analyzed by identifying related threats, controls in place, vulnerability, consequences, and likelihood. The Information Security Risk Assessment document is reviewed frequently by the Information Security Manager.

Evaluations are drawn for each threat as to what the most appropriate action is together with the estimated cost of implementing action to address the identified issue. Key evaluation criteria used will be Accept Risk, Apply Controls, Avoid Risk and Transfer Risk.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Heed has predefined processes for common events, whether they be a data breach, Information Security related or disasters. External users are able to report incidents through various different methods, both email, phone lines, incident support portal etc. There are also predefined processes internally for the reporting of Incidents, management of Incidents and resolving/ reporting of Incidents also.

All Incidents are reported with a predefined set of requirements and the relevant parties will be informed as aptly as possible. This is all conformant with certification ISO27001:2017

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2 per unit per month
Discount for educational organisations Yes
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑