CivicActions, Inc.

DKAN Open Data Portal

DKAN is the Drupal-based open source open data platform that allows governments to publish data to the public, provide visualizations and data stories and create internal analytics dashboards.


  • Publish data through a guided process
  • Customize your own metadata fields
  • Import data via API/harvesting from other catalogs
  • Store data within DKAN or on external departmental sites
  • Manage access control & version history with rollback
  • INSPIRE/RDF support & user analytics
  • FISMA-certified cloud hosting options available
  • Integrated CMS & blogs
  • Open source code base


  • Explore, search, add, describe, tag, group datasets via web front-end
  • Explore, search, add, describe, tag, group datasets via API
  • Collaborate with user profiles, groups, dashboard, social network integration
  • Use metadata and data APIs, data previews and visualizations
  • Let entrepreneur develop new businesses and markets
  • Simplify data access for members of the public
  • Increased transparency and accountability


£14814.81 to £74074.07 per instance per year

Service documents


G-Cloud 11

Service ID

8 7 5 3 3 9 2 2 3 0 7 6 2 5 2


CivicActions, Inc.

William Ogilvie

(202) 415-0947

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints As needed CivicActions schedules downtime for routine maintenance or system upgrades for its Services. CivicActions exercises commercially reasonable efforts to schedule Scheduled Downtime outside of peak traffic periods for each customer.
System requirements
  • Internet Connection
  • Supported browsers

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Our support desk prioritizes support requests based on priority categories. Category: Critical (Production system is down; or operations severely impacted; or critical security issue). Response Time: 2 Business Hours. Resolution Time: 4 Business Hours. Category: High (Significant disruption of operations; workaround is inadequate; or security issue.) Response Time: 4 Business Hours. Resolution Time: 2 Business Days. Category: Medium (Moderate or low impact on the customer’s business operations with workaround.) Response Time: 12 Business Hours. Resolution Time: 7 Business Days. Category: Low
(Issue is minor, without significant impact.) Response Time: 24 Business Hours. Resolution Time: May vary.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support No
Web chat support No
Onsite support No
Support levels For all customers, we provide Unlimited Tier 1 Support tickets, plus a set
number of monthly Tier 2 and Tier 3 Support tickets based on the Support Level. Customers may purchase additional managed service hours. Tier 1: Basic help desk resolution and service desk delivery Support for basic customer issues such as solving usage issues and fulfilling service desk requests that need IT involvement. This includes using the standard features of DKAN and assistance resolving or working around known problems. Tier 2: In-depth technical support Support personnel and/or engineers with deep knowledge of the product or service, consult on issue. Tier 3: Expert product and service support Support from the most highly skilled product specialists, may include the creators, chief architects, or engineers who created the product or service. Bronze Support: Unlimited Tier 1 Support requests for 1 individual; 3 Tier 2 or 3 escalations/month. Silver Support: Unlimited Tier 1 support for 3 individuals; 6 Tier 2 or 3 escalations/month. Gold Support: Unlimited Tier 1 support requests for five (5) named individuals; ten (10) Tier 2 or 3 escalations/month. See pricing sheet for support level costs.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started New CivicActions DKAN customers receive online training sessions to get them started, and hold regularly scheduled online check-ins with an account manager who can answer use questions. Complete documentation is available online, and customized trainings and guides can also be provided on an as-needed basis.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction Since the DKAN software is open-source, the basic structure of the website can be replicated at any time. At contract end, a complete export of website data can be made available to customers so that they can install a new copy if they so choose. Open data content from DKAN websites is also publicly available at all times via API and JSON, making export of that content easy and automatable.
End-of-contract process All data is transferred to the customer. Customers also have the option of requesting DKAN being installed on their own hosting platform and all of the data migrated for an additional one time cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service DKAN uses media queries to create different layouts for optimal mobile,
tablet and web experiences. DKAN is designed "mobile first" to ensure
that mobile uses have the best possible user experience.
Service interface Yes
Description of service interface N/A
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing We use the Pa11y continuous integration tool to ensure that DKAN is accessible for users using assistive technology. We test to assure adherence to the latest WCAG and EN 301 549 standards.
What users can and can't do using the API DKAN has a REST API for accessing the catalog metadata and data.
Anonymous users can query the catalog via an API as well as data stored
in the catalog's datastore. Credentialed users can create, edit and delete
site content as well as add, remove, or edit items in the datastore. DKAN
also has DCAT compliant RDF endpoints as well.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation DKAN provides a full administrative interface which allows users to
customize the content and look and feel of the site. Administrators can change page layouts, colors, and add and remove users with a number of different roles. There are a number of modules that can also be turned on or off per request. Some of these modules include "workflow", which creates a review system for new and existing site content. There are also a number of integrations that can be enabled by request including Carto or AWS services for consuming and sharing data. Finally new sections of the site can be added such as a blog or new section, feedback section or other requested site features.


Independence of resources DKAN is hosted on Acquia Cloud Enterprise (ACE) which is designed for high availability, with guaranteed 99.95% uptime. ACE is built on AWS services and offers high availability by using multiple AWS Availability Zones (AZ) with redundant servers serving each layer of the technology stack. A load balancer is deployed with a hot standby in a different AZ in the same region. Web servers use a shared network file system (GlusterFS). A scalable database cluster serves the application. DKAN is also available with a hot standby in an alternate region providing live failover capabilities.


Service usage metrics Yes
Metrics types DKAN uses Google Analytics for metrics. Clients are provided full access to the Google Analytics dashboard. An analytics dashboard can also be enabled in the catalog upon request.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach DKAN's hosting provider complies with the following security and
privacy standard's: SOC 1 (SSAE No. 16 and ISAE No. 3402); SOC
2; ISO 27001 certification; FedRAMP; FISMA; CSA STAR (Cloud
Security Alliance Security, Trust and Assurance Registry); EU cookie
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Anonymous users can query the catalog via an API which allows them to export the full catalog metadata. Anonymous users can also save files added to the system and can save data from the datastore which is also available via API. Additional file types can be added per request.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • JSON
  • XML
  • RDF
  • XLS
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • JSON
  • XML
  • RDF
  • XLS
  • PDF
  • Any file type can be uploaded

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability DKAN on Acquia includes 24x7 infrastructure and application monitoring with guaranteed 99.95% uptime SLA.
Approach to resilience DKAN is hosted on Acquia Cloud Enterprise (ACE) which is designed
for high availability, with guaranteed 99.95% uptime. ACE is built on
AWS services and offers high availability by using multiple AWS
Availability Zones (AZ) with redundant servers serving each layer of the
technology stack. A load balancer is deployed with a hot standby in a
different AZ in the same region. Web servers use a shared network file
system (GlusterFS). A scalable database cluster serves the application. DKAN is also available with a hot standby in an alternate region providing live failover capabilities.
Outage reporting Our hosted DKAN provides 24x7 monitoring. If there is any kind of outage that will be reported immediately to the client via email. Our support is available 24 hours a day by phone.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels DKAN uses Drupal-based permissions and authentication systems.
Administrators can create new users, or can allow new users to request
access. Users are typically defined with standardized permissions
roles: Anonymous users (not logged in, can view and search published
content); Content Creator (authenticated user, can add certain content
types); Editor (authenticated user, can create and edit content within
their site group); Site Manager (authenticated user, can manage admin
functions and other users), Administrator (can access all site functions).
The primary customer support channel requires a login and password;
users can create their own, or submit questions by email.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman & Company, LLC
ISO/IEC 27001 accreditation date 06/02/2018
What the ISO/IEC 27001 doesn’t cover The certification covers the hosting infrastructure for the catalog. It does not cover the DKAN application itself.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 12/1/2013
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover The CSA STAR certification covers the Acquia cloud hosting infrastructure. The DKAN application is not covered.
PCI certification No
Other security certifications Yes
Any other security certifications
  • NIST SP 800-53 Rev. 4
  • NIST SP 800-63 Rev. 3
  • NIST SP 800-171 Rev. 1

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We have defined and documented common security controls based on NIST SP 800-53 (Federal), NIST SP 800-171 (non-Federal), and the new NIST Cybersecurity Framework. The CivicActions development, operations and management teams are trained in these common controls.
Information security policies and processes Specific client needs may append to CivicActions commons control baselines (based on NIST standards). Reporting through the CivicActions security office to the customer's information security officer.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach DKAN is hosted on Acquia using Amazon Web Services (AWS) data centers; Amazon maintains service agreements with the hardware and software manufacturers in use in its data centers, which is necessary to achieve ISO 27002 and SAS70/SSAE16 audit certifications. DKAN on Acquia uses custom APIs and central management tools to provision hosting clusters, attach storage volumes, and install software and dependencies. Acquia also uses these central management tools to manage OS and platform configurations and to apply security patches. DKAN is audited via OWASP Zed Attack Proxy to ensure application security.
Vulnerability management type Supplier-defined controls
Vulnerability management approach DKAN is hosted on Acquia. Acquia obtains vulnerability information
from a variety of sources including US-CERT, the FBI, threat intelligence feeds, and vendor announcements. Upon receipt of this information, Acquia determines the criticality, risk, and applicability of the vulnerability, and takes necessary action to resolve it. In addition,
vulnerability scans are performed on a monthly basis to identify any
new vulnerabilities. A third-party penetration test is also performed
on an annual basis. Patching of these vulnerabilities is performed
based on the scan results and the Acquia triage and review. The DKAN application is audited periodically using Owasp Zed Attack Proxy.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach DKAN on Acquia features extensive security event logging and monitoring program. This includes many custom alerts and dashboards within the Security Information and Event Management (SIEM) system. These alerts and dashboards are specific to the platform and the threats customers face. The security, operations, and engineering teams proactively monitor these alerts and dashboards to look for specific (anomalous) events. The DKAN application has separate logging and monitoring with alert for high resource utilization. Potential compromises are assessed immediately. Incidents are responded to within 24 hours.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Yes, we have a written incident response plan. User's can report incidents through email. We provide reports through email.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £14814.81 to £74074.07 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑