Upland Software


A leading provider of innovative marketing technology software and services, Adestra’s industry-leading email platform helps companies and organisations communicate more effectively with their customers and subscribers. Robust reporting features allow marketers to efficiently evaluate and optimize their campaign results.


  • Multi- tenant account and reporting structure
  • Advanced reporting and customer intelligence
  • In app support
  • Account management and customer success
  • Easy to use platform
  • Open platform
  • Automated journey builder
  • Targeted segmentation and personalization
  • Deliverability
  • Digital design studio


  • Customiazble account structure
  • Actionable insights
  • Real time export support
  • Proactive account management and customer success lead approach
  • Low resource up skill and speed to market
  • Easy to connect with the existing marketing stack
  • Timely, relevant communications without the heavy lifting


£350 per unit per month

Service documents


G-Cloud 11

Service ID

8 9 2 5 3 1 3 2 4 9 1 1 2 5 8


Upland Software

Dominic Aelberry

+44 (0) 800-048-8575


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints N/A
System requirements
  • Internet browser
  • Internet connectivity

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Email response time is typically 2 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Users can access the web chat feature via logging into the platform. No installation of any software is required by users to access this feature. The web chat functionality allows the support team to converse with and view the users actions and provided the appropriate required support.
Web chat accessibility testing N/A
Onsite support No
Support levels Support levels are the same for all clients for the standard working day. Out of hours support is provided as an additional cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started You will be assigned a dedicated Project Manager as part of your account set up to ensure your migration to MessageFocus runs as smoothly as possible.

We can complete simple account setups within 1-2 weeks, however exact timescales will depend on the complexity of your account and the level of integration required.

A typical account set-up will follow these stages:

Data Source Questionnaire
Testing and Acceptance
Go Live
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Customers are required to request their data. Adestra will supply on receipt of the request. If data is not requested, data is retained for 3 months and then deleted. This can be brought forward at the customers request.
End-of-contract process Upon termination or expiry of the Contract:

the Customer shall immediately pay to Adestra all of Adestra's outstanding unpaid invoices and interest and, in respect of Products used and Services ordered but for which no invoice has been submitted, Adestra may submit an invoice, which shall be payable immediately on receipt; and
all rights to use or access the Products and/or the Platform granted to the Customer under the Contract shall terminate.

Following termination or expiry of the Contract:

Adestra reserves the right to cease responding to, recording, collecting or processing any data arising from the subsequent use of the Products that were previously provided under the Contract; and
Adestra will, after 3 calendar months from termination or expiry, (or sooner if the Customer so requests and all charges due have been paid, or later if the Customer so requests and pays Adestra data storage charges at its then prevailing rate) permanently delete all Customer Data in its possession.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface MessageFocus is a cloud-based email marketing system capable of sending large volumes of highly-targeted responsive emails, and gathering reporting and ROI information. The MessageFocus system is built across dozens of discrete servers running a combination of proprietary, third-party and open source software.
Accessibility standards None or don’t know
Description of accessibility MessageFocus is a cloud-based email marketing system capable of sending large volumes of highly-targeted responsive emails, and gathering reporting and ROI information.
Accessibility testing N/A
What users can and can't do using the API The MessageFocus API allows users to develop software to manage their MessageFocus account remotely. This can be used for various things, such as: building sign up forms, integrating your CRM or data analysis system, sending transactional emails from your website, as well as creating and launching campaigns automatically and more
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The multi tenant account structure can be customized, in most cases companies will replicate their existing business structure.
User access rights can also be customized depending on the role and the customers business structure.


Independence of resources All hardware is never used to above 70% capacity. The system infrastructure can be easily scaled to accommodate user demand and and when required.


Service usage metrics Yes
Metrics types Campaign reporting will include the standard summery, which includes the metrics outlinded above.
In addition to these statistics, the following additional reports are generated for each campaign:
Links Report
Inbound Report
Forms Report
Conversion Report
Social Report
Timeline Report
Heatmap Report
Email Clients Report
Geo Tracking
Domains Report
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach Data at rest encryption.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data is typically exported via the export manager. This would be as a CSV file to a SFTP.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Adestra will during a Service Period use its reasonable endeavours to ensure that neither interface uptime nor tracking uptime (as published on the “status” page on the Adestra website) will be less than 95%, disregarding planned maintenance and maintenance of which notice is given under, in any calendar month.

Platform uptime can be monitored publicly at:
Approach to resilience The MessageFocus infrastructure is designed to be modular and robust, with no single points of failure and security at every level:
• All hardware is collocated in Tier 3 or Tier 4 datacentre facilities
• N+1 or 2N+1 network hardware redundancy
• Redundant cooling systems, power delivery and networks.
• 15kW backup power with 30 hours of fuel in case of complete power failure
• Multiple uplinks for reliable connectivity
Outage reporting Platform users can view the system status publicly at https://status.adestra.com/. Users are able to register for updates via email, text message or Atom / RSS feed

Statistics available include:
Platform Interface
Hosted Images and Files
SFTP Servers

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Access to customer accounts for management purposes is restricted by IP address, limiting access to our offices only. In addition, users are required to enter a username, password and one-time passcode generated by a hardware two-factor authentication token. Further restrictions in the platform prevent our support staff from downloading data from customer accounts.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 The British Assessment Bureau
ISO/IEC 27001 accreditation date 04/04/17
What the ISO/IEC 27001 doesn’t cover Our ISO27001 accreditation only covers our data centers and our head office in Oxford. It does not cover or apply to any satellite office.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Data Seal

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes As part of our controls we have policies and procedures in place for Acceptable Use, Access Control, Asset Management, Business Continuity, Data Security, Incident Management and Operations security.

Information security risks are regularly reviewed and assessed through the key areas of Vulnerability, Probability and Impact. Following this analysis, risks are prioritised and evaluations are drawn as to what the most appropriate action.

A security audit schedule is prepared on an annual basis. We use a combination of internal audits and an external third party auditor.

Any non-conformances are logged and corrective and preventative actions are monitored and documented through to completion.

Formal management reviews take place every 6 months, with an informal catch up every month. The attendees present are ‘ISO Business Management Team’ and any other appropriate persons of the business.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change management generally include the following steps:

Planning - Planning the change, including the implementation plan, schedule, communication plan, testing plan, roll-back plan.
Evaluation - Evaluate the change, including determining the priority level, risks of the proposed change, change type and the change process to use.
Review - Review the change with Change Advisory Board or Change Manager as appropriate
Approval - Obtain approval for the proposed change by the Change Manager
Communication - Communicate about changes with stakeholders
Implement - Implementation
Documentation - Document the change
Post-change review - Retrospectively review the change with plans to improve the process
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach High priority issues are:
Designated high priority by the software vendor
Designated as high priority by external penetration test
Affects our public facing services
Widespread media attention

Medium priority issues are:
Designated medium priority by the software vendor
Designated as medium priority by external penetration test

Low priority issues are:
Designated low priority by the software vendor
Designated as low priority by external penetration test

High risk vulnerabilities will be patched as soon as possible after discovery

The methods used to discover high risk vulnerabilities include:
Penetration report
Vulnerability scans
Notifications from vendors
Protective monitoring type Supplier-defined controls
Protective monitoring approach We have an extensive monitoring suite that can detect anomolous behaviour, we use third party penetration testing and vulnerability monitoring services, and we employ technologies such IDS to identify potential compromises. Security incidents are treated with the highest priority, we target response times of 15 minutes to high priority incidents. Clients are notified or responded to as quickly as possible, but as leasdt within our 2 hour Support SLA.
Incident management type Supplier-defined controls
Incident management approach We follow an industry standard incident management process. Incidents are logged in a central system and staff are alerted via an automated alert system to ensure incidents are triaged quickly.

Users can report incidents via our support team or account manager. Incident reports are provided either directly to users via email from our support account management team, or via our automated status page.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £350 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑