DutySheet Ltd

DutySheet: Online Volunteer Management

DutySheet is the UK's leading volunteer management system. Accessible via any internet enabled device and with its user friendly design, DutySheet allows volunteers to log & manage their shifts, view upcoming events, communicate with colleagues and supervisors, keep their details up to date.


  • Volunteer Management
  • Event Management
  • Communications via Email, Internal Messaging, SMS, Announcements, Event Feedback
  • Skills Database
  • Document Library
  • Expenses
  • Personal Development Plan (PDP)
  • Personal Development Review (PDR)
  • Working Time Regulation Compliance
  • Remote access


  • Increased volunteer retention
  • Accurate reporting on volunteer activities
  • Streamlline volunteer management using proven workflows
  • Self service allows volunteers to keep details up to date
  • Plan and manage volunteer deployment
  • Central repository of all volunteer based data
  • Identify areas of improvement through inteligence
  • Central repository of all volunteer based data
  • Mobilise volunteers with ease and speed
  • Comprehensive support


£23.92 to £35.07 per user per year

Service documents


G-Cloud 11

Service ID

9 0 1 6 9 7 5 7 0 8 9 8 5 7 2


DutySheet Ltd

Matthew Hayes



Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Internet connection
  • Web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
See SLA for info.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Access to our UK Telephone helpdesk. We back our 99.95 uptime guarantee with a robust SLA. Maximize your technology investment;
Support from DutySheet experts to ensure early success;
Wealth of knowledge from UK police forces;
DSSG - DutySheet Steering Group Access.
Support available to third parties

Onboarding and offboarding

Getting started
User data is imported by DutySheet staff who then train all supervisors on the functionalities of the system.
Service documentation
Documentation formats
End-of-contract data extraction
When requested in writing, DutySheet can provide a full export of all user data in Excel format.
End-of-contract process
Customer system is disabled which blocks access to all users. Data is retained for 12 months unless customer requests otherwise.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Fully responsive mobile app.
Service interface
What users can and can't do using the API
The API is not accessible by end users of the system and is only used for mobile App and other external integration processes with DutySheet.
API documentation
API documentation formats
  • PDF
  • Other
API sandbox or test environment
Customisation available
Description of customisation
Administrators for the organisation have access to tools that allow them to configure most of the settings of the system. They have access to their own help centre section which details how to configure the system.


Independence of resources
Our DRS enabled VMWare infrastructure allows us to dynamically increase resources to our service if there is a large surge of activity. This is automatically handled by Vmware.


Service usage metrics
Metrics types
Authorised users have access to real time usage statistics how many users have logged in to the system along with a live view of number of users currently logged in.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
Sensitive data is encrypted at rest using AES 256 salted hashing.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
There are built in export tools.
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
We also follow ISO 27001: 2013 Annex A policies and controls 13 for communications security and 14 System Acquisition Development and Maintenance that address data in transit.

Availability and resilience

Guaranteed availability
Our Commitment:

We understand that any interruption to service is too much. So we've set the bar high because we believe that you should be able to depend on the service you need to run your volunteers. This is why we offer an SLA to organisations that guarantees 99.95% monthly uptime. If you’ve read software SLAs before, you’ll know that they can be pretty confusing. So we made ours simple and transparent.What happens if we fail to hit our target in any given month?

If we don’t meet our 99.95% monthly uptime guarantee, we’ll refund you 5x whatever you paid us for that period of downtime.

If our uptime falls to 99.94% in a given month, that results in about 26 minutes of Downtime. We’ll give you service credits equivalent to 5x your organisations cost for that period of time. Service Credit can’t be exchanged for cash (monetary compensation); it is added as a credit on your account and, as always, we use any credits you have first, before charging you.

Service credits are capped at a maximum of 30 days worth of paid service for your organisation.
Approach to resilience
DutySheet runs a MySQL cluster which uses synchronous replication through a two phase commit to guarantee that data is written to multiple nodes upon commitment. Database updates are synchronously replicated between the cluster members to protect against data loss and fast automatic fail over in the event of node failure.
Outage reporting
Publicly available status updates on website.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Management interfaces are tied to the company network and/or use two factor authentication.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials
  • Police Approved Secure Facilities (PASF)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Police Approved Secure Facilities (PASF); --

We are working towards ISO 27001:2013 so follow all the security policies and controls based on our Statement of Applicability. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.
Information security policies and processes
We are working towards ISO 27001:2013 so follow all the security policies and controls based on our Statement of Applicability. The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also a senior leader. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our secure development, change management, testing and asset management polices are comprehensively documented as part of our ISO 27001:2013 information security management system including in line with Annex A 8 (assets) and 14 (secure development) of ISO 27002 .
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic. We respond with; blocking of source IP addresses, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences via SIRT. Real time monitoring takes place with immediate response for suspicious alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
DutySheet has a comprehensive internal information security incident management policy and its practices follow Annex A 16 for ISO 27001: 2013. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.
Our processes are ready for EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£23.92 to £35.07 per user per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑