RaceBest Ltd


Online entry, fee collection and result publishing for endurance events. Suitable for road and off-road running (10k, 5k, marathons) and triathlons. Includes dedicated landing page, online entry, online payment, team entry, entry management including offline entries, online promotion and direct email promotion to out subscribers.


  • Online ticket purchase and entry.
  • Online entry management for one or more events.
  • Publishing and promotion of your race and results.
  • Single or multi person entry with a simple forms.
  • Flexible entry form, UKA ready, and bespoke age categories.
  • Real-time collaboration to share the workload.
  • Charity donations can be collected as part of race entry.
  • Discount codes.
  • Direct email communication with your entrants.
  • Manual entry to handle offline entries, such as postal entries.


  • Manage all your races and entrants from one place.
  • Sell more tickets, fill your event.
  • Easy entry and ticket purchase with no login required.
  • Access on the move by mobile and tablet.
  • Reduce risk with our proven platform.
  • Collect more for your chosen charity with in-purchase donations.
  • Track how your race is selling in real-time.
  • Consistent and correct club names from our club database.
  • Entrant download suitable for chip and manual timing equipment.


£0 per transaction

Service documents


G-Cloud 11

Service ID

9 9 8 8 9 5 0 2 1 8 6 7 5 2 7


RaceBest Ltd

Phill Luby



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Currently only accepts Pounds Sterling.
System requirements
  • Standards compliant HTML web browser.
  • Works on Windows, Android, iOS, Linux and more.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Typically same-day including weekends and bank holidays.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support No
Support levels We have a single level of support by telephone and email and aim to answer all enquiries with one working day. We also take support requests through Facebook and Twitter.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Our system has been designed and is continually improved to eliminate the need for training. All documentation and help is embedded in the system where needed. Event organisers are able to sign up online and get their race listed in minutes without assistance. Support is provided by email and telephone.
Service documentation No
End-of-contract data extraction Entrant data, including all information captured except payment card data, can be downloaded at any time in CSV format for each event/race. Results are published and can be copied easily from the system at any time into a suitable spreadsheet. Race information can be printed or copied from the public pages.
End-of-contract process Access to data continues for up to five years after the event date after which entrant data is archived. Event information and results will normally continue to be published and available on our site. There are no additional costs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Every feature works on mobile and tablet as it does on desktop. Presentation is different to accommodate narrower screens on mobile and tablet.
Service interface Yes
Description of service interface The entire service is accessed online via a standards compliant web browser. Organisers (buyers) are able to fully configure their race from description, banner image to pricing. Entrants (your customers) can find your race and enter without logging in.
Accessibility standards WCAG 2.1 A
Accessibility testing We have both event organisers and entrants with visual impairments that have used our system for years. We regularly involve all organisers in testing new features and actively solicit feedback. As a high-traffic system that has been refined over years we quickly get reports of any issues that entrants encounter.
Customisation available Yes
Description of customisation Each event/race gets its own custom page with over a hundred options. Race organisers or collaborators can customise how races are described and how people enter. Main customisation includes race title, short description and full description, banner image, price points, discount codes, age categories, UKA affiliation, charity collections, custom entry fields, courseinformation and event information. Our specialist race configuration page walks you through all of the options to ensure your race is listed correctly to maximise entries.


Independence of resources We currently handle hundreds of events per year across dozens of customers with heavy usage spikes without incident. System use is highly predictable due the time-based nature of events and we use this to ensure we have sufficient capacity on key dates. We have automated monitoring in place and are able to scale the system at any time.


Service usage metrics Yes
Metrics types Live entrant numbers compared against entry limit across all races. Live statement of income and costs for each event. The statement covers each price point, charity, refunds and other costs separately.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Never
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach There is a download option for each event/race that provides a CSV file in various formats. There are download options specifically tailored for chip timing equipment.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Secure Linux Shell restricted to RSA keys.

Availability and resilience

Availability and resilience
Guaranteed availability Typically, we see no unplanned downtime for months. The service is occasionally interrupted for a couple of minutes during certain types of upgrade. We have not had an incident causing prolonged downtime for over three years.
Approach to resilience We use a public cloud infrastructure provider that has high levels of redundancy in all of their equipment across two data centres. We are able to move the entire system to a different provider within one hour should there be a total failure of their systems. The underlying database technology provides real-time multi-master replication, a feature that we mainly use for downtime-free upgrades.
Outage reporting We have an online dashboard provided by Uptime Robot covering the current status and last three months of downtime. This checks every 5 minutes and at the time of writing shows 100% uptime for three months.

Identity and authentication

Identity and authentication
User authentication needed No
Access restrictions in management interfaces and support channels Each event/race has it's own access control list allowing the creator to invite collaborators. All collaborators get the same level of access. Support is provided over email and phone and is not restricted, although we may take steps to verify the identify of the person requesting support for certain actions.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification First Data
PCI DSS accreditation date 24/01/2019
What the PCI DSS doesn’t cover Servers only, SAQ type A.
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach All our secure services are run at a third-party data centre with the security managed according to PCI-DSS and ISO 27001. We do not keep data on any other devices except for temporary handling. All our workstations are managed in line with Cyber Essentials, although we are yet to apply for accreditation.
Information security policies and processes As a micro-business, both the reporting structure and ensuring policies are followed is far less complex that in a larger business.

All security decisions and reviews are taken at board level. All security reporting is made by board members to the board. Infrastructure security is handled by a named board member.
GDPR compliance is handled by a named board member. We do not manage our own infrastructure, we use a cloud service that has a range of security accreditations. We do not have any workstations that share a network, either physical or logical, with our infrastructure except at its internet connection points.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes are approved by the board and peer reviewed before consideration for deployment. The board determines the level of testing that is appropriate and performs GDPR and security assessments. Testing options include the use of the main test environment and/or a live-data upgrade rehearsal on a staging system. Our cloud platform provides a management interface to track existing assets and their configuration throughout their lifetime.
Vulnerability management type Undisclosed
Vulnerability management approach Our infrastructure provider managed network and physical security in accordance with ISO27001 and PCI-DSS. We manage operating systems and install security patches automatically as soon as they are available, typically within one day. Our bespoke software tools provide information about out-dated or known vulnerable components used in our systems. Our testing includes verifying key multi-tenant separations in our system that divides access for different customers.
Protective monitoring type Undisclosed
Protective monitoring approach We use an automated monitoring system that makes regular checks of our systems and infrastructure. This is under continuous development and review.
Incident management type Undisclosed
Incident management approach Due to the rarity of security incidents, all incidents are referred to the company board, and the board will take action and produce incident reports where appropriate. Users can report incidents by email, telephone or social media.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0 per transaction
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑