Flowz Ltd

Work Flowz

No code automated work flow platform on which to create any business process or record keeping requirement. Designers determine granular access control such that steps in a process can be revealed as required in response to user activity or external input. SMS/Email/System messages are triggered as well as sub processes.

Features

• Bespoke process design
• Granular access controls
• Tailored activity response
• Subprocess triggers
• Responsive to organisation change
• Template marketplace
• Internal and external messaging
• Integrated governance controls
• Detailed reporting
• Single-sign on and or Active Directory integration

Benefits

• Management oversight of business operations
• Quality control of business processes
• Removes management by email dependency
• Exposes business systems to all necessary staff
• Provides audit evidence of compliance with policy
• Supports standards compliance
• Reduces risk
• Adjusts to business changes
• Responds to staff turnover (sickness, promotion, absence)
• Reduces organisational risk

£1.00 a user a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.stone@flowz.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

218038529854732

Contact

David Stone
07947052704
david.stone@flowz.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: The platform can take inbound and send outbound structured messages to any software with open APIs.; ; Some software publishes these, from which we can create an adaptor, or we can work with Zapier.; ; We work with external software integration coders where required to ensure our responsiveness to changing business needs.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: Although the system works on mobile devices perfectly well, users have a better experience on larger screens.
• System requirements:
  • Web browser
  • Device running web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Typically, less than 1 hour during normal UK working hours. ; ; Depending on the question, we have video calls to demonstrate a function or view a system behaviour to better understand an issue.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Any support requirement to understand how the platform works, or to understand why the user is experiencing a particular system behaviour, is included in the licence fee.; ; Support to design processes and responses in the system is charged extra.; ; Training, onsite or online, is charged extra. ; ; Bespoke functionality requested will be treated on a case-by-case basis. We have our own development team and if we consider the new function to be of a general benefit, we either wouldn’t charge or would charge a small amount. If the requirement is truly unique and of no use to other clients, we would charge for our development time.; ; Depending on the size of the customer, we may appoint a dedicated account manager to ensure that customer achieves maximum benefit from the platform. This customer account manager would ensure that training and adoption is widespread in the customer organisation and support the customer to achieve the organisation change necessary to make this happen.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We can provide onsite and online training, standard or bespoke documentation.; ; In the early stages, we provide onsite or online workshops for organisation managers to understand what the platform can do to support business process automation, quality control and risk management. We record these sessions and provide them to the customer for future access.; ; We are developing a structured training system to accredit Designers, Administrators and Managers, which will include annual updates.; ; From 2025, we will reinstate at least annual face-to-face events, which we used to have pre-COVID, to engage customers and share best practice. These were very popular and we know customers have been requesting these.; ; We also have a fairly active online community, where new users can post questions and have responses from the wider user community. This would be subject to each customer’s policies as some processes and records would be confidential.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We advise customers to extract whatever they want using the reporting tools on the platform. ; ; Support is available if required.
• End-of-contract process: At the contract termination date, we delete all of the customer’s data. There is no charge for this.; ; We take down their unique URL such that users can no longer login.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The API is tailored to user requirements. ; ; Work Flowz is a business process platform on which each customer designs their own processes. ; ; We design the API to import/export depending on the design of that customer’s process. The structure and content of the API is created for each customer, not automatically by the platform.
• API documentation: No
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Almost everything the user experiences is determined by the Designer of the process or record. What a user can see and do is all in the control of the Designer.; ; The menus, icons, menu order, ability to see content, write content, export content, etc., is all in the control of the Designer. ; ; Transition between process steps, state changes of incidences of processes, changes to the design of processes, reporting screens, etc. are all in the control of the Administrator. The Administrator also determines membership of Teams, Sites, and Groups.; ; The Manager has both the Designer and Administrator roles, and is also the only Role that can allocate the Designer and Administrator Roles. There can be more than one Manager.; ; The Manager is the only Roel that can incur costs. This includes allocating Designer and Administrator Roles, subscribing to additional storage space, and buying Process and Record Templates from the Marketplace.; ; We have in the pipeline the ability to change languages.

Scaling

• Independence of resources: Currently, we monitor this and receive reports from our host platform provider and scale up as required.; ; We are moving to elastic resourcing on AWS in 2025.

Analytics

• Service usage metrics: Yes
• Metrics types: Usage metrics depend on the chosen connection. Most customers use Single Sign On (SSO) via Active Directory (AD), from which they can produce their own usage metrics.; ; If our SSO module is used (Duende) we can generate the same usage metrics as can be obtained from AD.; ; Within a process or record instance, Filters and Views can be used to generate specific response times, user submissions, etc.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Each process and record instance has a dedicated menu page which includes customisation options of Views and Filters.; ; The table view generated can be exported using the MS-Excel button.; ; Custom Views and Filters can be saved for that user’s reuse. Custom Views and Filters can also be saved for all user use by Instance Administrators.
• Data export formats:
  • CSV
  • Other
• Other data export formats: .xlsx
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We don’t have this at the moment but would be happy to consider if a customer requirement.
• Approach to resilience: We use a specialist data centre in London with failover in Kent. We haven’t had any downtime for years.; ; We are moving to AWS in 2025.; ; We take backups daily, and will be increasing these to hourly in 2025, with a view to more frequent as usage grows.; ; If a customer has a particular requirement, we would be happy to address this.
• Outage reporting: Email alerts - we haven’t had one for many years (at least 5 years)

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: In the software, security configuration controls are only accessibly to Managers.; ; In the company, there are only three people and we each have access to ensure resilience to appropriate tools.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials Plus
• Information security policies and processes: We are a three-person company. We commission Cyber Essentials Plus on the company and external CREST-certified testing annually.; ; Our product and company policies are updated and assessed annually as required by changes in our internal or external environments and or recommended by our security audits.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes are assessed and tested by the team in QA, and then released into UAT for customer testing before being published to Live.; ; Security is considered at every step and our security policy principles applied and checked.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to services, including NCSC, that monitor the external environment for emerging threats and address these in the system design.; ; Where an identified threat could exploit a vulnerability, this becomes a priority above everything for our developers and a patch is developed, tested and deployed ahead of anything else.; ; Typically, depending on the severity, this can take from a few hours to a few days.; ; For example, in our 2023 security audit, the amber issues identified were corrected in two days.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Platform activity is monitored as a part of our service package from our host. Any unusual traffic is notified immediately. If at potentially damaging levels, the host will close external connections. Suspicious activity is notified and investigated immediately.; ; If a compromise is discovered it is assessed for severity and, in the most extreme event, the platform could be taken off line until fixed.; ; In such an event, patching the vulnerability would be a priority for all staff, and the focus of development until a patch is tested and deployed.
• Incident management type: Supplier-defined controls
• Incident management approach: All incidents are reported to the Managing Director, who determines response. In the unlikely event the Managing Director isn’t available, the Senior Development Engineer is authorised to act.; ; User reported incidents come to the helpdesk.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Our product is designed to use the least possible processing power to reduce electricity consumption.; ; All of our staff work from home and communicate using online services (MS-Teams, WhatsApp) and only travel to meet face-to-face once a year.; ; We do not produce anything on paper and nothing is printed.; ; Redundant hardware is securely cleansed and sent to charities for reuse.

Pricing

• Price: £1.00 a user a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We set up a complete copy of the platform with sample processes and records. Everything is deleted at the end of the trial unless the customer wants to licence.; ; There is no limitation in the software.; ; Time is by negotiation - up to 12 months for a proof of concept

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.stone@flowz.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.