Forfront Limited

e-shot™ marketing automation platform

e-shot can help you modernise your email and SMS strategy and embrace more efficient and targeted ways of communicating, whilst delivering the highest data protection and security standards that are essential to public sector organisations.

e-shot’s user-friendly interface gives you extensive campaign and contact management, analytics capabilities, and an Open API.


  • Email and SMS marketing and communications
  • Easily design and edit high impact, responsive, beautiful emails
  • Marketing automation
  • GDPR-compliant contact subscription and preference management (including data collection)
  • Dynamic content and personalisation based on data-driven variables
  • ISO27001:2013 and Cyber Essentials Plus accredited and NCSC compliant
  • Self-documenting Open API and bespoke integration
  • Role-based user configuration; full activity audits; unlimited users
  • 2FA (enforceable) and Microsoft authentication (SSO)
  • Campaign reporting, analytics, engagement metrics and deliverability dashboard


  • Use professional high impact ready to send templates
  • Drive behaviour change using email and SMS marketing campaigns
  • Deliver contact-centric communications automatically and analyse interaction
  • Free up resources by automating processes and sending dynamic updates
  • Manage up to 50 brands or departments through one interface
  • Send through official domains e.g. or
  • Email security and anti-spoofing follows NCSC guides
  • Government baseline personnel security standard (BPSS) customer success team
  • UK based infrastructure, data storage and operations
  • Use channels that provide the best Return on Investment (ROI)


£249 a licence a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

306281752722099


Forfront Limited Daniel Hare
Telephone: 020 3320 8777

Service scope

Software add-on or extension
Cloud deployment model
Hybrid cloud
Service constraints
We always proactively inform our customers of any scheduled maintenance or if there is an issue affecting the services both by e-mail and on the e-shot™ dashboard. In the case of peak time traffic overload, we apply contingency in the form of intelligent delivery procedures in order to protect the reputation of our customers’ domains and IPs.
System requirements
Requires internet access

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our Customer Success team will respond promptly during standard support hours. Monday - Friday, 8:30am - 6pm.

Median first response time (Jul - Dec 2021) was 57 seconds.  

Median time to close (Jul - Dec 2021) was 1h 24m.  

24/7 support is also available for critical issues. Our team also proactively monitor our systems 24/7.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We have not systematically undertaken testing of this nature.
Onsite support
Yes, at extra cost
Support levels
Support is included as part of your software subscription. Our Customer Success team provide remote support for a full range of issues including technical support, training, best-practice advice, account management and administration.

On demand support materials are also provided in the form of videos, interactive guides, written guides and help documentation.

We also provide proactive support to ensure customers can derive maximum benefit from using our solutions.

Priority is given to issues that prevent a customer from using the software to complete a time sensitive task as per our published SLAs. Should a support requirement be deemed as consultancy, then additional charges may apply.

Our Customer Success team are supported by our technical teams including Infrastructure, Deliverability and Development. Technical Account Management is provided by the Customer Success team and Cloud Support is provided by our Infrastructure team who continually monitor our solutions and solve issues proactively.
Support available to third parties

Onboarding and offboarding

Getting started
We offer a fully managed onboarding service. Our G-Cloud pricing document sets out various onboarding options that represent a typical deployment for different use cases and different types of public sector organisation.

Our onboarding team will provide project management, consultancy, training and design work to get things set up to your specific requirements. Simple projects can be delivered in days. Projects for larger organisations typically last between 6-8 weeks depending on the requirements in areas such as integration and migration from another solution.

New user training is included as standard at any time and our team can also provide bespoke training remotely or in person.

For all G-Cloud customers we provide a dedicated testing account, support for official domains and proactive DNS monitoring via NCSC Mailcheck.

GovDelivery Migration service is also available.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The platform caters for bulk data export via UI or API with relevant permissions.
End-of-contract process
The contract will end at the point the licence expires, unless a renewal is agreed. The licence includes the purchased software, hosting arrangements, all product updates and standard support.

All data, reports and templates are available for extraction up until the date of leaving without charge. Once the deadline has been reached, the account is closed and archived. After this period the account will be deleted from the system and only an archived backup copy will be kept for the period required by data protection guidelines.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Email and campaign authoring is only available on desktop service. Mobile service is restricted to reporting and analytics.
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
What users can and can't do using the API
E-shot™ has a REST API that is accessible over HTTPS.

API access is granted by an API key that can be restricted to specific sub-accounts and IP addresses where necessary. API key requests must be submitted by an authorised administrator via our support system. The appropriate login credentials are then supplied to the client who will use these credentials in all API requests made to e-shot™. Further documentation detailing the functionality available for the APIs can be found at:

The REST API has full read and write capabilities over the main entities including contacts, campaigns, sources, groups and website activity.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
E-shot™ can be customised extensively to accommodate different needs with control over user management, branding, templates and sending identities.

e-shot™ can also be set up into sub-accounts so that different organisational units can have their own customisations.

Each e-shot™ sub-account can be white-labeled by a customer to have their own logo that appears on the UI and reports sent by the system.

Individual users can customise reporting and analytics and certain elements of the UI.

From an API perspective, customisation is extremely versatile with e-shot™ functions built into third party systems on a bespoke basis where needed.


Independence of resources
The e-shot platform is housed on its own infrastructure in a secure UK data centre with scalable architecture and significant headroom.

Each client's data is stored on a separate database dedicated to that client.


Service usage metrics
Metrics types
All interactions with a campaign sent by e-shot are tracked and reported in real time. Data is recorded against the sent Campaign and individual Activity Log of each contact.

Graphical presentation of opens, clicks, forwards, unsubscribes and bounces of every email campaign you send. Build and save custom reports that can be configured with all the power of a database query from within our user interface.

Saved custom reports can then be run with a single click and shared throughout your organisation.

All service usage metrics are also available via API integration.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Via user interface
Data export formats
  • CSV
  • Other
Other data export formats
Via API or integration
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Via API or integration

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The platform operates at 99.9% availability with scheduled maintenance windows out of hours. Customers are immediately informed if there is an issue affecting services via e-mail and platform notification. If it is a high or crisis priority issue, the customers will be periodically updated with the status. All the time frames above are based on the working hours schedule 09:00 – 18:00 Monday to Friday excluding Public Holidays. Please refer to the Forfront Service Level Agreement PDF for full details.
Approach to resilience
High availability architecture
Outage reporting
Outages detected by our monitoring systems result in 24/7/365 notifications to the Operations Team. They would triage and if necessary, escalate these issues.

Clients are notified in the dashboard and by email to the client's authorised administrator. Details of cause and mitigation available on request.

Any serious unexpected or long outages result in communication to authorised administrators of affected customers. Details of cause and mitigation available on request.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Username and password.

Restriction based on IP can be implemented upon request.

e-shot includes the ability to be authenticated using MFA and enforce this on all users of an account, as well as the ability to login using your Microsoft account details.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
The management of the e-shot™ platform can only be performed from a separate Office network which is linked via a dedicated/permanent IPsec Site-to-Site VPN Tunnel. This VPN Tunnel is protected by AES256 encryption and SHA256 authentication with a pre-shared key. Access via this Site-to-Site VPN is further restricted at user level to only authorised personnel by 3rd party software with an encrypted username and password.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
URS Holdings (United Registrar of Systems) A UKAS accredited organisation
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Not Applicable. All Forfront activities, including those related to the provision of the e-shot platform are covered by the ISO27001:2013 certification.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
DMA DataSeal

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We are ISO 27001:2013 accredited and Cyber Essentials Plus Compliant. We have implemented DevOps processes and practices. The website adheres to the OWASP standards for web security.

Only tested code is promoted from Development to UAT to Production via use of automated deployment system. It is not possible for code to be promoted to Production without first going to the Development and UAT environments.

We review our implemented policies annually.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes requested to a system are written up into a UAC driven change request specification document, with supplied estimates for delivery. This takes into consideration standards agreed with the client; e.g. OWASP.

The deliverable components of a specification are created as tasks in our issue tracking system and assigned to a SPRINT delivery. Code changes are checked-in against a task to provide an audit that will be reviewed and tested.

Only the release management team can promote software to public facing environments. This is carried out using an automated delivery platform.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Issues encountered by users of the system go to first line support who will triage the issue. Issues encountered by the application or monitoring facilities are triaged by the Operations Team. These issues can be received by: Text, Phone, Web Chat or Email.

Triaging takes into consideration the impact of an issue according to our definitions associated with Critical, High, Medium and Low priority issues.
E.g. Critical issues are where the system is unusable or cannot be used to carry out critical business functions and no work around exists.

The following is a link to our SLA:
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Firewall logs and application notifications are monitored and Forfront can respond quickly to any incidents.

Cloud security services including WAF OWASP and DDoS protection.
Incident management type
Supplier-defined controls
Incident management approach
Users may report incidents by phone, email or via chat. Once escalated, we have incident management processes which cover roles and responsibilities for incident handling. Updates will usually be provided to affected customers in real time. Details of cause and mitigation are available on request to authorised administrator contacts.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Forfront recognises the importance of ensuring our business has a positive environmental impact.

Our products and services are maintained in a way that seeks to continually improve effectiveness and sustainability in accordance with legislation, international standards and best practice.

We integrate environmental considerations into everyday operations in a number of ways:

Reduce levels of energy consumption: We use energy efficient equipment; we use efficient LED lights for our office lighting, and we maintain a strict recycling policy.

Procure items and services from sustainable sources: We obtain services, equipment, and power from providers that are committed to environmental protection – such as our current hosting partner, one of the UK’s most energy efficient data centres, which uses 100% carbon neutral, renewable energy provided from UK wind farms. The centre maintains ISO14001 for best practice in environmental management. All equipment and infrastructure installed and sourced is of the highest energy efficiency rating possible.

Reduce use of consumables: We recycle equipment and limit the use of office consumables including paperless invoicing and other communication.

Reduce travel impact: We achieve this by using technology for collaboration and meetings. A significant proportion of our staff cycle to work and we have provided employees with facilities for bicycle storage.

Prevent and reduce pollution: We actively pursue the reduction of our use of substances and processes that adversely affect the environment.

Encourage employee awareness and participation: We encourage all employees to apply and practice this policy in our day-to-day operation.

The e-shot infrastructure is housed in one of the UK’s most energy efficient data centres, which uses 100% carbon neutral, renewable energy provided from UK wind farms. The centre maintains ISO14001 for best practice in environmental management. All equipment and infrastructure installed and sourced is of the highest energy efficiency rating possible that can be deployed.
Covid-19 recovery

We will continue supporting our team to manage and recover from the impact of COVID-19 with flexible working conditions including remote working.

Over the past 12 months, we have helped many of our customers to mitigate the impact of COVID-19 in their respective businesses with measures including additional consultancy, training and restructuring of commercial arrangements.

Over the past 12 months, we have also offered our services with the help of our local MP, to local schools, charities and other organisations who have been engaged in providing important advice or guidance to local stakeholders in relation to COVID-19:
Tackling economic inequality

Recruitment: We continue to develop and review our recruitment policies and employment conditions in line with the five foundational principles set out in the Good Work Plan. Our recruitment policy addresses recruiting for additional staff from the local area, in roles that encompass areas where there are known national skills shortages.

Apprenticeships: Additionally, we actively support the government apprenticeship schemes. We currently have 3 apprentices working at Forfront. We also continue to offer work experience and work placement opportunities to local schools and colleges and assess opportunities to widen this remit with each additional successful tender.

Continuing Professional Development: We fully support the team’s ongoing commitment to personal and professional development (CPD) and ensure that they are able to benefit from skills growth and undertake a minimum of 12 hours CPD per annum. We will look for ways to exceed this level where possible. The team will also continue to benefit from a range of internal training and distance learning materials on relevant topics including cybersecurity.

New Technologies: This forms part of a wider and sustained effort to embrace innovative and disruptive technologies for both our own operations and as part of delivering innovative solutions to our clients. In tandem with this, we continue to work towards ensuring we modernise delivery in areas including security, accessibility and collaboration.

Cybersecurity: We are committed to continually mitigating the risks of cybersecurity and have worked extensively over the past 12 months on this area. We have been accredited with Cyber Essentials Plus certification and implement the National Cyber Security Centre (NCSC) Cloud Security Principles. We also work closely with CISP and SEROCU Cyber Protect & Cyber Choices to help promote cyber security to SMEs and in Local Government. Find out more about our security commitments.
Equal opportunity

Forfront considers its social responsibility to the community in general and the local community in particular, as a core part of its DNA. Over the 20 years of its operation in the software provision business, it is extremely proud of its achievements in this area. The current workforce of Forfront includes:

Gender – male 56% and female 44%

Non-British nationalities – 39% from 6 different countries

Ethnicity – Asian or Asian British – 17%, Black, Black British, Caribbean or African – 6%, White – 72%, Other ethnic group – 6%

Disability – 17%

Apprenticeship – 17%

But there is always room for improvement, so we are constantly reviewing our recruitment process, our support for the local community with our apprenticeship scheme and other initiatives.

In this contract we are committed to applying the same equal opportunity principles as listed above.

As part of our commitment we also make sure that we use the same criteria when choosing our suppliers.

Our Executive Board of Directors is responsible for making sure that all diversity targets are met. We believe that the reputation of Forfront is improved by having a representative Board and committees.

Although it is not obligatory for a company of our size, we still display our statement of zero tolerance to modern slavery and human trafficking, both in our organisation and anywhere in our supply chain. We incorporate measures to identify, mitigate and manage modern slavery risks in our activities and those of our supply chain.


Our procedures include structured activities at the beginning and end of each week for all staff, designed to promote health and wellbeing.

Through our optional private medical insurance scheme, we provide staff who opt in with the facility to get a health assessment and access to professional support and advice in relation to physical and mental health.

As an organisation, we have made The Commitment to the 6 Standards of Mental Health at Work.


£249 a licence a month
Discount for educational organisations
Free trial available
