XLeap GmbH

XLeap Managed Server (G-Cloud)

XLeap is secure facilitation software trusted by UK government departments and other UK public sector organisations for over 10 years. XLeap Managed Server (G-Cloud) is the enterprise-class deployment for large UK government departments or UK public sector organisations. The software service is hosted in London or Dublin as required.


  • Supports any facilitated meeting process. Virtual or face-to-face.
  • Personal flat-fee for unlimited concurrent meetings and participants.
  • Brainstorm workspace with anonymity and theming. Highlighting with sticky dots.
  • Discussion workspace for discussing multiple topics. Anonymously or by team.
  • Rating workspace with all customary rating methods. Multi-criteria analysis.
  • Presentation workspace for crisp scalable slide shows. Interactive feedback channel.
  • Full and instant reports easily stored in SharePoint, MS Teams
  • Process templates for easy reuse and sharing of best practice.
  • Easy collaboration between Hosts (Co-facilitation).
  • Video conference included (voice, video & screen sharing).


  • Intensive interactivity and collaboration alongside existing conferencing platforms.
  • Stakeholder engagement, cross government, and managing complex stakeholder groups.
  • Inclusive and diverse group working, giving space to diverse voices.
  • Advanced prioritisation and decision making for policy making and delivery.
  • Engagement with citizen and stakeholder groups for 'open policy making'.
  • Collaborative remote workshops for core project and programme management processes.
  • Repeatable processes for developing business cases, impact assessments, project planning.
  • Remote workshops on risk, benefits realisation and lessons learned.
  • Virtual learning reviews, hot and cold debriefs for operational units.
  • Futures work with including stakeholder analysis and horizon scanning.


£47,350 an instance a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@xleap.net. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

7 0 0 6 8 0 2 2 8 1 9 9 6 1 0


XLeap GmbH John Turner
Telephone: +49 40 6891 4578
Email: g-cloud@xleap.net

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Computers must run Chrome, Firefox, Edge, Opera, or Safari
  • IPads and iPhones require Safari 11 (iOS 11 or later)
  • Android devices require the Chrome, Edge or Firefox browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
4 hours on weekdays.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support is included for technical issues such as access to the service or functionality of a software feature. Technical support does not include consulting on facilitation processes or meeting design.
Support available to third parties

Onboarding and offboarding

Getting started
The appointed administrator receives 90 minutes online training which includes a walk through the administrative options.

Licensed users (users who can run meetings and workshops as Host) are supported in context by extensive and in-depth online help and how-to videos.

Online and on-venue training is available at extra cost.Participants do not require any training or onboarding.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Hosts typically download the automatic report (the minutes) of a meeting or workshop directly after it has ended. This contains all content.

Storage of meetings on the XLeap Center serves the limited purpose of easy in-system re-use of content and meeting processes. Hosts can save the content and process of their meetings to disk.
End-of-contract process
At the end of the subscription period - unless instructed to the contrary - the XLeap Center is maintained for a grace period of 90 days during which the subscription can be renewed. After the grace period, the deployment, its database and all backup files are deleted irrevocably. The customer's administrator is warned/informed of these successive steps repeatedly by email.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile service is functionally identical with the desktop service, except for active screen sharing not being supported on mobile devices.

The layout is responsive, meaning that workspaces will look different on a phone.
Service interface
User support accessibility
WCAG 2.1 A
What users can and can't do using the API
The meeting center supports SSO (SAML 2.0)
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Center administration can (1) control access and authentication requirements, use restrictions etc. (2) brand the login page, holding screen, meeting report.


Independence of resources
The XLeap Managed Server runs with generously allocated dedicated resources. Systems trigger timely utilisation alerts for resources to be increased. This hardly ever happens.


Service usage metrics
Metrics types
Host and participant log in, total and new meetings created in last 180 days. Customizable statistics module.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Hosts typically download the automatic report (the minutes) of a meeting or workshop directly after it has ended. This contains all content. They can also export the content of workspaces to Excel or text.

Hosts can also save meetings (process configuration with content) to disk in XLeap's .xleap-format.
Data export formats
  • CSV
  • Other
Other data export formats
  • Docx
  • Xlsx
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
XLeap commits contractually to 99.9% uptime on a monthly basis, excluding regularly scheduled maintenance times or Force Majeure Events. If in any Account Period this uptime commitment is not met by XLeap and customer was negatively impacted, XLeap shall provide, as customer’s sole and exclusive remedy, a service credit equal to the number of minutes the Subscription Service was unavailable during that Account Period. If the service failed for a consecutive 4 hours, a full day shall be credited.
Approach to resilience
We follow industry best pactice under Amazon AWS's shared responsibility model. Details are available on request.
Outage reporting
Our service is continually monitored via AWS-supplied and other mechanisms. AWS supplies a dashboard. Responses are triggered via APIs and email alerts to XLeap's response team.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Management interfaces fall into three categories: 1. The management interface of the AWS service is protected by username, password and an AWS-supplied token device. 2. Privileged access to productive XLeap systems can only occur via a bastion server which can only be accessed from a defined set of IP addresses and 2-factor authentication. 3. Privileged access by users (customer-appointed administrators) can be limited to separate user accounts with 2-factor authentication or SSO.
User support requests which involve access to customer systems or information are only accepted in writing (email) and verified via a separate channel, e.g. call back.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
Restriction by source IP address.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Bureau Veritas Certification Germany GmbH
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Service is fully covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our security awareness and training policy defines basic and role-based training requirements.
The information security policy follows the ISO 27k standards.
The information security team ensures compliance by a variety of measures verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback. The Infosec team leader reports to the CTO who is responsible for security and reports to the CEO.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap maintains under automated configuration control a current baseline configuration of the information system. The configuration is reviewed annually and on significant change. Older configurations are retained should a rollback be required. Configurations are based on a deny-all permit by exception policy which extends to software permitted to execute on the system. Changes to the configuration are assessed for risks and require approval by the Infosec team leader after testing in the staging network.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap routinely scans of its systems for vulnerabilities with an industry standard vulnerability scanner employing the latest definitions and signatures based on i.a. the NIST vulnerability database and the CWE list. 'Critical' and 'Important' Patches are deployed immediately, 'Low' patches within the day. XLeap subscribes to various sources of security feeds including US-Cert and Microsoft's Security Bulletin.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Amazon AWS is certified to comply with SSAE-16 / ISAE 3402. Under AWS' shared responsibility model, XLeap employs automated log analysis, continuous configuration monitoring and integrity scanning to identify security incidents. Events are correlated by TrendMicro's Managed XDR service. In the event of a suspected breach, the incident response team is alerted directly by email and SMS text for a verification of the incident. Further measures depend on the attack type and vector and the severity rating of the incident which is based on the functional and information impact, the appropriate containment, eradication and recovery strategy and required notifications.
Incident management type
Supplier-defined controls
Incident management approach
Amazon AWS is certified to comply with ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402. Under AWS' shared responsibility model XLeap operates an incident response policy and set of incident response plans for external and removable media, attrition, web, email, impersonation, improper usage or loss/theft of equipment.
Users report incidents by email to a specific email address.
The user's main or designated contact is informed of all security breaches which impact or threaten the function or integrity of their deployment including the findings of impact analysis and measures (to be) taken to contain, eradicate and recover from the breach.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

XLeap enables remote real-time collaboration thereby removing the need travel.
As a company, we follow our own advice working remotely where we can, avoiding travel, and leveraging the efficiencies of virtual computing, cutting our electricity consumption to the minimum.
The electricity we do use is 100% renewables.


£47,350 an instance a year
Discount for educational organisations
Free trial available
Description of free trial
The XLeap trial is limited to 14 days and includes the full functionality for Hosts (the person who can plan and run meetings and workshops) and participants. The meeting report and the export of content are cut off after 10 line items per workspace.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@xleap.net. Tell them what format you need. It will help if you say what assistive technology you use.