Skip to main content

Help us improve the Digital Marketplace - send your feedback

  1. Digital Marketplace
  2. Lot 2: Cloud software
  3. Umbraco CMS Deployment and Development
Factory73 Ltd

Umbraco CMS Deployment and Development

Our service provides the delivery of a modern, responsive website underpinned by the powerful and flexible Umbraco content management system (CMS).
This CMS enables rapid content generation, is scalable and is always focused on the end user and content manager to provide the best possbile viewing and editing experience.


  • User-centred strategy on design
  • Customer-friendly, attractive and easy to use
  • Supports book/ apply/ report/ pay functionality for all relevant service
  • Fully conforms with W3C Web Accessibility Initiative (WAI) standards.
  • Wide experience of designing around the user experience and journey
  • Popular WYSIWYG editor and easy to navigate, intuitive menu structure
  • Templates and pages can be previewed on different viewports


  • Content can be easily uploaded and updated
  • Supports self-service and integrates with our other digital solutions
  • Follows Government Digital Service design principles
  • Level AA Conformance to Web Content Accessibility Guidelines 2.0
  • Helps join up systems across organisation
  • Fast access to information saves time and money
  • Customer experience enhanced considerably


£700 to £900 a person a day

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

7 5 7 8 7 0 4 0 6 1 5 6 4 2 5


Factory73 Ltd Graeme McClurkin
Telephone: 0141 416 0733

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Factory73 will perform non-essential updates on a defined schedule, normally outside of standard working hours. Customers will be given at least 2 weeks’ notice where possible of scheduled maintenance tasks. Essential updates, e.g. security patches, would be installed at the first available opportunity, to be agreed with the customer.
System requirements
No specific requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support response times:
Priority level/ Response Time - 1) 30 minutes 2) 1 hour 3) 4 hours 4) 1 day. By agreement for weekends and bank holidays.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
• Standard support level per SLA included in service cost
• Alternative levels of support by agreement
• A service manager is part of our standard service
Support available to third parties

Onboarding and offboarding

Getting started
A set-up facility and full user documentation is provided. Training (including) online training is available
Service documentation
Documentation formats
End-of-contract data extraction
A wide variety of formats and platforms are supported for secure export. Factory73 can provide a "data out" policy if required.
End-of-contract process
• All client data returned to client
• All client access deactivated
• Relevant secure processes fully applied
• Above at standard cost

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
All of the projects we develop are designed to perform brilliantly on devices of all sizes as we adopt User Experience and accessibility best practice whilst ensuring the designs are responsive.
The content editing experience is also responsive although as is the case with all Content Management Systems, the editing experience can be somewhat cramped on a mobile device.
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
What users can and can't do using the API
Core functions through web services. User authentication. Document upload. Key metrics retrieval. Service requests cannot be configured directly through the API but can be called via the API once configured on the platform. Changes can be made through the API via web-service calls. Configured service requests can be called via the API but not setup via it.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
• Scope for localisation of software
• Customers can use configuration tools
• Users can customise


Independence of resources
We ensure a fully scalable, yet cost effective, service exists through auto-scaling of cloud services both horizontally and vertically, utilising scalable cloud databases, use of Content Delivery Networks and enhanced service monitoring. Most importantly however, we demand highly efficient code within our products, so the core platform performs well under load in the first instance.


Service usage metrics
Metrics types
• System availability
• Response times
• Unscheduled outages
• Incident response times
• Incident resolution times
Reporting types
Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
A wide variety of formats and platforms are supported for secure data export
Data export formats
  • CSV
  • Other
Other data export formats
  • CSV
  • Other
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
• Service Availability 99.5% (uptime) per month
• Service Availability Window 7*24 hours (all days) – 24 hours a day
• Response time for accessing screens - Should be within 3 seconds (at a minimum) 99% of the time
• Response time for searches Response time for basic system searches for information and return of results system should be within 5 seconds 97% of the time

Factory73 will work with each of our customers on an individual basis to determine if a recompense model is required to meet the needs of the specific council or public department/ organisation.

We strive to exceed, wherever possible, our SLA targets for service levels. In the unlikely event of failure to meet our SLA targets we would invoke the agreed process which would award an appropriate level of service credits by way of compensation.
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Access is managed via User Groups and Permissions roles. Only Factory73 Administrators can access systems to change user permissions, which are on the whole pre-defined and hard coded within our platforms. User Management can be delegated to client administrators, however they must work within these pre-defined role and permissions structure.

All user passwords are hashed through many iterations to achieve a high work factor, making them very difficult or impractical to brute-force.

We require 2 Factor Authentication for any top-level administrator.
Access restriction testing frequency
Less than once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials
Information security policies and processes
We have a full set if InfoSec policies in place which all staff, clients and partners are aware of and have signed up to. These include:
•IT Acceptable Use Policy
•Data Security Policy
•Data Protection Policy (GDPR aligned)
•Risk Assessment Policy
•Firewall Management Policy
•Anti-Malware Policy
•Change Management Policy

All technical team staff report to the Technical Director on all data security issues. Our Technical Director is our Data Protection Officer and takes a hands-on role in all security-related areas of the business.

•Staff handling of data is managed through a variety of measures and processes:
•Personal data is not used in development of any services
•Personal data does not leave our production environment
•All data and backups are encrypted
•Staff access to systems and databases is provided based on direct need
•Spot-checks are carried out on development databases, company servers, and staff laptops
•Endpoint security is centrally managed, including anti-malware, patch management and laptop firewall
•All staff are aware that any breach of the above policies is a disciplinary issue

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All code changes are tracked in our Source Control where we use the GitFlow process of branching and merging.

Use of Automation Pipelines tracks version numbers allowing us to run multiple releases side-by-side. This system also runs Continuous Integration build and automated testing, and releases are rolled back easily should an issue occur.

All releases are documented with a full changelog.

All development work is carried out to a high standard, by security-aware developers. Code is peer-reviewed prior to release, and we build on existing, secure frameworks. All our developers are aware of OWASP top threats and coding standards.
Vulnerability management type
Vulnerability management approach
• monitors information systems to detect attacks and/or signs of potential attacks, including unauthorised network local or remote connections.
• deploys monitoring devices strategically within information technology environment to collect information security events and associated information.
• protects information obtained from intrusion-monitoring tools from unauthorised access, modification, and deletion.
• monitors inbound and outbound communications traffic to/ from the information system for unusual or unauthorised activities or conditions.
• heightens the level of information system monitoring activity whenever there is an indication of increased risk to Meritec operations, individuals and assets.
Protective monitoring type
Protective monitoring approach
Our Protective Monitoring processes comprise a set of control alerts and reports that provide feedback to those with responsibility for monitoring and addressing compromises. This includes such information security control activities as inspecting firewall logs, investigating operating system security alerts and monitoring Intrusion Detection Systems (IDS). Our Protective Monitoring also includes putting in place mechanisms for collecting ICT log information and configuring ICT logs in order to provide an audit trail of security relevant events of interest. Compromises and incidents are immediately logged, analysed and rectified.
Incident management type
Incident management approach
The Factory73 ITIL compliant support desk called ServicePoint is responsible for receiving requests and notifications regarding user help and support. Incidents are allocated unique identification and calls are monitored and if necessary escalated as appropriate. The output report(s) provide part of the preparations that the Service manager will use at the next Service Management meeting. Given due authorisation levels it is possible for client staff/management to access the calls database and enquire directly regarding status, progress, etc.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Public Services Network (PSN)

Social Value

Equal opportunity

Equal opportunity

Factory73 are committed to following Fair Work Practices that are based around:

• Providing an effective voice
• Opportunity
• Security
• Fulfilment
• Respect


£700 to £900 a person a day
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.