Skip to main content

Help us improve the Digital Marketplace - send your feedback


Legend by Xplor - Leisure Management Software

Our leading, easy-to-use software helps sports, leisure, and recreation centres, communities, clubs,federations attract and retain customers, spend less time on admin,deliver a great experience. With online booking, scheduling, access control, payments, reporting, management, self-service, and automated mareting, Legend is everything needed to run business, grow your revenues, build leisure community.


  • Fully managed SaaS solution
  • Fully hosted service
  • Disaster recovery and backup as standard
  • Fully responsive online member portal
  • Built-in KPI dashboards and Business Intelligence (Reporting)
  • 24x7 support with remote access to system
  • Open architecture with full access to API library
  • Integrated DD solution with realtime updates
  • Software upgrades every 4-5 weeks
  • Self-Service capabilities including online and mobile platforms


  • Configure multiple sites from within the one database
  • Reduce third party integrations with single solution
  • All users have access to the staffed support desk 24x7
  • Schedule reports to be produced and sent via email
  • Track company progress with dashboards and targets
  • Automate customer journey marketing campaigns
  • Reduce front desk staff pressure with Self-Service software
  • Members manage their own account through online portal
  • Optional outbound calling campaigns to re-engage and retain members
  • Access to end-to-end service for revenue collection with contact centre


£79.00 to £119.00 a user

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

8 4 4 1 7 8 2 6 1 7 2 9 1 2 6


Telephone: 02038 301 400

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
No, all maintenance is conducted with no downtime experienced
System requirements
  • Supported Microsoft Windows Operating Systems (Windows 10 or above)
  • Latest versions of Microsoft Edge, Google Chrome
  • Browser: IE 11.0 (or later)
  • Citrix Receiver 4.9 LTSR
  • Processor: Pentium 2 upwards
  • Hard Disk: minimal500 MB of available space is required
  • Display: 1024 X 768 high colour, 32 bit or higher
  • Mozilla Firefox, Safari – must support TLS 1.2 and above
  • Google Chrome (preferred)
  • Tablets for use with the Program Registration software

User support

Email or online ticketing support
Email or online ticketing
Support response times
Incidents are acknowledged depending on their Priority, as detailed below:
Priority 1 = 1 business hour
Priority 2 = 3 business hours
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Legend provides a support desk 24 hours a day 7 days a week to all customers at no extra cost. We also provide an online service to raise and monitor tickets as well as 'Legend Bytes' which is an online Wiki which provides documentation on Legend modules. Legend Bytes supports a 'fuzzy search' to enable customers to be directed to the exact documentation they require.
All staff users have access to Legend support.
Support available to third parties

Onboarding and offboarding

Getting started
Legend has adopted the internationally recognised project methodology of PRINCE2 for delivering projects in partnership with our clients. Legend conducts training onsite with the customer in groups of up to 15. The training is split into specific categories and is tailored to the specific customer and the modules they have selected. As standard Legend will conduct Front of House, Back of House and Super User training and all training sessions are supported with documentation. If the customer selects added value modules such as KPI reporting or Active Outcomes then an extra days training is required to ensure they are fully trained in the specialised modules.
Legend also has the option to provide online training which can be used for initial set up or ongoing training for new starters. All new customers will be given a project manager through out the implementation and a project tracker which is managed by the Legend PM and customer PM ensuring the project is delivered on time and implemented exactly how the customer requires.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data is readily available for extraction by using the Legend Reporting tools. The format of the extract will be CSV. Where specialist intervention is required from Legend, you should expect to pay the full daily rate. Legend will always work to minimise the likelihood of this additional cost being incurred.
End-of-contract process
Legend shall:
a) return all Customer Data held by the Supplier to the Customer within thirty (30) days of termination in an industry standard format and on an industry standard media, or as otherwise mutually agreed;
b) destroy or delete any copies of the Customer Data on the earlier of: (i) ninety (90) days from the date of termination and (ii) fifteen (15) days of the request of the Customer, and provide; and
c) upon written request of the Customer, execute and deliver to the Customer a certification that all Confidential Information of the Customer including all Customer Data, has either been returned, deleted or destroyed.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
All of Legend's web modules are fully responsive and therefore no difference between mobile and desktop service.
Service interface
User support accessibility
None or don’t know
What users can and can't do using the API
Legend has a robust API library which is available upon request which allows customers IT teams to access the APIs they require.
Legend's integration options currently include the following:
RESTful WebApi APIs for retrieval of prices, timetables, Member information and supporting data.
RESTful WebApi APIs for creating members account-holders and prospects.
SOAP based APIs for creating accounts, discovering pricing, polling for changes (these are being deprecated in favour of RESTful services).
Timed export of reports in various formats to (secure) FTP, email or shared Legend folders.
Synchronisation service to export data to SOAP or RESTful WebApi services on internal changes.
Interface points for querying external systems for account synchronisation, payment card updates and other data from point of sale.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
Legend offers a heavily customisable service that is configured alongside our customers staff throughout the implementation project. There are numerous areas of Legend that can be customisable some highlights being:
-Front of House
-Sports Courses Module
-Active Outcomes (GP Referral Module)
-Customer Communications
-Prospecting and joining

In each instance there is a massive amount of functionality that allows customers to configure their own workflows, layout and configuration. Legend allows the configurable areas of the system to be extremely granular for example Active Outcomes can be built by the customer from available schemes to the individual healthcare workers that could refer a member.

Users can customise Legend in a easily in separate configuration sections of the system that is reflected instantly on their live system. Legend provides a fully managed SaaS solution including its own active directory user setup. Customers are then responsible for the assignment of security groups. It is only staff who have the relevant security clearance (selected by the customer) that can configure the system, it is completely down to the customer who has access to do this. The security groups are as well completely configurable.


Independence of resources
All Legend’s systems are scaled to meet enterprise performance levels of responsiveness and redundancy.
Legend is a Windows Enterprise solution running on a virtualised infrastructure in a private cloud run on Legend’s servers with load balancing within the infrastructure and capacity planning.


Service usage metrics
Metrics types
Logins over time and data volumes are provided through real-time dashboards and regular reports.
Legend also provides customers with monthly dashboards keeping them updated with the amount of support tickets that have been raised, investigated and closed. The dashboards allow customers to see detail on how the tickets were closed and by which department.
Legend also supplies a customer scoresheet which shows the spread of bookings I.e. online, self-service or in house. Legend also provides details on the amount of users, risk scores and financial income.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Other data at rest protection approach
Optional TDE
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Legend provides full access to Legend reports where customers can extract all member data from the system and export in XLSX, CSV or PDF.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XLSX
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), monthly network scans and periodic external penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed, and server hardening and patching policies in terms of our ISO 27001 processes. All key systems are monitored 24x7 ongoing.

Availability and resilience

Guaranteed availability
Our standard uptime target is 99.95%
Approach to resilience
High Availability (HA) configurations with redundancy in all aspects including databases clustering, enterprise SAN, virtualization and load balancers, along with N+2 host server configuration.
Outage reporting
Outages are reported to our customers through incident notifications, via e-mail

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Other
Other user authentication
Users are initially authenticated within our Active Directory domain. Once successful at this stage, they must also authenticate against the Legend database. Their workstations must also be registered within the system otherwise, access will not be granted.
2FA is available as an optional service.
Access restrictions in management interfaces and support channels
Management access is restricted to specific pre-authenticate users. Some areas are only accessible over a VPN (with IP based whitelisting) and other areas are only accessible through MFA (mobile token)
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
All management access requires usernames and passwords to gain initial access onto the system. For certain functions, this must take place over a dedicated VPN (with IP based termination). For sensitive areas of the system, users must also use MFA to gain access (second token is a mobile device)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
Self certified
PCI DSS accreditation date
What the PCI DSS doesn’t cover
All services provided by Legend relating to Membership Management are included in the scope.
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
ISO27001/ISMS. The Management team reviews the ISMS quarterly looking closely at risk, new standards, incidents, audits and corrective actions seeking to continuously improve the system
All staff are given training on Information Security and the Legend ISMS as part of their induction process. Annual refreshers are conducted in the form of briefings and staff surveys to test understanding and awareness. Developers regularly hold briefing sessions on threats pertinent to coding and system administrators regularly review infrastructure threats. Management periodically tackle scenarios to role-play situations and ensure preparedness to respond swiftly in event of an incident.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
As part of our ISO27001 and ISMS procedures, a full change control process is followed for any change in components, services or configuration. This includes a full security assesment.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
The Legend solution has a number of independent security measures to detect and block any attacks originating from an outside source. This includes firewall intrusion detection and intrusion prevention monitoring (IDS/IPS), quarterly internal network scans and quarterly ASV scans, and annual penetration tests to ensure identification of vulnerabilities on a proactive basis so that these can be addressed. Server hardening and patching policies are also in place and governed by our ISO 27001 processes. All key systems are monitored 24x7.
All known vulnerabilities are logged in a risk register as part of our ISMS processes and tracked until closure.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Legend has a set SLA for support incidents covering system recovery. For Information Security incidents we follow our Incident Response Plan. This is backed up with a detailed Incident Response Process which forms part of our ISO27001 certified ISMS.
This will be dependant on the failure, if for instance there is total failure, whilst waiting for system recovery through Disaster recovery or other means, it will not be possible to send a system message to users through Legend. However, Legend has a documented process for contacting your key staff members to inform and help disseminate information on system status.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

We have made a commitment to net zero by 2025.
We plan to scope, publicly report on and reduce our scope 1, 2 and 3 carbon emissions globally as part of our Environment, Social, Governance (ESG) strategy. We will be commencing that work in 2022.
We have identified that our major sources of emissions are business travel, offices and cloud computing. Our first step will be carbon offsetting for all our business travel which we will do in 2022. Our cloud computing partners (Microsoft and AWS) have measurement tools that can help us measure, track and offset our emissions from cloud computing


£79.00 to £119.00 a user
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.