Skip to main content

Help us improve the Digital Marketplace - send your feedback

Cyber-Duck

Headless CMS Development (Storyblok/Drupal)

Cyber-Duck can help you select the headless CMS that’s right for your organisation and implement it across all your channels, through native or custom APIs. We can help you personalise your UX with automation and AI.

We integrate CMSs with Google Analytics, CRMs, Algolia/Elastic search, automation and personalisation tools.

Features

  • Headless CMS development and testing
  • Low and High Fidelity Prototypes for user journey validation
  • Sandbox environments for training and approvals
  • Enterprise CMS features out of the box
  • Customisable publication workflows
  • Dynamic forms management & 3rd party integrations
  • Multiple content types
  • Dynamic "drag & drop" layout builder
  • Taxonomy and tagging features
  • Analytics tracking, reporting and conversions monitoring

Benefits

  • Greenfield and Brownfield development capabilities
  • ISO27001 Cyber Essentials Plus Certified for information security
  • ISO9241-210 Accredited User Centred Design Process
  • Accessibility/Inclusivity solutions in-line with WCAG standards
  • Dedicated multidisciplinary team, embedded in your organisation
  • Lean Agile methodology, overseen by SCRUM certified Project Manager
  • ISO9001 certified for quality management and customer satisfaction
  • ISO14001 certified for sustainability

Pricing

£450 to £1,500 a unit a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at DX-Tender-Team@caci.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

9 3 6 4 4 1 5 1 1 9 5 0 8 3 5

Contact

Cyber-Duck Matt Gibson
Telephone: 02089530070
Email: DX-Tender-Team@caci.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
The organisation (client) should cover any licence fees for proprietary services that are requested as part of the service. If open source software is being used, this will not be required.
System requirements
Licences for any commercial or proprietary application

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary depending on the severity (urgency) of the issue:
Severity 1 (most urgent) - 2 hour maximum response time
Severity 2 - 24 hour maximum response time
Severity 3 - 24 hour maximum response time
Severity 4 (least urgent) - 24 hour maximum response time

Out of hours and weekend support is available at additional cost, and would follow the same structure.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Service Level Agreement:
Urgent issues - Response within 2 hours, resolution within 24 hours.
High priority issues - Response within 24 hours, resolution within 5 working days.
Normal issues - Response within 24 hours, resolution within 2 weeks
Low priority issues - Response within 24 hours, resolution within 4 weeks or next major deployment.

Cost: per our rate card.

Resource: Quality Assurance Analyst to manage the issue and relevant engineer from our technical team to resolve the issue. Free account management is also provided.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We can provide training and release notes throughout the project as well as end user documentation.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
All content can be extracted in raw format from the database (into CSV or other common formats) and via an API if it needs to be migrated to another platform.
End-of-contract process
Transferring the technical and billing contact of the cloud software solution to your team is included in the contract. Any training, data and assets migration or termination of services would need to be scoped and quoted for.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
N/A
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
We rely on the API provided by the open-source platform used (Drupal, Laravel...)
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
We will work with the buyers to define the requirements and permissions around customisation of the themes, admin settings, form rules and publication workflows.

Scaling

Independence of resources
We set up each hosting account individually with no shared resources between users.

Analytics

Service usage metrics
Yes
Metrics types
The Content Management Platforms will come out of the box with basic analytics and usage metrics. We can configure more advanced solutions such as Google Analytics or corporate audit log monitoring tools.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export their data via the Admin area or with direct but restricted access to the database.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • JSON
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We rely on the SLA provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia) which is usually at least 99.99%. We also guarantee P1 response time within 30 minutes and provide service credits if we fail to achieve those SLA.
Approach to resilience
We rely on the resilience provided by the underlying hosting provider and core platform used for the cloud software. Our engineers guarantee an additional layer of support for all requests.
Outage reporting
We report service outages by email alerts by default. We can deliver custom workflows into back-office systems or other internal tools.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels
As per our ISO-27001, we enforce MFA and group policies to access to all management inferfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
22/08/2016
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
ICO Tier 1

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO-27001 and Cyber Essentials Plus certified.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use source code versioning, peer-reviews and database monitoring tools to track and assess any configuration and change management process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
For all cloud software platforms, we rely on the vulnerability management process provided by the open-source community. Once notified, we have our own policy to respond and process such vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
For all cloud software platforms, we configure secure cloud hosting solutions including tracking and monitoring tools. We provide SLA to respond to any incident or compromise with an optional 24/7 upgrade available.
Incident management type
Supplier-defined controls
Incident management approach
We follow our ISO 9001 and ISO 27001 policies to manage incidents. These can be triggered by our automated monitoring or raised by users via our email or phone helpdesk system. Once the incident is resolved, we provide a full root cause analysis in a post-mortem report.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Fighting climate change

Cyber-Duck is ISO14001 certified, and has published a detailed Carbon Reduction Plan, available on our website.

We have set a target of being Net Zero by 2035 for greenhouse gas emissions and, as part of our Carbon Reduction Plan, report on progress annually.

We provide staff with support for purchasing electric vehicles, and encourage staff to use public transport where feasible. We also offer staff the opportunity to sign up to the Cycle to Work Scheme.

We operate a hybrid working policy, with staff working remotely the majority of the time. Face to Face meetings and office days are planned in advance, and where meetings can be done remotely, this is encouraged.

Other actions we take to reduce the carbon footprint of our business is how we manage file transfers. Emailing large attachments to multiple recipients consumes a lot of energy, and in our line of work we can send large design files or presentation documents. Instead, we host documents on a central repository, such as DocSend for sales materials, and only send a link to the recipient, saving a considerable amount of energy.

Finally, we work proactively with our clients to support them in their own missions towards Carbon Net Zero. We do this by ensuring their websites and other digital products are hosted on architecture that is powered by renewables, and by optimising the user journeys and flow of data, we can cut the amount of energy dedicated towards powering our products.
Covid-19 recovery

Covid-19 recovery

Cyber-Duck is committed to supporting both staff and the wider community in recovering from COVID-19. To that end we have developed robust procedures to both maintain operational capabilities, whilst ensuring staff are supported both in their day-to-day work, and in their emotional and physical wellbeing. This includes:

1. Providing new employment opportunities regardless of location. We employ people based on talent, skillset and compatibility with our community, regardless of location. We operate hybrid and remote working, and ensure all staff have the tools required to work to their full capacity.

2. Support for those affected by COVID, and those shielding. As a hybrid company, we can facilitate remote working for those who are vulnerable. Where in-person meetings can take place, social distancing is supported where possible. As a global organisation, all meetings are virtual and we facilitate those at risk through providing the tools to join remotely.

3. Supporting businesses and clients by offering fully remote capabilities including support for new and unfamiliar ways of working. Every member of our team is trained in working remotely, and we are tech-agnostic, meaning we work with the tools best for our client.

4. Supporting physical and mental health of those affected by COVID-19 through well-established policies and procedures. All Senior Management and Leaders are trained Mental Health First Aiders, and we also offer all staff access to counselling, gym memberships, and support to maintain physical health.

5. Improving workplace conditions through supplying staff with all relevant required tools, including laptops, additional screens and funding to set up home offices as required. We also offer sustainable travel solutions including support for staff in purchasing electric vehicles, and providing access to the Cycle To Work scheme.
Tackling economic inequality

Tackling economic inequality

In-line with Cyber-Duck’s Diversity & Inclusion (D&I) Policy, Cyber-Duck has implemented a Gender Pay Gap policy and will voluntarily produce a Gender Pay Gap report from next financial year: introducing transparency to promotion, pay/reward processes. We will calculate the difference between the mean/median/hourly rate paid (salary/bonus) for all full-paid relevant employees, accompanied by the banding, to male/female employees.

Within 6 months of calculating our gender pay gap statistics, we will develop an action plan to be applied in the following 12 months, aiming to reduce or remove any pay/promotion disparity. Wherever possible, the plan will contain actions which have specific targets or timelines that can be objectively measured. Cyber-Duck is proud to already be an Accredited Living Wage and London Living Way employer.

We hire staff that are the mutual best-fit, in terms of culture and expertise, regardless of their background or circumstances. HR and Line Managers create adverts that clearly explain the role and our inclusive culture. We ensure equality/accessibility, without discrimination, to work opportunities for those with protected characteristics.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales, Girls in AI, London Pride, AXSChat, and 1,000 Black Voices.

Our end-to-end process for Learning & Development is integrated with our HR systems, to ensure it’s part of our team’s day-to-day. It includes previous (30%); on-the-job (40%); CPD (20%) and specialist external training (10%).

We’re always looking to improve our male/female balance (67/33%) and diversity: 13% of our team are black, 27% are “Black Asian and Ethnic Minorities”, 31% are white (non-British), and 42% are white (British).
Equal opportunity

Equal opportunity

Cyber-Duck applies its Diversity & Inclusivity Policy that explores how we can safeguard protected characteristics like gender. We’ve committed to the Miscarriage Association’s Pregnancy Pledge, ensuring we have supportive policies around pregnancy-related leave including pregnancy loss and illness, and the Menopause Policy, raising understanding for health challenges caused at that time.

HR and Line Managers create adverts that clearly explain the role and our culture of inclusivity. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales and Girls in AI.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/assessment tasks/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities.

We have implemented a Gender Pay Gap policy, introducing transparency to promotion, pay/reward processes. We calculate the difference between the mean/median/hourly rate for all full-paid relevant employees, accompanied by banding, to male/female employees, which determines actions aimed to reduce or remove any pay/promotion disparity.

We are members of the International Association of Accessibility Professionals and are expert in providing digital services utilising assistive technologies. We are also members of the Royal National Institute of Blind People, and have provided training to staff on ways to ensure accessibility and inclusivity is at the forefront of all day to day operations.

We monitor progress using Progression App, enabling leadership to identify areas where staff require additional support, including assistive technology and measures, to enable staff to carry out their duties and progress to higher paid roles within Cyber-Duck and develop new skills. We are passionate about supporting our staff, contractors and the people we work with and these measures ensure that no one from protected characteristics, disability, disadvantaged or minority backgrounds are held back from achieving their full potential.
Wellbeing

Wellbeing

Focusing on health and wellbeing is especially important to Cyber-Duck. We hold a weekly company-wide townhall with all staff, openly sharing news and challenges together. We also use it as a safe space for open dialogue and active listening on internal or external topics affecting the team.

Mental health is very important to Cyber-Duck; 15% of Cyber-Duck’s team, including most of the company’s senior management team are certified mental health first aiders, trained by MHFA England. This means they are familiar with the signs of poor mental health, and are competent and confident in assisting with a mental health problem in a non-judgemental way.

We have implemented a Mental Health Policy which includes an active employee toolkit and references to external guidance. Measures include: Encouraging audio-only walking meetings, encouraging team members to take breaks and go for walks, and offering flexible working hours.

We monitor the team’s well-being through FridayPulse, a platform that uses NPS-style Happiness KPI functions, team building tools, culture profile and predictive people analytics.

Using the FridayPulse platform, each department holds weekly meetings to discuss social and emotional well-being. Line managers also hold monthly 1:1 meetings to build deep and qualitative feedback loops with their teams. Our CIPD qualified HR team also regularly meets to staff to support them in an impartial manner.

Voluntary reporting mechanisms on wellbeing/mental health are shared via HiBob, our second HR platform, every quarter. Environment questions explore whether staff’s work environment is comfortable, enabling effectiveness and productivity; if they had the equipment and resources required; and whether their setup is conducive to healthy remote working in the long-term.

Employees have access to benefits such as the Healthcare cash plan that rewards healthy living habits such as exercise or meditation; access to counselling, doctors, and resources; gym memberships; remote mindfulness and yoga sessions.

Pricing

Price
£450 to £1,500 a unit a day
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at DX-Tender-Team@caci.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.