Bubble Ltd.

Bubble PPM - Project Portfolio Management Software

Bubble PPM is a powerful project and portfolio management software. Dashboards and metrics provide outstanding visibility and control for senior management, while process models support project governance and team collaboration. A single source of truth for fact-based decision making and project management, it’s highly configurable, quick-to-deploy, easy-to-use and well supported.


  • Portfolio Dashboards (Fully configurable to plan / monitor investments)
  • Real-time Portfolio Analysis & Scenario Planning Tools
  • Critical path analysis
  • Supports waterfall and hybrid project management processes
  • Business Case, Financial and Risk Management tools
  • Project Selection and Prioritisation tools (e.g. Balanced scorecards)
  • Project Process Governance and Management
  • Fully configurable Metrics (e.g. 1-click Chart builder / Reporting tools)
  • Resource, Task & Capacity Management Tools
  • Personalised / Team Task Lists, Timesheets, etc.


  • Better performing portfolios (in both the short and long term)
  • Productivity and efficiency gains across all projects
  • A flexible and usable system that’s quick to deploy
  • Improved visibility and control at both portfolio & project level
  • Forecast future resource needs and ensure they are balanced
  • Ensure projects align to strategic goals and interdependencies are clear
  • Shorten project leadtimes
  • Highlight, monitor and manage Project Risks
  • Streamlined / simplified reporting at both portfolio & project levels
  • Multi user and remote access to aid team collaboration


£25 to £45 a user a month

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at peterhoyland@bubblegroup.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

9 4 0 5 2 7 1 5 8 7 1 4 0 6 3


Bubble Ltd. Peter Hoyland
Telephone: 01223 852 664
Email: peterhoyland@bubblegroup.com

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Bubble PPM software has a better than 99.9% availability record, including minimal downtime for scheduled upgrades. Required maintenance slots are typically bug fixes, minor improvements and system enhancements.

Maintenance slots are usually performed outside of client business hours. EU hosted instances are updated between the hours of 06.00 and 08.00am (GMT).

Generally planned maintenance slots require less than a few minutes of downtime per week (clients are advised in advance if outage is anticipated to be longer than 30 minutes).
System requirements
Modern Web Browser (Chrome, Safari, Firefox etc)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our cloud software includes: User support desk, help site and ticket resolution, and a Personal account contact point (for key stakeholders). Support requests and tickets are monitored continuously (including weekends/public holidays - during which time urgent/critical requests are addressed). Bubble have 4 support level standards for response. Severity 1 incidents are addressed 24 x 7. All other severity incidents are supported 07:00 – 18:00 (GMT) Mon – Friday. During this time, we have a target response time of 1 hour for severity 1-2 incidents, 4 hours for severity 3 incidents, and 1 working day for severity 4 incidents.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
During the deployment phase of our software, the following support is provided as part of the one-time set up fee:
• Initial system configuration
• Setting up of the customer data archives
• System validation
• Deployment of the customer instances (Production and Test)
• Initial user training for up to 50 users.
• Support for initial population of system data.

Additional user training, if required, can be organised separately as part of our Lot 3 Bubble PPM Cloud Support services.

Once deployed, the following support is provided as part of the license fee, at no additional cost to the customer:
• A range of on and off-line training support materials (e.g. Quick Start Guides, Help Sheets and ‘How-To’ Videos)
• Online help site
• Live help desk (e.g. direct emails and ‘feedback’ button)
• All clients have an Account Manager with whom they can address all aspects of the software and service.
Support available to third parties

Onboarding and offboarding

Getting started
Bubble PPM software deployments are performed by our specialist consultants who work with each customer to define a configuration document. Through this process, we identify deployment objectives; process scope; process models; financial models and metrics; training and technical support needs. Each implementation is configured to suit the individual customer's needs, so there is no absolute rule for timings of deployment. However, depending on the degree of configuration required, an initial instance of the Bubble PPM software can be made available to system administrators within 2 weeks of the award of the contract, and a fully configured system is usually ready for deployment within 6-12 weeks. The deployment process focuses the customer’s implementation needs and the formalization of delivery requirements. This commonly includes (remote or in person) workshops to define: - Process models - Roles and responsibilities - Financial models - Resource management - Governance and relevant business processes - Metrics, dashboards, and reports - Interfaces with other processes - Training and roll-out planning. Once the system has been configured we go through a sequence of: - User acceptance testing - Training for users - Training for Administrators/superusers.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Bubble will make all reasonable efforts to provide data in a format that customers require. Our Bubble PPM software has a number of existing API endpoints that can be utilised by 3rd party applications to transfer data to, and read from, the system (e.g. retrieve detailed project and financial data from the system and / or export data to other systems). Almost all data can be accessed via report building function and this can always be exported into Excel.
End-of-contract process
Upon termination of the Bubble PPM Cloud Software contract, the customer can access: • A secure site to retrieve archive export file of data for 60 days. • Relevant files, logs, configuration data such as: - Database data - Database metadata - Document attachments - Customer specific application archives During this time the Bubble support team remain available remotely to assist with general customer inquiries or questions (at no extra cost). On-site or bespoke requirements (outside the remit of the original contract) incur an additional charge.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Desktop service is usable on mobile devices
Service interface
User support accessibility
None or don’t know
Description of service interface
As an end-to-end Project and Portfolio Management web application, Bubble PPM has multiple service interfaces. The system includes a range of text, data and image based modules/sub-modules.
Accessibility standards
None or don’t know
Description of accessibility
Generally speaking all modules (and sub-modules) are broadly accessible, but due to the multifaceted nature of the software, some advanced functions are not compliant with WCAG guidelines.
Accessibility testing
Have carried out limited selenium tests on main modules within the application.
What users can and can't do using the API
We use our API to integrate and interface with a variety of 3rd party tools. Bubble PPM supports API calls for extracting data from its platform using REST API calls. Options are:

- Pre-existing REST API
- Webhooks via IpaaS

Integrations form part of the Bubble PPM optional Cloud Support services (searchable under Lot 3 - Cloud Support Services)
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Bubble PPM software offers a very high degree of configurability at both the system and individual user levels. This includes, but is not limited to, configurable: • Portfolio & Project Dashboards. • Process Templates. • Planning Tools (i.e. Roadmaps, Scorecards etc). • Charting & Reporting Templates. • Project & Delivery Milestones. • Project Descriptors. • Allocation of Resources / Tasks. In addition, there is a finely grained permissions system that enables the client administrators to control access and functionality levels for every user.


Independence of resources
As a web-based system, Bubble PPM allows simultaneous access, communications, and project progression. There is no upper limit to the total number of users, user types or projects that the software can support at a given point in time. Our AWS hosting enables us to scale our capacity at will.


Service usage metrics
Metrics types
The application monitors and logs all user access. System access and service usage metrics are restricted to Super Users / Administrators. Other user types are governed by the Bubble PPM permissions model (e.g. most user types can select a wide range of project and portfolio metrics, such as project progression status, completed tasks & milestones/risk flags and other information). Permission to view metrics data can be granted to users on a per-project basis or by role type.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Bubble PPM data is stored on PostGres database instances provided by AWS Relational Database Service (RDS). These instances are upgraded automatically by RDS when new versions of PostGres are available. Data is encrypted both in transit between the database and application layers and at rest in the database. RDS provides the capability to restore the database to any point in the last 35 days to a 5-second resolution.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be seen live and at all times within the system or exported in a variety of common formats. There are a number of standard project reports available via a 1-click download feature. This includes project-to-a-page, launch / go-live reports, and key milestone reports. The report builder tool also allows users to select any metric, data table or project information to create bespoke tabulated or chart views and reports. Exports are configurable and provide options for numeric, text commentary, status summaries, and RAG indicators etc. Output formats are editable Excel spreadsheets, PPT or PDFs
Data export formats
  • CSV
  • Other
Other data export formats
  • MS Excel (e.g XLS / XLSX)
  • PDF
  • PPT
Data import formats
  • CSV
  • Other
Other data import formats
  • MS Excel (e.g. XLS / XLSX)
  • Images can be uploaded in Tiff, JPEG, PNG formats
  • Attachments can be uploaded in any desired format
  • Manual input to system

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Bubble PPM software has a better than 99.9% availability record, including minimal downtime for scheduled upgrades.
Approach to resilience
Kubernetes pod rolling restarts on failure, in data centre resiliency to outages. Active / passive cross data centre resiliency is available on request but may incur additional charges.
Outage reporting
In the unlikely event of a system outage, Bubble have a procedure in place to alert users. Administrators / Super Users and key contacts would be sent an e-mail alert from a recognised contact within the Bubble support team. Bubble's e-mail system resides on servers which are unrelated to our application servers.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Data input is only permitted from authorised users and only authorised users can view system output. Designated system administrators have access to a detailed permissions system which can control user access to both project and system level content.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
Original accreditation date: 16/12/2019. Last audit: October 2021
What the ISO/IEC 27001 doesn’t cover
All data handling operations at Bubble are covered by our ISO certification (e.g. payroll, application development, data transport security etc).
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
Amazon Web Services (AWS) holds ISO 27001 certification.

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
Bubble has written policies (available on request) governing key aspects of information security relevant to the service. They include policies on: • IT Security • Security Awareness and Communication • Logical Access • Physical Access • Security Monitoring • User Authentication • Incident Management • Asset Classification and Management • Systems Development and Maintenance • Personnel Security • Change Management Separate policies cover our development and administration processes, technical infrastructure, networking, application layer frameworks.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Bubble uses SAFe Lean Enterprise 5.0 as its development methodology, with Scrum and Kanban as the day-to-day drivers of agile ceremonies.

Specific secure by design attributes include:
• Formally documented data privacy requirements in all work items.
• A secure development training program for all software engineers with annual refreshers, completion of which is evidenced and recorded.
• Integrated data privacy tooling within software engineering development environments.
• Robust mandatory peer review of all code prior to acceptance of a merge request.

The version control process is Gitflow operated within a Gitlab repository hosted on the Bubble AWS estate.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Bubble undertake vulnerability scans, keep track of vulnerability announcements and monitor information about potential threats from security mailing lists (e.g. USCERT). Where any potential vulnerabilities are identified, patches are applied as appropriate in a timely manner. Incoming traffic to Bubble PPM is routed through: a) AWS Web Application Firewall which automatically blocks IP addresses making requests at an excessive rate. b) AWS CloudFront which protects internal Bubble PPM components from common forms of DDoS attack such as UDP reflection and SYN floods. c) Nginx which directs traffic to the necessary Bubble PPM component and log unusual requests.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Includes OSSEC HIDS (Host based intrusion Detection System), Trend Micro security suite and Nagios. All services are hosted inside an AWS Virtual Private Cloud (VPC). Traffic between infrastructure components (e.g. database instances) is routed over private network links, not over the Internet, and is encrypted where appropriate. Routing tables are configured to prevent inappropriate data egress and connections to internal Bubble PPM components. All traffic is encrypted using SSL/TLS encryption and modern cipher suites to prevent common SSL attacks such as POODLE. The same encryption technologies are used to protect traffic between Bubble PPM and its users.
Incident management type
Supplier-defined controls
Incident management approach
Data can only be viewed by authorised users. Unauthorised access attempts result in an account being locked until an administrator confirms the user’s identity/resets access. Security Groups, which block/allow traffic based on originating/destination IP and port, provide additional protection. In the unlikely event of an incident or breach, notifications are sent to administrators (by OSSEC) for investigation. E-mails are sent to affected users and communications continue until the issue is resolved. System data is secured against accidental/intentional loss. The feedback system allows users to communicate concerns at any time.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

- Influence staff, suppliers, customers and communities through the delivery of the contract to support environmental protection and improvement.
Covid-19 recovery

Covid-19 recovery

- Support organisations and businesses to manage and recover from the impacts of COVID-19, including where new ways of working are needed to deliver services.

- Improve workplace conditions that support the COVID-19 recovery effort including effective social distancing, remote working, and sustainable travel solutions.
Tackling economic inequality

Tackling economic inequality

- Support innovation and disruptive technologies throughout the supply chain to deliver lower cost and/or higher quality goods and services.

- Support the development of scalable and future-proofed new methods to modernise delivery and increase productivity.
Equal opportunity

Equal opportunity

- Influence staff, suppliers, customers and communities through the delivery of the contract to support disabled people.

- Demonstrate action to identify and manage the risks of modern slavery in the delivery of the contract, including in the supply chain.


- Influence staff, suppliers, customers and communities through the delivery of the contract to support health and wellbeing, including physical and mental health.


£25 to £45 a user a month
Discount for educational organisations
Free trial available
Description of free trial
Limited trial access is available on a case by case basis (where requested). We also provide in-person extended/rich demo's that cover specific modules or the software as a whole.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at peterhoyland@bubblegroup.com. Tell them what format you need. It will help if you say what assistive technology you use.