APM Technologies SA


APMCrewConnect app features a design that allows Crew Members to interact with their roster and track daily activities on Tablet or Mobile devices. The App offers multiple everyday functions such as send requests, set preferences, availability status, receive roster changes, manage their personal information and check their Qualifications list.


  • Remote access
  • Real Time Information
  • Off Line Mode


  • Airline Crew Roster with Month, Week and Day calendar views
  • Airline Crew Requests including Flights, Destination, Stopover, Off and Absences
  • Crew Data including personal information access
  • Access to Airline Crew Reports and Forms, e.g. GenDecs
  • Airline Crew Qualifications and Checks


£1,999.99 to £4,999.99 a server a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.osullivan@apmtechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 3 6 9 4 3 8 3 1 1 8 9 9 7 8


APM Technologies SA Michael OSullivan
Telephone: 00447789637467
Email: michael.osullivan@apmtechnologies.com

Service scope

Software add-on or extension
What software services is the service an extension to
Aircraft Scheduling,
Aircraft Crewing,
Aircraft Flight Watch
Cloud deployment model
Public cloud
Service constraints
Is compatible with devices using IOS or Android operating systems.
This must be the current version of the OS or one of the two previous OS systems or as printed on the APM Technologies SA Web Site.
System requirements
An Android or Apple mobile or tablet device.

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA 1 (Serious) objective to make fix within 24 days,
SLA 2 (Inconvenient but not a blocker) objective to make fix within 7 days,
SLA 3 ( Cosmetic or minor inconvenience) objective to make fix in next quarter
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
We can assist with the software installation but the cost depends on the organisations size. We can also provide training of the software.
Support available to third parties

Onboarding and offboarding

Getting started
We provide on site training
Service documentation
Documentation formats
End-of-contract data extraction
We provide a copy of the data normally in JSON when the contract ends in various technical formats. We also make available GDPR sanitation tools to ensure the compliance of such data.
End-of-contract process
Standard data extract and data sanitation as per the last release is included in the contract. Additional data sanitation will be subject to quote and development.

Using the service

Web browser interface
Supported browsers
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices
Differences between the mobile and desktop service
The information available on the Mobile app covers the following areas,
Crew Roster
Crew Data
Crew Requests
Crew Qualifications/Checks
Crew Rule Reports
Crew operational reports
Service interface
Description of service interface
We supply a Rest server to support the app
Accessibility standards
None or don’t know
Description of accessibility
The information on the devices is accessed via Native applications.
This in turn links to the database server via a Rest Server.
The deployment architecture is three tier User Interface/Logic/Data Server.
Access is password and user log on controlled with token verification.
There is an option to link log on with an OKTA profile
Users can access the information via the internet or a Bluetooth connection.
The User can elect to log in and save the information to work off line.
Accessibility testing
We use Smart Bear automatic scripting, volume and API testing. This is all automated.
What users can and can't do using the API
APM will deploy the API to the hosting environment.
Changes to the API are made under a change management process using functional and technical specifications.
Once a Change request is accepted, the feature will be added to a future release and following unit and regression testing will be deployed for user access and deployment
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The features of the service can be controlled via User Rights or Group User Rights.
It is normally the airlines IT manager who will control the customisation access.


Independence of resources
We will advise the purchasing organisation on the required hardware to host the data and service to ensure scaling is sufficient for the number of users within the organisation as previously volume tested by us.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
The Airline Crewing data is the confidential data of the purchasing organisation (employer).
If the individual user requires such data, they must all apply to their employer for a copy of the data and this can be provided directly from the host database to the user.
The personal data of a crew member is already available to the user with an enabled device in accordance with the EULA and they can save this data in PDF format.
Data export formats
Other data export formats
  • We provide the data in PDF format.
  • We will provide their personal data in an JSON format.
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Severity level 1 (hereinafter “SLA 1”)
The Licensed Software (or a component thereof): (A) is unusable, catastrophically fails or ceases to provide its material, documented, functions; provides erroneous/incorrect output or displays (based upon the accurate input of data) or (B) causes a system, server, workstation, or application to be substantially unusable, catastrophically fail or cease to provide material functions. A viable workaround to restore such operation or functionality is not readily available.
Severity level 2 (hereinafter “SLA2”)
The Licensed Software (or a component thereof) is not fully functional (e.g., the Licensed Software has major restrictions on functionality; the Licensed Software performs most, but not all, material documented functions), or causes performance degradation of a system, server, workstation, or application. A viable workaround to restore such operation or functionality is not readily available or such workaround is available but material problems remain. The application usability is to the point that its value to Customer is substantially diminished.
Severity level 3 (hereinafter “SLA 3”)
The Licensed Software (or a component thereof) operates with minor, non-material restrictions on certain functions or causes minor performance degradation of systems that are not material to their operation.

Refund re SLA is defined within each Contract.
Approach to resilience
Available on request in general terms we use oAuth and Rest Service Spring Security
Outage reporting
A Service Manager dashboard interface.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
Access and Refesh Tokens are also exchanged.
Access restrictions in management interfaces and support channels
APM Rest Services are deployed with Management Log Ons and Passwords.
The data is partitioned by the Token process so user A cannot see User B's data with a direct request on the API.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Accreditation
Information security policies and processes
We use Access Tokens and Refresh Tokens. This can be supplemented with OKTA profiles if the organisation prefers.
We use oAuth security standards
Our REST services use the Spring Security Framework and an SSL exchange.
For WebServices we use HTTPS

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use GIT as the repository for Code Changes to approved specifications as defined in our Jira system.
We use SmartBear for function and API testing as defined in our scripts and in conformance to Sonar Cube Code KPIs with our ISO standards
Approved builds are then compiled using Jenkins.
We then deliver the improvement to the Apple and the Google play store where they go through the test and approve process before being released.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We firstly monitor our servers and network
We are able to deploy a patch within 4 hours if there is a security need
We would get information of potentials threats from our own testing, our controls, our customers and market data.
We use password protected logons
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our Mobile App services are password protected.
They all have audit logs.
Our Mobile App services send notifications when the service is down,
Incident management type
Supplier-defined controls
Incident management approach
With an SLA1, all other work stops as needed so the correct resources are automatically allocated to deal with the SLA1. The reporting of an SLA1 by an external party is available by using JIRA customer interface. An SLA1 will normally be corrected and patched within 4 hours of reporting.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£1,999.99 to £4,999.99 a server a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.osullivan@apmtechnologies.com. Tell them what format you need. It will help if you say what assistive technology you use.