Unify Business Solutions Limited

Unify Call Control System (UCCS) PIN Phone for Prison Estates and Secure Facilities

The Unify Call Control System (UCCS) is a secure platform which enables prisons and secure facilities to manage phone calls internally and externally. The UCCS allows staff to control, monitor and record phone calls and includes integrated reporting. Call rates are adjustable enabling differing tariffs to be set for detainees.


  • Fully customised and scalable to meet clients’ needs.
  • Modular design for easy expansion and live hardware replacement.
  • Multiple PBX controllers for redundancy and load balancing.
  • Circuit failover in the event of ISDN service interruption.
  • Personal Identification Number for prisoner/detainee allows individual call restrictions.
  • Cashless system using talk time or currency units for billing.
  • Real-time monitoring for phone calls.
  • Recorded calls played back on demand.
  • Pre-authorised numbers integrated with allowed global numbers list.
  • Flexible and customised call reporting system.


  • UCCS can be self-funded or generate income for the client.
  • Encourages family contact which can support rehabilitation.
  • Easy to contact support groups and get legal advice.
  • Allows call privacy whilst remaining secure.
  • Administrative flexibility and time saving through user-friendly interface.
  • When prison based the UCCS can help support intelligence teams.
  • Cashless system saves time on administration.
  • Disallowed numbers can shared on the global numbers list.
  • Integrates with client CMS and other systems where required.
  • Integrates fully with in-cell, wing and other phones.


£0.98 per person per day

  • Free trial available

Service documents


G-Cloud 11

Service ID

1 4 5 8 5 9 4 0 5 1 8 7 0 3 2


Unify Business Solutions Limited

Keith Bean



Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints Not applicable
System requirements
  • Sound cards required
  • IP/SIP handsets required
  • Data network required to facilitate software in the cloud

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 4 working hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Fully inclusive maintenance charged on a monthly/quarterly or annual basis. Online and telephone support is offered 24/7, 365 days a year with a 4 hour response time.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Onsite training will be provided along with user documentation.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction All data remains accessible via the API at the end of the contract. Furthermore, direct database access can be provided on request.
End-of-contract process Included in the pricing would be the decommissioning of hardware products, excluding cabling. Software services would end with the contract.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface Service interface is to administrate users of the PON phone system and also to listen to recording of calls etc. The interface is a major part of the solution and will be required.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Testing is conducted on a regular basis along with new tests once a change is made to the existing firmware.
What users can and can't do using the API Every data point in the system e.g. user data, phone numbers etc, is administrable through the API. The call flow (IVR) can be administered via the API.
In addition data retrieval (call recordings, call records, user account specifics) is done via the API. All API operations are user access controlled allowing enablement or restriction of features as desired. Overall this means the entirety of a system endpoint (administrative, in-cell) could be replaced by a user-built alternative if required.
There are no limitations to the API, all system functions are abstracted through the API.
API documentation No
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The entire flow of the call can be customised, this extends to the billing model, audio playback and the logical flow of the call.
The customisation is controllable by the customer.


Independence of resources By providing dedicated hardware we can affirm in advance the maximum concurrent capacity of the system. This would mean that users engaging the system at or beyond it's concurrent limit would be denied access to the system thus preserving function for the current users.


Service usage metrics Yes
Metrics types Concurrent and cumulative call and user statistics.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach API endpoints expose all system data as JSON formatted messages. The Unify client allows export of system data is desktop file formats.
Data export formats
  • CSV
  • Other
Other data export formats Encrypted MP3
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability SLA's are agreed in consultation with the customer and service availability is similarly a product of discussion around security risk tolerance with regard to patching and associated downtime.
We typically achieve in excess of a 99.9% up time.
Approach to resilience In broadly generic terms all pieces of equipment are deployed alongside one or more failover counterparts. All pieces of equipment are automatically monitored for health and their redundant counterparts take control unbidden.
Outage reporting Private health monitoring of low-level system health is available to Unify, high-level system health data is available to the user through our maintenance utility.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels LDAP authentication is used to control access to our management interface by integration with the customers own active directory infrastructure.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Assessment Bureau
ISO/IEC 27001 accreditation date 11/10/2013
What the ISO/IEC 27001 doesn’t cover Our ISO 27001 certification is complete as per the 2015 standards.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 9001 and 27001 accredited.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change is requested, requester, change details, impact, testing and rollback procedures are logged. Approval required by both the customer and Unify before change is carried out. All changes tracked in a change log.

Changes are assessed for security implications at the time of request and dealt with accordingly.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach All inbound network traffic is restricted based on endpoint and port and deviations from these are reviewed for their threat level.
We periodically assess the contents of the firewall logs to check for new vulnerabilities and/or threats.
We have a scripted rolling rebuild on a cycle agreed with the customer to suit their downtime tolerance. This rebuild process always delivers an up to date system and thus negates entirely the risk of patching and associated testing overheads.
Information regarding potential threats comes from a trusted security partner.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We periodically check firewall logs to identify potential compromises, along with file integrity of each component of our system.
Our response would be tailored to the customer's specific wishes, but taking into account the nature of the potential compromise and the degree of risk associated with it.
Customers would be notified immediately of a system compromise.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We ascertain the number of individuals affected, the type of data involved and the impact on the particular system(s).
Incidents are reported to the Directors of the business. The report includes full details of the incident including the person reporting, type of data involved and if the data relates to individuals (and if so how many).
An investigation is conducted by a designated individual who creates a formal incident report which depending on the type of incident is either filed internally or sent to the appropriate customer.
We have pre-defined processes for common events.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.98 per person per day
Discount for educational organisations No
Free trial available Yes
Description of free trial A small-scale trail either based in a live or non-live environment - Unify will cover all costs associated with the trail with the exception of cabling.

Service documents

Return to top ↑