Armour Mobile - Platform FLEX - Secure Communication - Official Sensitive

FLEX + Armour Mobile, A fully managed Nine23 owned UK infrastructure - Secure Communication platform accredited(NCSC/GPG) to OFFICIAL-SENSITIVE-SECRET(OS-S). Armour Mobile is an CPA certified secure voice, messaging, video and chat application that runs on iOS and Android devices. A fully secure remote working WhatsApp replacement, combined with advanced security techniques.


  • Secure voice calls, video calls, messaging, group chat and conferencing
  • Simple to use, simple to deploy, end to end encryption
  • Supports popular COTS devices such as Android, iOS, Windows 10
  • Message Burn/Time to Live (TTL) determines message life
  • Advanced features for potential use at SECRET / Advanced Mobile
  • Compatible with Samsung Knox, Trustzone and dual factor authentication
  • Secure connection to landlines and voice services inc Skype
  • Compatible with supporting software such as MDM MAM EMM UEM
  • Standards based PKI architecture utilising MIKEY SAKKE
  • Secure scaleable Nine23 owned UK hosted managed platform Accredited OFFICIAL-SENSITIVE-SECRET


  • Native mobile experience for end-users from fully accredited cloud infrastructure
  • Secure data from private network to wireless enabled mobile devices
  • Complete end-to-end secure managed solution set-up and in service quickly
  • Connect mobiles to secure services on HSCN/PSN/PND via one platform
  • Complete end-to-end secure managed solution set-up and in service quickly
  • Secure, CPA certified alternative to WhatsApp, Viber, SIGNAL
  • Members of Secure Chorus Interoperability, security and auditability by design
  • Ideal for remote workers and teams travelling globally
  • Fully Managed secure official-sensitive service NCSC Cloud Security Principles
  • Secure-container App Secure-messaging Secure-calls Secure-endpoint secure-cloud Remote Device-wipe


£15 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

1 7 5 5 6 8 4 6 4 2 7 8 7 7 8



Stuart McKean

+44 (0) 23 8202 0300

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Armour Mobile can be applied to iOS and Android phones and tablet devices and Windows Desktop.
System requirements
  • System outline will be discussed with client
  • No pre-conditions or extra licences required outside the service
  • COTS Apple devices (phone or tablet) iOS Version 8+
  • COTS Android devices (phone or tablet) OS Version 4.3+
  • Windows 10 Desktop

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within one hour
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels We provide a standardised SLA for clients to ensure the service is understood by you, and is sufficiently supported by our engineers. You will be able to interact directly with engineers who know your account and can deal with issues directly without having to first negotiate an unskilled Helpdesk.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Clients can follow documentation on how to initiate and start receiving our services. This can be augmented with training onsite, or delivered remotely. We deliver a standardised service, honed during deliveries to existing public sector clients, meaning a low risk and swift deployment without unexpected consultancy costs.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Client will provide secure physical media to Nine23, which will then be populated with the specified client data and returned to the client.
End-of-contract process The client will have extracted the data they need to keep for archive or transition purposes. Any managed devices are taken off management which will wipe enterprise and managed data from the devices. The client is then free to undertake any disposal requirements that may be stipulated under IS5. Hosted areas are then made inaccessible to the internet and deleted. This is all provided without cost to the client. Any additional services will be charged based on the day rates on our SFIA rate card.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No differences between the mobile and desktop service - Works the same on both.
Service interface No
Customisation available No


Independence of resources Technical separation of resources to client areas is achieved at virtualisation level so that one client is not competing for the same resources as another; client areas are independent private clouds so processing is not shared. Our ITIL aligned service processes have defined scaling markers to ensure the service team is not short-staffed.


Service usage metrics Yes
Metrics types Nine23 FLEX Platform infrastructure is fully reported as per SLA.

App deployment is reported via UEM/MDM.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Armour Comms

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach For security reasons the only data that can be exported from the device is the contacts. A user can export their contacts to an encrypted file and store or email it off their device (platform-dependent).
Data export formats Other
Other data export formats Encrypted file
Data import formats Other
Other data import formats Encrypted file

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks Armour secure services are protected by at least AES-128 with PKI using MIKEY-SAKKE between end user devices and up to AES-256 with TLS1.2+ in client/server interactions.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network All inter-server communications within the Armour secure service use at least TLS1.2+ with AES-256, multi-zone server security, firewalling, intruder detection, monitoring, etc.

Availability and resilience

Availability and resilience
Guaranteed availability We provide SLAs to each client outlining the expected availability of each service. Unplanned outages that lead to decreased availability from the levels set out in the SLAs lead to credits on those services during the next period.
Approach to resilience Architectural resiliency is designed into the hosted environment and is backed by the Tier 3+ UK Data Centre. Details can be given to clients upon request.
Outage reporting Email alerts to nominated client representatives, with quantitative and qualitative detail.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels We restrict management interface access to known personnel on known devices that are authenticated with 2FA and connect via VPN to secured management hosts with limited permissions.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 UKAS
ISO/IEC 27001 accreditation date 30/4/2019
What the ISO/IEC 27001 doesn’t cover 14.1.1 Information security requirements analysis and specification
14.1.2 Securing applications services on public networks
14.1.3 Protecting application services transactions
14.2.1 Secure development policy
14.2.6 Secure development environment
14.2.7 Outsourced development
14.3.1 Protection of Test Data
16.1.7 Collection of evidence
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Government Ministries' accreditations at OFFICIAL-SENSITIVE (available on request)
  • CPA (up to OFFICIAL SENSITIVE) for key service components
  • Cyber Essentials Plus for company-wide IT security
  • CPA Build Standard assessment of development mechanisms
  • NPV3 Vetting
  • 14 Cloud Security Principles

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Independently tested and accredited by existing government clients. References available on request.
Information security policies and processes We apply NCSC and industry best practice to ensure 14 Cloud Security Principles are applied during design, deployment, operation, and decommission. We provide IS1&2 compliant RMADS and maintain our own Security Management Plan which is integral to our ISO9001 accreditation, which is independently audited every year.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Services are configured and documented for reference. Changes are initiated with internal or external requests that start a Change Acceptance Process, during which the business imperative, security risks, user impact, and costs are considered. A lightweight process is adopted for agility of service, but If necessary, a full security impact assessment is undertaken and when the requisite authorisations are received, the change is effected and documentation updated.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We subscribe to a number of vulnerability and threat monitoring agencies including the NCSC threat newsletter. A baseline patching process is maintained monthly for all services, and emergency responses to critical threats are evaluated and actioned appropriately.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Our protective monitoring tools examine SIEM data from our platform and client areas, including GPG13 compliant reporting. Incidents are responded to based on the severity of the event and can be immediate notification to clients to allow fixes to be effected straight away.
Incident management type Supplier-defined controls
Incident management approach Our SyOPs and Security Management Plan outline procedures for incident management and reporting. Our SMP is aligned with ISO27k controls and verified by a CCP qualified IA lead.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • Health and Social Care Network (HSCN)


Price £15 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Nine23 have a dedicated secure solution that can offer a limited number of test users the ability to trial the service.

Service documents

Return to top ↑