Facewatch Limited

Facewatch facial recognition

Facewatch is a secure cloud-based platform that uses facial recognition technology to send instant alerts to businesses or police when subjects of interest enter business premises. Facewatch also provides secure access control using facial recognition for use in Govt properties (eg prisons) enabling comparison of visitors across properties.


  • Instant alerts when subjects of interest enter properties
  • Access control using facial recognition
  • Comparison of faces instantly against watchlists
  • Mobile App based search database function for stop and search
  • Add subjects to watchlist from mobile Apps at business properties
  • Track Major Crime suspects in real time via camera network
  • Identify potential hostile reconnaissance
  • Identify potential drug mules in prisons
  • Share watchlists of low risk criminals with businesses securely
  • Highly secure and GDPR compliant system


  • Identify an individual on your watchlist instantly
  • Search watchlist of up to 40million faces in 1 second
  • Enable approval of visitors to prisons in 15 seconds
  • Mobile alerts if Suspects enter businesses in your location
  • Prevent low level crime by sharing watchlists with businesses
  • Full GDPR compliance with no hassle
  • Simple ISA to share data already approved by leading QC
  • View history of matched crimes and alerts for Suspects
  • Add Suspect to watchlist from mobile in 20 seconds
  • Quick search of all faces for last 7 days


£2200 per licence per year

Service documents


G-Cloud 11

Service ID

2 1 1 8 6 8 6 6 6 5 0 6 6 9 7


Facewatch Limited

Simon Gordon



Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Requires AWS cloud to run. The main Facewatch system for businesses runs on AWS and is maintained by Facewatch staff however Govt can use their own instances of AWS and have full control of the software.
System requirements
  • AWS Tier 3 or Tier 4 servers
  • Mobile phones with internet access (Android or IOS)
  • Internet access via local network
  • Hardware (eg laptops) if not provided by client

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 30 minutes
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
We use Freshdesk for support - see https://facewatch.freshdesk.com/support/home
Web chat accessibility testing
None but Freshdesk is a widely used portal so presumably has been tested.
Onsite support
Yes, at extra cost
Support levels
Support for local hardware installed by Facewatch (eg Cameras; Edge boxes or computers) is available at £1000 per day.

A technical account manager to support the cloud services could be provided at £1,250 per day.
Support available to third parties

Onboarding and offboarding

Getting started
Online training is provided. The system can however be used without training because the user interface has been made so simple.
Service documentation
End-of-contract data extraction
Data can be provided in whatever form required.
End-of-contract process
Facewatch operates a very simple license over 3 years which includes the "Edge box" for processing CCTV streams but may include cameras and laptops if required.

At the end of the contract the service ends and any hardware specified as part of the contract fee is returned to Facewatch.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The functionality is very similar except that the mobile user can take a photograph of a subject using the camera.
Service interface
Description of service interface
There is an admin portal to set up users and entities which Govt would have access to if they ran their own AWS platform.
Accessibility standards
None or don’t know
Description of accessibility
All wording is readable by readers.
Accessibility testing
What users can and can't do using the API
API's are available on request but are chargeable if bespoke at £1,000 per manday of work.

Standard APIs allow access using Oauth and can interface watchlists and alerts into local systems. For prisons (for example) the system can integrate with NOMIS.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
We are open to making changes to the service if applicable for multiple use cases.

Administrators can set threshold limits for Alerts and area limits for location based alerts.


Independence of resources
Govt would use their own AWS instances completely independent of the main Facewatch system for businesses.

The system includes load balancing and split services to ensure no bottlenecks arise.


Service usage metrics
Metrics types
We provide data showing:

Alerts received
Alerts confirmed
Alerts ignored
Alerts where there was no match

Biometric data of all faces passing in front of a camera:
Number of faces, Age, Race, Gender, glasses

For access control system:
Number of new visitors enrolled
Number of known visitors visiting
+ many others (flexible)
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
This would only be at the end of a contract and would be done using a specific export function which Facewatch can provide.
Data export formats
  • CSV
  • ODF
Data import formats
Other data import formats
  • Jpg
  • Png
  • Mjpeg

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
AWS 99.99% availability of objects guarantee
Facewatch guarantees 99% availability of system during working hours (09:00 to 17:00)
Approach to resilience
AWS resilience described earlier. Resilience is described in our Police ISA as follows:

The system is hosted centrally at AWS, one of the world’s leading ISO27001 security level providers of secure hosting, using their 3 London data centres. These are:

Backed with the Amazon S3 Service Level Agreement for availability.

Designed for 99.999999999% durability and 99.99% availability of objects over a given year.

There are separate DNS addresses and applications for the Facewatch client facing application and Facewatch administrator application
Outage reporting
Notices will be put on our publicly viewable Freshdesk support site if required.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
The management interface is a separate cloud based Admin system which can only be access by Facewatch staff from pre approved IP addresses using username/password access. The admin system is completely separate from the client side system and is where all key operations such as:

Set up legal entities and properties
Add licenses for facial recognition
Add managers and role specific positions
Add radii for sharing of intelligence

The support channel is a third party system (Freshdesk) and is totally separate from the operational systems.
Access restriction testing frequency
At least every 6 months
Management access authentication
Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
Who accredited the ISO 28000:2007
We use AWS who are certified ISO27001
ISO 28000:2007 accreditation date
Not sure
What the ISO 28000:2007 doesn’t cover
N/A - AWS are recognised and global
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Facewatch holds: Cyber Essentials, ISO9001
AWS servers are ISO27001
Information security policies and processes
We follow ISO9001 and are subject to annual audit by BSI.

We have full documentation of policies and procedures as part of our Quality Management System.

Reporting responsibilities are:

Board - overall responsibility for governance
Chairman (Executive)
Data Protection Officer
Plus 3 experienced non executive directors

The quality manual is reviewed and maintained by the Executive Chairman, reporting to the CEO and board

The CTO is responsible for IT security and development

The DPO reviews all IT security reports (Quarterly Pen tests etc) and GDPR relevant documentation (DPIAs etc)

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Company operates an agile development approach with software update releases when new releases are available. All development tasks are tracked through Pivotal Tracker and approved by the Chairman and CEO (with DPO input where GDPR relevant) prior to commencement.

There are separate test and development environments and all system updates are tested using automated tests as well as user testing to ensure that there is no loss of service or reliability for users.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Quarterly penetration testing by Trustwave is carried out and results are reviewed by the CTO, DPO and Chairman + CEO with reporting to the board when complete.

The system has instant reporting of unusual activity, DDOS attacks etc and these are monitored 24/7 by our dev team who will act immediately on any issues.

All software is updated using the latest patches within 14 days of publication.

Full documentation available on request.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Development team/CTO receives live reports of any potential compromises or attacks and immediately acts on these to ensure the system is not compromised. The system is upgraded as required to deal with any perceived threats and then penetration tested as part of our quarterly Pen testing contract with Trustwave.

As an example, attacks are and have been blocked on several occasions successfully and a recent system upgrade has further hardened against such attacks by splitting all services further.
Incident management type
Supplier-defined controls
Incident management approach
Using our ISO9001 incident reporting system we record common events such as SAR's. We report incidents through Slack to our dev team and create Bug reports or Feature requests in Pivotal Tracker if necessary.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£2200 per licence per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑