Bramble Hub Limited

Bramble Hub Box-it - Omnidox

Box-it provide fully integrated outsourced document management services ranging from offsite document storage to digital hosting via Omnidox our award winning Cloud based EDM solution by scanning paper and microfilm documents.


  • Access document from anywhere or restrict to specific IP address
  • Document Retention Policy control
  • Workflow
  • User Administration - Roles & Permissions new users & password


  • Allows for home working or remote site working
  • Either alert or delet expired records by document type
  • Approve documents for processing ie. Invoices for payment
  • Self administer for immediate change and saving money
  • Documents can be accessed simultaneously and shared easily
  • Frees up office space
  • Increases productivity and improves efficency
  • Safeguards (back-up) critical business information previously restricted to single copy


£346.53 per licence per month

Service documents


G-Cloud 11

Service ID

2 6 4 5 1 8 6 7 6 5 0 5 7 4 0


Bramble Hub Limited

Roland Cunningham

+44 (0) 2077350030

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Designed for use on a Windows Browser we support, Microsoft Internet Explorer (ideally version 9 or above), Google Chrome, Firefox.
System requirements
Adobe Viewer installed on desktop (Preferably version X or XI)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Suppoort tickets are graded by severity
Level 1 system cant be operated / accesses within 2 hours
Level 2 system accessible but perfomance is slow 4 hours
Level 3 all other questions within 24 hours
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard Support - As standard We target a response within 1 hour of reciept. We will provide telephonic & email support operating on a Monday to Friday basis (excluding UK public holidays) between the hours of 08:00 to 18:00 with 1st line telephonic support provided by our in-house Customer Services Team.
Technical Support is undertaken by our in-house IT Support team which is made up of 1st, 2nd & 3rd line analysts with clear escalation paths between each sets of staff. All tasks are tracked on a ticketing system with full access provided to Customer Services to be shared with the client.
On reporting an incident a unique reference number will be allocated.
1. Error Message
2. Performance Issue
3. Data
4. Login / User Admin
5. Suggested Improvement
The customer will also be asked to provide a full description of the problem. All issues will be dealt as ‘Red – High Priority’ however these may be downgraded following discussions with the customer by our support team. Our support contract will cover all elements of software maintenance,
Support available to third parties

Onboarding and offboarding

Getting started
Omnidox is simple and intuitive to use and from experience is quickly mastered by users even with basic computer and internet skills. Nonetheless we recognise that people’s abilities to absorb training differs and that’s why our trainers are carefully selected with the right degree of interpersonal skills together with 1st class presentation skills. Omnidox training is delivered on a train the trainer basis in the form of a 1-day training event. The event is split into 2 parts. A half day is devoted to System Administration training. This covers the following: -Using the Security Administration tools e.g. setting rules around password administration
-Administration area to include:
-Administration levels explained.
-Creating roles for Users permissions.
-Creating Users.
-Activating & locking out Users explained.
-Understanding & Creating Criteria.
-Understanding Help Desk support.
The 2nd part is devoted to user training and covers the following:
-Creating link to Omnidox & Logging in.
-Search area to include:
-Wild card searching.
-Workflow tools.
-Viewing/Editing data.
-Count explained.
-Use of Viewing tools.
-Use of Print functions.
-Use of the Desktop upload.
-Using the Indexing functions.
-Handling orphaned documents.
-Handling the Expired Documents work-queues.
-Accessing MI Reports.
Service documentation
Documentation formats
End-of-contract data extraction
At the end of the contract users can request the data to be extracted. Box-it will work with the user to develop an Exit Plan. The Images and documents are stored in industry standard format and can be exported to an agreed format and specification to meet the users replacement supplier.
This will be dealt with as a separate project and quoted on a time and material basis to an agreed project time line once the output specification has been agreed.
End-of-contract process
At the end of the contract we develop an exit plan and work with the user to export the data in a usable format on a time and materials basis.After the specification is signed off we will provide a fixed price proposal.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
We can use web-services for system to system integration - However this is bespoke to each implementation.
API documentation
API sandbox or test environment
Customisation available


Independence of resources
We use a combination of in-house developed monitoring software and monitoring dashboards provided by 3rd party providers .Omnidox in monitored constantly for presence and performance by the support team. To maintain performance where new services are spun up if demand requires.


Service usage metrics
Metrics types
Omnidox performance matrix measures service uptime and retrieval time. On a monthly basis we provide billing reports with the following detail: Users – number of named users enrolled onto the system / Functionality – which of the optional modules / Storage – GB of volume stored
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Bulk back scanning would be done at our centre in Winchester and we handle the image upload. Occasional desktop upload is completed using the desktop upload functionality. Pre-populated data for example approved supplier list update, purchase order data or any other regular feed can be imported into our system for validation and indexing or exported into line of business or ERP system by Secure File Transfer Protocol or Virtual Private network.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Other protection within supplier network
To access any data on our network all users need to authenticate against our domain active directory, only then can any data be access if the user has the appropriate permissions.

Availability and resilience

Guaranteed availability
Omnidox is provided as a fully managed service. Box-it therefore includes responsibility for system availability in respect of infrastructure components provided by Box-it including but not limited to:
Hosting environment -
Operating System -
Security Software -
Database Software -
EDM Application(s) -
Data Backups -
Box-its connections to the Internet -
Technical Disaster Recovery -
Technical & Help Desk Support -
System Availability -
Excluding any pre-notified maintenance periods, Box-it will ensure availability in any fixed 3 calendar month period will be no less than;
Service Availability Period 1: - Between the hours of 09.00 to 17.00 UK time Monday to Friday - not less than 99.8%
Service Availability Period 2: - Between the hours of 0.00 to 09.00 and 17.00 to 24.00 UK time Monday to Friday – not less than 99.8%
Service Availability Period 3: - Between the hours of 0.00 Saturday and 24.00 UK time Sunday - not less than 98.0%
Approach to resilience
BCP and DR procedures are aimed at maintaining as comprehensive a service delivery to clients as possible whilst ensuring staff are not endangered in so doing in the event of a catastrophe or other disaster is of paramount importance to Box-it.

The aim of this plan is to prepare the business to cope with the effects of an emergency and build confidence in client partnerships of this ability. The types of emergencies that this plan covers includes the following:
Organised and/or Deliberate Disruptions,
Loss of Utilities and Services,
Equipment or System Failure,
Serious Information Security Incidents
Other Emergency situations.

The site at Winchester is covered by a fallback generator that kicks in 10 seconds after electrical power failure and all servers (and workstations in operations) are protected by UPS.
All key servers are duplicated on site.
Mirrored site: All servers are replicated at a 3rd Party data centre - Currently manually enabled but by the end of 2017 this will be automatically switched over should the primary site fail.
Two separate internet connections are in place these enter the facility from different locations.
Our DR plan also details recovery to a new site in the event of total loss.
Outage reporting
Our Customer Services teams will notify users of any scheduled maintenance or any unplanned outages.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication
We can restrict to specific IP address.
Access restrictions in management interfaces and support channels
1st line support is handled by our customer services team. The customer services team has the same permissions as the user Administrator. All access is controlled by user name and password permission and all access is logged.
2nd 3rd and 4th line support has a dedicated super administrator account. This is on an as needs basis and the control of this account is by user name and password and all access is audited
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Certified by Intertek - Certificate number ISMS1796-02
ISO/IEC 27001 accreditation date
03/12/2013 recent renewal 20/01/2017
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO 9001
  • ISO 14001
  • IG tool kit (for NHS work)
  • BS 10008

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Box-it has certification in ISO 27001:2013 – Information Security Management Systems (ISMS), ISO 9001:2008 – Quality Management Systems; ISO 14001:2004 Environmental Management systems and ISO BIP0008 – Evidential Weight of Information Stored Electronically along with other industry related ISO accreditations and applies these standards to all works undertaken for document scan processes, along with our archive and destruction services.
Box-it routinely places its staff on Awareness programs and training courses for all related requirements in the work place and regular refresher courses are carried out to ensure operating staff are fully aware of all privacy and legislation when processing client documentation.
Our systems and CCTV routinely register all activity within the Box-it complex and incident reporting protocols has allowed Box-it to be incident free for over 25 years.
Box-it takes very seriously the security & integrity of personal data, either in storage or in process and have developed security standards based upon appropriate risk assessments, industry expectations and in Pre-
accordance with our Data Protection Policy and our Information Security Policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change requests are raised, these are managed by the Change Manager role, all requests need to have supporting information, such as change request date (needs to at least 7 days before implementation), change description, if testing performed, implementor, backout plan, etc, the change is then reviewed a CAB. There is an Emergency Change process which is approved by Senior Management.
Vulnerability management type
Vulnerability management approach
We do not currently perform vulnerability testing, this is something we will be looking to implement in the futur
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We have monitoring software in place to alert us of any impending issues, tickets are raised and escalated as necessary to resolve issues. Issues are responded to within a set criteria depending on their impact.
Incident management type
Supplier-defined controls
Incident management approach
Our clients report issues to our Customer Services team, who then raise a ticket on our Service Desk system. These tickets are given a priority which is used to determine how the issue will be dealt with by the Service Desk team. Our Service Desk system can be used to create reports.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
Health and Social Care Network (HSCN)


£346.53 per licence per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑