Bramble Hub Limited

Bramble Hub Box-it - Omnidox

Box-it provide fully integrated outsourced document management services ranging from offsite document storage to digital hosting via Omnidox our award winning Cloud based EDM solution by scanning paper and microfilm documents.


  • Access document from anywhere or restrict to specific IP address
  • Document Retention Policy control
  • Workflow
  • User Administration - Roles & Permissions new users & password


  • Allows for home working or remote site working
  • Either alert or delet expired records by document type
  • Approve documents for processing ie. Invoices for payment
  • Self administer for immediate change and saving money
  • Documents can be accessed simultaneously and shared easily
  • Frees up office space
  • Increases productivity and improves efficency
  • Safeguards (back-up) critical business information previously restricted to single copy


£346.53 per licence per month

Service documents

G-Cloud 11


Bramble Hub Limited

Roland Cunningham

+44 (0) 2077350030

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Designed for use on a Windows Browser we support, Microsoft Internet Explorer (ideally version 9 or above), Google Chrome, Firefox.
System requirements Adobe Viewer installed on desktop (Preferably version X or XI)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Suppoort tickets are graded by severity
Level 1 system cant be operated / accesses within 2 hours
Level 2 system accessible but perfomance is slow 4 hours
Level 3 all other questions within 24 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard Support - As standard We target a response within 1 hour of reciept. We will provide telephonic & email support operating on a Monday to Friday basis (excluding UK public holidays) between the hours of 08:00 to 18:00 with 1st line telephonic support provided by our in-house Customer Services Team.
Technical Support is undertaken by our in-house IT Support team which is made up of 1st, 2nd & 3rd line analysts with clear escalation paths between each sets of staff. All tasks are tracked on a ticketing system with full access provided to Customer Services to be shared with the client.
On reporting an incident a unique reference number will be allocated.
1. Error Message
2. Performance Issue
3. Data
4. Login / User Admin
5. Suggested Improvement
The customer will also be asked to provide a full description of the problem. All issues will be dealt as ‘Red – High Priority’ however these may be downgraded following discussions with the customer by our support team. Our support contract will cover all elements of software maintenance,
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Omnidox is simple and intuitive to use and from experience is quickly mastered by users even with basic computer and internet skills. Nonetheless we recognise that people’s abilities to absorb training differs and that’s why our trainers are carefully selected with the right degree of interpersonal skills together with 1st class presentation skills. Omnidox training is delivered on a train the trainer basis in the form of a 1-day training event. The event is split into 2 parts. A half day is devoted to System Administration training. This covers the following: -Using the Security Administration tools e.g. setting rules around password administration
-Administration area to include:
-Administration levels explained.
-Creating roles for Users permissions.
-Creating Users.
-Activating & locking out Users explained.
-Understanding & Creating Criteria.
-Understanding Help Desk support.
The 2nd part is devoted to user training and covers the following:
-Creating link to Omnidox & Logging in.
-Search area to include:
-Wild card searching.
-Workflow tools.
-Viewing/Editing data.
-Count explained.
-Use of Viewing tools.
-Use of Print functions.
-Use of the Desktop upload.
-Using the Indexing functions.
-Handling orphaned documents.
-Handling the Expired Documents work-queues.
-Accessing MI Reports.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At the end of the contract users can request the data to be extracted. Box-it will work with the user to develop an Exit Plan. The Images and documents are stored in industry standard format and can be exported to an agreed format and specification to meet the users replacement supplier.
This will be dealt with as a separate project and quoted on a time and material basis to an agreed project time line once the output specification has been agreed.
End-of-contract process At the end of the contract we develop an exit plan and work with the user to export the data in a usable format on a time and materials basis.After the specification is signed off we will provide a fixed price proposal.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API We can use web-services for system to system integration - However this is bespoke to each implementation.
API documentation No
API sandbox or test environment No
Customisation available No


Independence of resources We use a combination of in-house developed monitoring software and monitoring dashboards provided by 3rd party providers .Omnidox in monitored constantly for presence and performance by the support team. To maintain performance where new services are spun up if demand requires.


Service usage metrics Yes
Metrics types Omnidox performance matrix measures service uptime and retrieval time. On a monthly basis we provide billing reports with the following detail: Users – number of named users enrolled onto the system / Functionality – which of the optional modules / Storage – GB of volume stored
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Bulk back scanning would be done at our centre in Winchester and we handle the image upload. Occasional desktop upload is completed using the desktop upload functionality. Pre-populated data for example approved supplier list update, purchase order data or any other regular feed can be imported into our system for validation and indexing or exported into line of business or ERP system by Secure File Transfer Protocol or Virtual Private network.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network Other
Other protection within supplier network To access any data on our network all users need to authenticate against our domain active directory, only then can any data be access if the user has the appropriate permissions.

Availability and resilience

Availability and resilience
Guaranteed availability Omnidox is provided as a fully managed service. Box-it therefore includes responsibility for system availability in respect of infrastructure components provided by Box-it including but not limited to:
Hosting environment -
Operating System -
Security Software -
Database Software -
EDM Application(s) -
Data Backups -
Box-its connections to the Internet -
Technical Disaster Recovery -
Technical & Help Desk Support -
System Availability -
Excluding any pre-notified maintenance periods, Box-it will ensure availability in any fixed 3 calendar month period will be no less than;
Service Availability Period 1: - Between the hours of 09.00 to 17.00 UK time Monday to Friday - not less than 99.8%
Service Availability Period 2: - Between the hours of 0.00 to 09.00 and 17.00 to 24.00 UK time Monday to Friday – not less than 99.8%
Service Availability Period 3: - Between the hours of 0.00 Saturday and 24.00 UK time Sunday - not less than 98.0%
Approach to resilience BCP and DR procedures are aimed at maintaining as comprehensive a service delivery to clients as possible whilst ensuring staff are not endangered in so doing in the event of a catastrophe or other disaster is of paramount importance to Box-it.

The aim of this plan is to prepare the business to cope with the effects of an emergency and build confidence in client partnerships of this ability. The types of emergencies that this plan covers includes the following:
Organised and/or Deliberate Disruptions,
Loss of Utilities and Services,
Equipment or System Failure,
Serious Information Security Incidents
Other Emergency situations.

The site at Winchester is covered by a fallback generator that kicks in 10 seconds after electrical power failure and all servers (and workstations in operations) are protected by UPS.
All key servers are duplicated on site.
Mirrored site: All servers are replicated at a 3rd Party data centre - Currently manually enabled but by the end of 2017 this will be automatically switched over should the primary site fail.
Two separate internet connections are in place these enter the facility from different locations.
Our DR plan also details recovery to a new site in the event of total loss.
Outage reporting Our Customer Services teams will notify users of any scheduled maintenance or any unplanned outages.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication We can restrict to specific IP address.
Access restrictions in management interfaces and support channels 1st line support is handled by our customer services team. The customer services team has the same permissions as the user Administrator. All access is controlled by user name and password permission and all access is logged.
2nd 3rd and 4th line support has a dedicated super administrator account. This is on an as needs basis and the control of this account is by user name and password and all access is audited
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certified by Intertek - Certificate number ISMS1796-02
ISO/IEC 27001 accreditation date 03/12/2013 recent renewal 20/01/2017
What the ISO/IEC 27001 doesn’t cover Nothing
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 9001
  • ISO 14001
  • IG tool kit (for NHS work)
  • BS 10008

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Box-it has certification in ISO 27001:2013 – Information Security Management Systems (ISMS), ISO 9001:2008 – Quality Management Systems; ISO 14001:2004 Environmental Management systems and ISO BIP0008 – Evidential Weight of Information Stored Electronically along with other industry related ISO accreditations and applies these standards to all works undertaken for document scan processes, along with our archive and destruction services.
Box-it routinely places its staff on Awareness programs and training courses for all related requirements in the work place and regular refresher courses are carried out to ensure operating staff are fully aware of all privacy and legislation when processing client documentation.
Our systems and CCTV routinely register all activity within the Box-it complex and incident reporting protocols has allowed Box-it to be incident free for over 25 years.
Box-it takes very seriously the security & integrity of personal data, either in storage or in process and have developed security standards based upon appropriate risk assessments, industry expectations and in Pre-
accordance with our Data Protection Policy and our Information Security Policy.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change requests are raised, these are managed by the Change Manager role, all requests need to have supporting information, such as change request date (needs to at least 7 days before implementation), change description, if testing performed, implementor, backout plan, etc, the change is then reviewed a CAB. There is an Emergency Change process which is approved by Senior Management.
Vulnerability management type Undisclosed
Vulnerability management approach We do not currently perform vulnerability testing, this is something we will be looking to implement in the futur
Protective monitoring type Supplier-defined controls
Protective monitoring approach We have monitoring software in place to alert us of any impending issues, tickets are raised and escalated as necessary to resolve issues. Issues are responded to within a set criteria depending on their impact.
Incident management type Supplier-defined controls
Incident management approach Our clients report issues to our Customer Services team, who then raise a ticket on our Service Desk system. These tickets are given a priority which is used to determine how the issue will be dealt with by the Service Desk team. Our Service Desk system can be used to create reports.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks Health and Social Care Network (HSCN)


Price £346.53 per licence per month
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑