Syrenis Ltd

Cassie (formerly The Preference Centre)

Cassie is a secure, cloud-based, enterprise-level application managing all aspects of personal data including SAR and FOI requests (GDPR compliance including Legal Basis).Complete audit-able history of personal data, integrates into your infrastructure and offers self-service where individuals can directly access Cassie to manage their privacy settings & personal data 24/7.


  • Low cost secure enterprise personal information management platform, cloud based
  • Enterprise level scalability and future proofing, Multilingual and Multi-Brand
  • Can absorb historic personal data & preferences, configurable business rules
  • Can connect to multiple online platforms gathering data & preferences
  • API, widget & push technology to update host systems
  • Customisable and Configurable Consumer & Customer service preference portals
  • 3-way preference values, Preference Holidays and Granular Level Consent
  • Advanced data collection, form builder and data distribution
  • Cookie management, website scanner & security identification
  • SARS/Data Rights Management Modules


  • Protect IT investment by connecting to existing systems
  • Secure & fast to commission
  • Automatically scales to meet demand
  • Single point-of-truth for all personal data across the enterprise
  • Traceable forms/widgets gather preferences & managing data
  • Update systems with privacy changes in real-time or batch mode
  • Dedicated customer/consumer/stakeholder management portal
  • Ensures that ‘no response’ doesn’t result in unnecessary opt-outs
  • Configurable customer service interface for call centres & sales teams
  • Gather additional data directly into Cassie via widget or API


£500 to £4500 per licence per month

  • Education pricing available

Service documents


G-Cloud 11

Service ID

2 7 7 7 2 8 1 7 1 2 0 8 0 6 7


Syrenis Ltd

Glenn Jackson

+44 (0)1928 622302

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Any web based form.
Any CRM.
Any data warehouse.
Full API to connect to any system that supports connections.
Cloud deployment model
Private cloud
Service constraints
System requirements
The management portal is web based

User support

Email or online ticketing support
Email or online ticketing
Support response times
9am-5.30pm Monday-Friday 1 hour. Emergency support available out of hours by arrangement
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Service desk hours are 08:30am to 17:30pm however tickets can be raised electronically at any time. Contact details are: +44(0)1928 622-302 (Europe) or +1 (613) 801-0799 (USA/Canada). Service response times: P1 – 1hr P2 – 4hrs P3 – 8hrs Technical account management available at extra cost.
Support available to third parties

Onboarding and offboarding

Getting started
Account and project managers are assigned and an agreed project plan is created with timescales and key deliverables. Flow diagrams showing the full data audit and processing are also created at the beginning to help maintain an over view of the interaction between processes and systems.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
We will export as per instruction from the client, typically this would be a standard format using CSV text files delivered securely.
End-of-contract process
Any formatting (away from its native form) of the preference data and history that is required will be chargeable on a time basis. Also if any special delivery instructions are required this might incur a fee (such as secure manual delivery).

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The administration portal (manages options and configuration) needs a larger screen.
Service interface
Description of service interface
Web based portal for configuration of the platform.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
A regulatory body has worked with us to audit and confirm that our technology meets the standards above and also executes in real life situations.
What users can and can't do using the API
Almost everything can be done via the restful API. Full documentation is available on request.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Every customer journey is different. Cassie allows for complete customisation and configuration via the admin portal. Marketing resource can deliver customised forms, widgets and emails. Consent statements can be created quickly and easily within the portal. All external facing portals can be customised and configured to ensure that the experience of managing personal data and preferences feels familiar and seamless to your end users. All managed and controlled by you.


Independence of resources
We use independent secure instances and distribute tasks by type across a load balanced architecture.


Service usage metrics
Metrics types
Cassie has a comprehensive report suite that enables real time reports to be generated at any time. All reports can be saved and exported. In addition regular reports can be scheduled to be delivered via email to a distribution list of users.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export data if they have permission in either a PDF, CSV or Excel format.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
All data in encrypted at rest and user permissions are constantly reviewed.

Availability and resilience

Guaranteed availability
Measurement period: Month Target service level: 99.9% (no more than 43 minutes and 12 seconds downtime in 30 days) Minimum Service Level: 99% (no more than 7 hours and 12 minutes downtime in 30 days ) Service credits Licence value credit per day late in excess of Minimum Service Level
Approach to resilience
We have mirrored locations, services, storage and full redundancy. Details available by request.
Outage reporting
We use a range of external and internal service management systems to notify support staff via email and SMS to any outages.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Cassie users have individual permission profiles that control access. These are regularly reviewed and administrated by the client. User activity is also monitored and recorded. This is available to the client by specific request.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
Who accredited the ISO 28000:2007
EY Certify Point
ISO 28000:2007 accreditation date
December 15, 2017
What the ISO 28000:2007 doesn’t cover
All services are provided by Amazon Web Services
CSA STAR certification
CSA STAR accreditation date
31st March 2018
CSA STAR certification level
Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover
Services outside of AWS (Amazon Web Services)
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials Certified
  • Approval to Operate from the Home Office

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Approval to Operate from the Home Office. Cyber Essentials Certified
Information security policies and processes
Syrenis have a documented Information Security programme in place. The Information Security programme must maintain as a minimum a data flow diagram demonstrating the flow of information through our environment and descriptions of the technical and physical safeguards designed to protect Syrenis Ltd and/or Customer Information. Our Information Security programme includes a risk assessment, to determine the value and sensitivity of the information we hold, and the level of protection currently being applied to that information. This programme is reviewed on an annual basis. Any material changes to operations or business arrangements or other circumstances are assessed to see if they impact the Information Security Program and documentation is updated along with additional training if required. Syrenis only disclose information to those third parties whom are contractually bound to protect information in a manner consistent with the applicable privacy policies, limit the use of the information only for expressed purposes, and in accordance with the express implicit or explicit consent, unless a law or regulation specifically allows or requires otherwise.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We operate a change management system and a software version control capability that together allow us to manage technical changes to our products. Services are first tested in isolation, then incorporated into a Quality Assurance platform for user group acceptance testing, and then finally released onto Production once they have passed all these tests. We also operate a scheduled programme of penetration testing to scan for vulnerabilities. Finally as a backstop measure we take images of our environments before and after upgrades so we can quickly revert if problems are encountered.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We carry out a risk assessment and always err on the side of caution. We are part of the CISP alert community, and the Checkpoint Threat Cloud. Our environment consists of two types of intrusion prevention technology, and has anti-bot and anti-virus capability at the network layer. We also implement geo protections which block large ranges of IP addresses for countries that have no need to access our systems. Much of this gets automatically updated but we also manually apply patches as needed. Servers are usually patched within 7 days of patches being issued.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring is as follows: 1) Intrusion Prevention Monitoring – Servers have an IPS service running on them connected to a central dashboard warning us of hacking attempts, allowing us to take pre-emptive actions. 2) Firewall Monitoring – Our firewall is from a different technology vendor to the IPS used as part of our defence in depth approach. Alerts and Events are streamed in real-time to a monitoring station, critical events are then issued to staff. Server Monitoring - . This is via AWS Cloudwatch which issues alerts and caries out simple actions such as starting up additional capacity if required.
Incident management type
Supplier-defined controls
Incident management approach
We have a web based incident management tool that our customers can also access. It allows users to report incidents and provides Management Information to customers that need it. We review the incidents on a daily basis as a team and discuss every one so we can ensure a) someone is working on it and b) assess if there is a security element to the incident.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
Police National Network (PNN)


£500 to £4500 per licence per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑