Aetopia Police Digital Evidence Management (DEM)
Aetopia Police DEM provides a secure and easy to use software solution for Police Evidence Management. Critical digital evidence such as CCTV, body-worn video, images, documents can be centrally stored, classified and instantly shared on-line with 3rd parties including the CPS using the provided secure portal.
- Secure evidential asset upload to central storage
- Fast and flexible searching
- Automated, multilevel retention rules for enhanced compliance
- Support any digital asset type (Video, Images, Audio, Documents)
- Controlled sharing with external 3rd parties, CPS and HM Courts
- Out of the box integration with the national DETS service
- Completely browser-based with no plugins or downloads required
- Connectors for body-worn cameras
- Powerful access control rules, down to the asset level
- MI reports show how and when shared evidence is accessed
- Improved security and control of digital evidence
- Easier legal and regulatory compliance, especially retention, to MOPI standards
- Huge manpower and travel cost savings via on-line sharing portal
- Promotes consistency and accuracy in the cataloguing of digital evidence
- More efficient collaboration with CPS via on-line sharing
- Real-time management reporting on the use of digital evidence
- Saves Police users' time for form-filling, e.g. MG0 MME
- Reduced outlay on consumables, e.g. USB drives and DVDs
£25 per unit per month
3 2 8 1 1 3 2 9 4 5 7 1 5 9 2
|Software add-on or extension||No|
|Cloud deployment model||
|Service constraints||Private cloud deployments may be subject to specific hardware and software pre-requisites.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Response during UK business hours is within one hour.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
We provide technical support for all aspects of our DEM solution. This is normally 3rd line support - we expect customers to nominate support representatives and provide a 1st line service (e.g. ICT helpdesk) to their internal users. Triage training to ICT helpdesk operatives will be provided.
All of our pricing include telephone and email support during UK business hours. Extended support (7.00am to 8.30am and 5.30pm to 10pm) can be provided for a reasonable extra cost.
All customers have access to cloud support engineers via the Aetopia helpdesk. Larger customers will be allocated a dedicated technical account manager.
|Support available to third parties||Yes|
Onboarding and offboarding
Aetopia provides a full suite of training options. These include:
- Onsite end-user training, including training exercises and product documentation
- Onsite 'train the trainer' sessions
- Web-based remote training
- Training videos
- Tailored product documentation, on-line and downloadable versions
|End-of-contract data extraction||
If the service is provided on Public Cloud, Aetopia will assist customers to extract their data in the safest and easiest possible manner for them. The exact method used will depend on the total size and complexity of the data held. Possible options are:
1) Media files and database data are downloaded to an encrypted hard drive which is then couriered to the customer.
2) Customer self-downloads their data using the DEM application.
3) Data is securely copied across the internet to an alternate location which is owned by the customer.
Regardless of the exact method used, Aetopia will assist at every step of the way, and after validation that the data has been successfully returned to the customer, we will destroy all other copies of the data held.
Advice and assistance of up to 8 hours are provided as part of the end-of-contract process.
Additional assistance may be chargeable at our daily rate. Most cloud providers impose data transfer charges and these may be passed onto the customer.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None - the desktop service uses a responsive design application that resizes intelligently for mobile device screens. Some administration functions may not yet support responsive design, though the number of these exceptions are gradually being reduced in product releases.|
|What users can and can't do using the API||
All major system user functions such as add digital evidence and metadata, search, edit, download, resize etc. are also available via our REST / JSON API.
Some administrator functions may not be yet available through the API.
|API documentation formats|
|API sandbox or test environment||Yes|
|Independence of resources||
Aetopia DEM's modern n-tier architecture scales predictably to meet the needs of users and is proven to work in a UK policing environment. Our cloud hosting environment has essentially unlimited compute and storage resources available. Whether delivered in public or private, Aetopia can accurately monitor system performance to ensure that the user experience is not compromised.
Most customer environments are in dedicated Docker containers and can be effectively scaled or moved as part of effective demand management.
|Service usage metrics||Yes|
|Metrics types||A reporting dashboard which shows various metrics including user logins, dormant users, asset downloads, evidence expiry, search terms with results, search terms without results, top asset downloads, used storage space, total asset uploaded. All of the metrics can also be downloaded in spreadsheet format. Dashboards can be scheduled for delivery via email on a regular basis.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Aetopia DEM offers a number of methods for this.
1) Using the provided functions in the user web application, i.e. download media and export data into a spreadsheet format. These are delivered to the user's browser.
2) Using the provided function to request media files which are then made available via a download link.
3) Using our API to export media and/or metadata in JSON or CSV format.
4) Via a request to Aetopia's support helpdesk, who can export data in bulk using cloud and database utilities.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Aetopia can commit to 99.9% availability. Users may be refunded via a reduced subscription fee should this level be breached.|
|Approach to resilience||Through the use of multiple techniques: highly-redundant storage, compute clusters, and digital checksums to verify the handoff of assets between storage locations, Full details are available on request.|
|Outage reporting||Email alerts using our built-in notification service.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Aetopia manages its cloud servers with the following tools:
Secure Shell (SSH) - all console access to servers is over encrypted SSH channels. SSH key-based access means that our staff are issued with encrypted keys rather than username and passwords for the servers. A user’s key must already exist on the server before they can access it. These keys are issued on a needs-only and time-limited basis.
Application administrative tasks are carried out using the administration screens provided in the software - as per all web application access, these screens are encrypted using a SSL/TLS certificate configured with strong ciphers.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Exova BM TRADA|
|ISO/IEC 27001 accreditation date||1 May 2018|
|What the ISO/IEC 27001 doesn’t cover||The scope of the certificate is "The design, deployment and support of software, platforms and hosted services."|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our approach to information security is governed by our ISO27001:2013 Information Security Management System (ISMS). This takes a goal-based and risk-centric approach to information security, where all identified risks are subject to evaluation and appropriate controls are applied to them.
To ensure compliance with ISMS policies, staff awareness is key, and we hold regular training and discussion sessions. Compliance auditing is built into the process and provides assurance that policies are being followed. The ISMS policy owner is the Aetopia Commercial Director.
Aetopia is also a Cyber Essentials certified company.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
Aetopia's approach is governed by our ISO27001:2013 ISMS Change Management policy - brief summary:
Changes will be reviewed and approval given based upon the potential risks, benefits, effort required and urgency of the change.
The change will be scheduled, and if necessary communicated to anyone who may be affected.
Once the change is carried out, appropriate testing will be conducted (and documented) to ensure stability has not been impacted.
For urgent or critical changes, (for example, a security breach) the changes can be applied first and subsequently documented.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Our ISMS puts great emphasis on staff training and awareness, and especially the adoption of secure coding practices using resources from InfoSec special interest groups such as OWASP, Krebs on Security, the Internet Storm Centre and the National Cyber Security Centre (NCSC). Bulletins and advisories from these sources are frequently distributed to all staff, who are encouraged to discuss and learn from them.
External security testing, such as vulnerability scans and penetration testing is part of our regular testing framework. Security patches are given top priority and are often deployed with 24 hours of a vulnerability being identified.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Our ISO27001:2013 ISMS includes an audited monitoring process whereby server and application log files are regularly scanned to identify evidence of unauthorised access.
Any potential compromise or incident is subject to our ISMS Incident Management process which is given maximum priority in the company. Response to incidents tends to be immediate.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Aetopia manages information security incidents as per its ISMS Incident Management Policy - where an Information Security Incident has occurred (or is suspected) the following process MUST be followed.
Incidents are reported to a member of the Management Team as quickly as possible, and should provide as much information as possible. Customer-reported incidents can be reported using the support helpdesk.
Once investigations have been concluded, a customer report should be prepared detailing everything that happened, steps that were taken to mitigate the Incident at the time, and record any possible corrective actions which may be recommended to prevent a recurrence.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||Police National Network (PNN)|
|Price||£25 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|