Aetopia

Aetopia Police Digital Evidence Management (DEM)

Aetopia Police DEM provides a secure and easy-to-use software solution for Police Evidence Management. Critical digital evidence such as CCTV, body-worn video, images and documents can be centrally stored, classified and instantly shared on-line with 3rd parties, including the CPS, using the provided secure portal.

Features

  • Secure evidential asset upload to central storage
  • Fast and flexible searching
  • Automated, multilevel retention rules for enhanced compliance
  • Support any digital asset type (Video, Images, Audio, Documents)
  • Controlled sharing with external 3rd parties, CPS and HM Courts
  • Out of the box integration with the national DETS service
  • Completely browser-based with no plugins or downloads required
  • Connectors for body-worn cameras
  • Powerful access control rules, down to the asset level
  • MI reports show how and when shared evidence is accessed

Benefits

  • Improved security and control of digital evidence
  • Easier legal and regulatory compliance, especially retention, to MOPI standards
  • Huge manpower and travel cost savings via on-line sharing portal
  • Promotes consistency and accuracy in the cataloguing of digital evidence
  • More efficient collaboration with CPS via on-line sharing
  • Real-time management reporting on the use of digital evidence
  • Saves Police users' time for form-filling, e.g. MG0 MME
  • Reduced outlay on consumables, e.g. USB drives and DVDs

Pricing

£25 per unit per month

Service documents

Framework

G-Cloud 11

Service ID

328113294571592

Contact

Aetopia

Stephen McAreavey

02890998767

tenders@aetopia.com

Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints Private cloud deployments may be subject to specific hardware and software pre-requisites.
System requirements
  • Must use a supported web browser
  • Server-side Java is required, though open source options are supported

User support

Email or online ticketing support Email or online ticketing
Support response times Response during UK business hours is within one hour.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide technical support for all aspects of our DEM solution. This is normally 3rd line support - we expect customers to nominate support representatives and provide a 1st line service (e.g. ICT helpdesk) to their internal users. Triage training to ICT helpdesk operatives will be provided.

All of our pricing includes telephone and email support during UK business hours. Extended support (7.00am to 8.30am and 5.30pm to 10pm) can be provided for a reasonable extra cost.

All customers have access to cloud support engineers via the Aetopia helpdesk. Larger customers will be allocated a dedicated technical account manager.
Support available to third parties Yes

Onboarding and offboarding

Getting started Aetopia provides a full suite of training options. These include:

- Onsite end-user training, including training exercises and product documentation
- Onsite 'train the trainer' sessions
- Web-based remote training
- Training videos
- Tailored product documentation, on-line and downloadable versions
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction If the service is provided on Public Cloud, Aetopia will assist customers to extract their data in the safest and easiest possible manner for them. The exact method used will depend on the total size and complexity of the data held. Possible options are:

1) Media files and database data are downloaded to an encrypted hard drive which is then couriered to the customer.
2) Customer self-downloads their data using the DEM application.
3) Data is securely copied across the internet to an alternate location which is owned by the customer.

Regardless of the exact method used, Aetopia will assist at every step of the way, and after validation that the data has been successfully returned to the customer, we will destroy all other copies of the data held.
End-of-contract process Advice and assistance of up to 8 hours are provided as part of the end-of-contract process.

Additional assistance may be chargeable at our daily rate. Most cloud providers impose data transfer charges and these may be passed onto the customer.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None - the desktop service uses a responsive design application that resizes intelligently for mobile device screens. Some administration functions may not yet support responsive design, though the number of these exceptions is gradually being reduced in product releases.
Service interface No
API Yes
What users can and can't do using the API All major system user functions such as add digital evidence and metadata, search, edit, download, resize etc. are also available via our REST / JSON API.

Some administrator functions may not yet be available through the API.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available No

Scaling

Independence of resources Aetopia DEM's modern n-tier architecture scales predictably to meet the needs of users and is proven to work in a UK policing environment. Our cloud hosting environment has essentially unlimited compute and storage resources available. Whether delivered in public or private, Aetopia can accurately monitor system performance to ensure that the user experience is not compromised.

Most customer environments are in dedicated Docker containers and can be effectively scaled or moved as part of effective demand management.

Analytics

Service usage metrics Yes
Metrics types A reporting dashboard which shows various metrics including user logins, dormant users, asset downloads, evidence expiry, search terms with results, search terms without results, top asset downloads, used storage space, total asset uploaded. All of the metrics can also be downloaded in spreadsheet format. Dashboards can be scheduled for delivery via email on a regular basis.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Aetopia DEM offers a number of methods for this.

1) Using the provided functions in the user web application, i.e. download media and export data into a spreadsheet format. These are delivered to the user's browser.

2) Using the provided function to request media files which are then made available via a download link.

3) Using our API to export media and/or metadata in JSON or CSV format.

4) Via a request to Aetopia's support helpdesk, who can export data in bulk using cloud and database utilities.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • Excel (.XLSX)
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • Excel (.XLSX)

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Aetopia can commit to 99.9% availability. Users may be refunded via a reduced subscription fee should this level be breached.
Approach to resilience Through the use of multiple techniques: highly-redundant storage, compute clusters, and digital checksums to verify the handoff of assets between storage locations. Full details are available on request.
Outage reporting Email alerts using our built-in notification service.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Aetopia manages its cloud servers with the following tools:

Secure Shell (SSH) - all console access to servers is over encrypted SSH channels. SSH key-based access means that our staff are issued with encrypted keys rather than usernames and passwords for the servers. A user’s key must already exist on the server before they can access it. These keys are issued on a needs-only and time-limited basis.

Application administrative tasks are carried out using the administration screens provided in the software - as per all web application access, these screens are encrypted using an SSL/TLS certificate configured with strong ciphers.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Exova BM TRADA
ISO/IEC 27001 accreditation date 1 May 2018
What the ISO/IEC 27001 doesn’t cover The scope of the certificate is "The design, deployment and support of software, platforms and hosted services."
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our approach to information security is governed by our ISO27001:2013 Information Security Management System (ISMS). This takes a goal-based and risk-centric approach to information security, where all identified risks are subject to evaluation and appropriate controls are applied to them.

To ensure compliance with ISMS policies, staff awareness is key, and we hold regular training and discussion sessions. Compliance auditing is built into the process and provides assurance that policies are being followed. The ISMS policy owner is the Aetopia Commercial Director.

Aetopia is also a Cyber Essentials certified company.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Aetopia's approach is governed by our ISO27001:2013 ISMS Change Management policy - brief summary:

Changes will be reviewed and approval given based upon the potential risks, benefits, effort required and urgency of the change.
The change will be scheduled, and if necessary communicated to anyone who may be affected.
Once the change is carried out, appropriate testing will be conducted (and documented) to ensure stability has not been impacted.
For urgent or critical changes (for example, a security breach), the changes can be applied first and subsequently documented.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our ISMS puts great emphasis on staff training and awareness, and especially the adoption of secure coding practices using resources from InfoSec special interest groups such as OWASP, Krebs on Security, the Internet Storm Centre and the National Cyber Security Centre (NCSC). Bulletins and advisories from these sources are frequently distributed to all staff, who are encouraged to discuss and learn from them.

External security testing, such as vulnerability scans and penetration testing, is part of our regular testing framework. Security patches are given top priority and are often deployed within 24 hours of a vulnerability being identified.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our ISO27001:2013 ISMS includes an audited monitoring process whereby server and application log files are regularly scanned to identify evidence of unauthorised access.

Any potential compromise or incident is subject to our ISMS Incident Management process which is given maximum priority in the company. Response to incidents tends to be immediate.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Aetopia manages information security incidents as per its ISMS Incident Management Policy - where an Information Security Incident has occurred (or is suspected) the following process MUST be followed.

Incidents are reported to a member of the Management Team as quickly as possible, and the report should provide as much information as possible. Customer-reported incidents can be reported using the support helpdesk.

Once investigations have been concluded, a customer report should be prepared detailing everything that happened and the steps that were taken to mitigate the Incident at the time, and recording any possible corrective actions which may be recommended to prevent a recurrence.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks Police National Network (PNN)

Pricing

Price £25 per unit per month
Discount for educational organisations No
Free trial available No
