Aetopia Police Digital Evidence Management (DEM)

Aetopia Police DEM provides a secure and easy to use software solution for Police Evidence Management. Critical digital evidence such as CCTV, body-worn video, images, documents can be centrally stored, classified and instantly shared on-line with 3rd parties including the CPS using the provided secure portal.


  • Secure evidential asset upload to central storage
  • Fast and flexible searching
  • Automated, multilevel retention rules for enhanced compliance
  • Support any digital asset type (Video, Images, Audio, Documents)
  • Controlled sharing with external 3rd parties, CPS and HM Courts
  • Out of the box integration with the national DETS service
  • Completely browser-based with no plugins or downloads required
  • Connectors for body-worn cameras
  • Powerful access control rules, down to the asset level
  • MI reports show how and when shared evidence is accessed


  • Improved security and control of digital evidence
  • Easier legal and regulatory compliance, especially retention, to MOPI standards
  • Huge manpower and travel cost savings via on-line sharing portal
  • Promotes consistency and accuracy in the cataloguing of digital evidence
  • More efficient collaboration with CPS via on-line sharing
  • Real-time management reporting on the use of digital evidence
  • Saves Police users' time for form-filling, e.g. MG0 MME
  • Reduced outlay on consumables, e.g. USB drives and DVDs


£25 per unit per month

Service documents


G-Cloud 11

Service ID

3 2 8 1 1 3 2 9 4 5 7 1 5 9 2



Stephen McAreavey


Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
Private cloud deployments may be subject to specific hardware and software pre-requisites.
System requirements
  • Must use a supported web browser
  • Server-side Java is required, though open source options are supported

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response during UK business hours is within one hour.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide technical support for all aspects of our DEM solution. This is normally 3rd line support - we expect customers to nominate support representatives and provide a 1st line service (e.g. ICT helpdesk) to their internal users. Triage training to ICT helpdesk operatives will be provided.

All of our pricing include telephone and email support during UK business hours. Extended support (7.00am to 8.30am and 5.30pm to 10pm) can be provided for a reasonable extra cost.

All customers have access to cloud support engineers via the Aetopia helpdesk. Larger customers will be allocated a dedicated technical account manager.
Support available to third parties

Onboarding and offboarding

Getting started
Aetopia provides a full suite of training options. These include:

- Onsite end-user training, including training exercises and product documentation
- Onsite 'train the trainer' sessions
- Web-based remote training
- Training videos
- Tailored product documentation, on-line and downloadable versions
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
If the service is provided on Public Cloud, Aetopia will assist customers to extract their data in the safest and easiest possible manner for them. The exact method used will depend on the total size and complexity of the data held. Possible options are:

1) Media files and database data are downloaded to an encrypted hard drive which is then couriered to the customer.
2) Customer self-downloads their data using the DEM application.
3) Data is securely copied across the internet to an alternate location which is owned by the customer.

Regardless of the exact method used, Aetopia will assist at every step of the way, and after validation that the data has been successfully returned to the customer, we will destroy all other copies of the data held.
End-of-contract process
Advice and assistance of up to 8 hours are provided as part of the end-of-contract process.

Additional assistance may be chargeable at our daily rate. Most cloud providers impose data transfer charges and these may be passed onto the customer.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
None - the desktop service uses a responsive design application that resizes intelligently for mobile device screens. Some administration functions may not yet support responsive design, though the number of these exceptions are gradually being reduced in product releases.
Service interface
What users can and can't do using the API
All major system user functions such as add digital evidence and metadata, search, edit, download, resize etc. are also available via our REST / JSON API.

Some administrator functions may not be yet available through the API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
Aetopia DEM's modern n-tier architecture scales predictably to meet the needs of users and is proven to work in a UK policing environment. Our cloud hosting environment has essentially unlimited compute and storage resources available. Whether delivered in public or private, Aetopia can accurately monitor system performance to ensure that the user experience is not compromised.

Most customer environments are in dedicated Docker containers and can be effectively scaled or moved as part of effective demand management.


Service usage metrics
Metrics types
A reporting dashboard which shows various metrics including user logins, dormant users, asset downloads, evidence expiry, search terms with results, search terms without results, top asset downloads, used storage space, total asset uploaded. All of the metrics can also be downloaded in spreadsheet format. Dashboards can be scheduled for delivery via email on a regular basis.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Aetopia DEM offers a number of methods for this.

1) Using the provided functions in the user web application, i.e. download media and export data into a spreadsheet format. These are delivered to the user's browser.

2) Using the provided function to request media files which are then made available via a download link.

3) Using our API to export media and/or metadata in JSON or CSV format.

4) Via a request to Aetopia's support helpdesk, who can export data in bulk using cloud and database utilities.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • Excel (.XLSX)
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • Excel (.XLSX)

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Aetopia can commit to 99.9% availability. Users may be refunded via a reduced subscription fee should this level be breached.
Approach to resilience
Through the use of multiple techniques: highly-redundant storage, compute clusters, and digital checksums to verify the handoff of assets between storage locations, Full details are available on request.
Outage reporting
Email alerts using our built-in notification service.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Aetopia manages its cloud servers with the following tools:

Secure Shell (SSH) - all console access to servers is over encrypted SSH channels. SSH key-based access means that our staff are issued with encrypted keys rather than username and passwords for the servers. A user’s key must already exist on the server before they can access it. These keys are issued on a needs-only and time-limited basis.

Application administrative tasks are carried out using the administration screens provided in the software - as per all web application access, these screens are encrypted using a SSL/TLS certificate configured with strong ciphers.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
1 May 2018
What the ISO/IEC 27001 doesn’t cover
The scope of the certificate is "The design, deployment and support of software, platforms and hosted services."
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our approach to information security is governed by our ISO27001:2013 Information Security Management System (ISMS). This takes a goal-based and risk-centric approach to information security, where all identified risks are subject to evaluation and appropriate controls are applied to them.

To ensure compliance with ISMS policies, staff awareness is key, and we hold regular training and discussion sessions. Compliance auditing is built into the process and provides assurance that policies are being followed. The ISMS policy owner is the Aetopia Commercial Director.

Aetopia is also a Cyber Essentials certified company.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Aetopia's approach is governed by our ISO27001:2013 ISMS Change Management policy - brief summary:

Changes will be reviewed and approval given based upon the potential risks, benefits, effort required and urgency of the change.
The change will be scheduled, and if necessary communicated to anyone who may be affected.
Once the change is carried out, appropriate testing will be conducted (and documented) to ensure stability has not been impacted.
For urgent or critical changes, (for example, a security breach) the changes can be applied first and subsequently documented.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our ISMS puts great emphasis on staff training and awareness, and especially the adoption of secure coding practices using resources from InfoSec special interest groups such as OWASP, Krebs on Security, the Internet Storm Centre and the National Cyber Security Centre (NCSC). Bulletins and advisories from these sources are frequently distributed to all staff, who are encouraged to discuss and learn from them.

External security testing, such as vulnerability scans and penetration testing is part of our regular testing framework. Security patches are given top priority and are often deployed with 24 hours of a vulnerability being identified.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our ISO27001:2013 ISMS includes an audited monitoring process whereby server and application log files are regularly scanned to identify evidence of unauthorised access.

Any potential compromise or incident is subject to our ISMS Incident Management process which is given maximum priority in the company. Response to incidents tends to be immediate.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Aetopia manages information security incidents as per its ISMS Incident Management Policy - where an Information Security Incident has occurred (or is suspected) the following process MUST be followed.

Incidents are reported to a member of the Management Team as quickly as possible, and should provide as much information as possible. Customer-reported incidents can be reported using the support helpdesk.

Once investigations have been concluded, a customer report should be prepared detailing everything that happened, steps that were taken to mitigate the Incident at the time, and record any possible corrective actions which may be recommended to prevent a recurrence.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
Police National Network (PNN)


£25 per unit per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑