pam enables success in local, multi-agency, cross-county, regional and national work. It is trusted, secure, cloud based software ideal for agencies fighting serious organised crime, protecting vulnerable people, and solving other complex collaboration or sensitive information sharing issues.


  • Serious Organised Crime 4P's OCG management risk response result
  • Protecting vulnerable people, multi-agency safeguarding, MASH referral tracking
  • Evidence based results, audit trails, compliance, governance, information sharing
  • Collaboration, tasks, version control document management, discussions, notes, measurement
  • Change management, project management, case management, information security, partnering
  • Single agency, multi agency, cross county lines solutions
  • Configurable workspaces private areas with specialist decision support tools
  • Strategic and operational working for individuals, teams through to enterprise
  • Information Security Management System (ISMS) delivered securely by cloud
  • Performance reporting and analytics


  • Work across organisational boundaries easily and safely
  • Work from anywhere, home, office, mobile, partner agency
  • All your work in one place unlike other collaboration tools
  • Secure accredited cloud service you and your partners can trust
  • Fast to adopt and easy to use, flexible user management
  • Easy to add, remove and change services
  • Excellent service support with experienced adoption service
  • Proven solutions and features built with customers
  • Lower total cost and risk than alternatives and substitutes
  • High quality service delivered by employee owners without large overheads


£600 per instance per month

  • Free trial available

Service documents

G-Cloud 11



Public Service Team

01273 041 042

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Community cloud
Service constraints N/A
System requirements
  • Access to an appropriate government network (eg: PSN, PSN-P, CJX)
  • Modern Web browser

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We respond within 24 hours to tickets raised via email or online
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard SLA support is included within the subscription licence for the cloud service. That includes first line administrator support, second line telephone and email support as well as third line detailed technical support. We are not obliged to provide end user first line support but regularly do it as a goodwill gesture for clients if calls do come in. The service is very easy to use and requires little support but if required we can also provide onsite support and coaching by exception which is outlined in the SFIA rate card.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We have an easy start process that includes:
1 planning adoption call if required (for more sizeable procurements)
2 - automated services set up - ie preconfiguration to make the start almost frictionless
3 - customised online welcome messages for users
4 - online help and tours
5 - adoption guides and online training where required
6 - check in services by the customer account manager
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Users do not need to wait until their contract ends, they can extract their data at any time. Extraction can be done in numerous ways:
- printing and downloading of information in recognised file form in line with any uploads made on the platform
- automated report/export by workspace area
- full export of customer information in one or more recognisable formats (subject to approval with the customer administrator to prevent unauthorised full data extraction)
End-of-contract process Customers can simply remove any information they want in line with our easy off processes, or we can do it for them if they have non standard needs. If we do it for them to meet specific exit requirements beyond our standard process then there may be a small cost which is always proportionate to the work requested and agreed with the customer in advance based on the SFIA rate table. There is a professional exit process well established in line with our UKAS accredited ISO 27001:2013 to ensure the customer has a good exit experience and all data is securely disposed of at the time agreed.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface No
Customisation available Yes
Description of customisation The service can be customised at two levels:
1 Organisation - by a system administrator. This includes various aspects of the service including security settings, special categories of work for the whole organisation to follow e.g. account settings.
2 User - by the end user themselves to adapt everything from their home page work to very detailed customisation of work areas, categories, workflows etc


Independence of resources Our capacity monitoring has alerting for CPU, Memory and Disk Space. We have measures in place to scale the capacity of an individual server, or to add in additional load-balanced application servers within minutes to cope with changes in demand


Service usage metrics Yes
Metrics types Organisation usage, performance against goals, user activity, workspace activity, log ons, work history and updates, integrated and automated reporting within customer specific reporting environments as well as by separate specific requests the provision of metrics and information through API reporting
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach By clicking a button that says export.
Data export formats
  • CSV
  • Other
Other data export formats Microsoft Office formats
Data import formats
  • CSV
  • Other
Other data import formats Microsoft Office

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Pam is a web based business application generally available 24x7x365, with expected availability of 99.5% in any one month except for scheduled maintenance (scheduled outside of normal Business Hours) or for reasons beyond our control.

We do not contractually offer service credits in response to downtime.
Approach to resilience Pam is served via a resilient load balancing pair which distribute traffic across multiple application servers and backed by a primary/backup database system with real time synchronisation of data to allow for fail over within the primary DC in case of primary database server failure.
The data base is also synchronised to a standby instance of the application located in a geographically separated (100KM+) secondary DC, so that in the case of catastrophic failure of the primary DC, the secondary DC will take over serving of the application.
Outage reporting Email alerts, calls to key customer contacts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Access to management interfaces and support channels requires (depending on system)
- a separate user account
- additional password strength requirements
- 2FA
- IP address whitelisting
- Dedicated VPN link
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 UKAS
ISO/IEC 27001 accreditation date 24/09/2018
What the ISO/IEC 27001 doesn’t cover Nothing - the organisation and the applications being delivered are covered. Our infrastructure critical supply chain providers are also certified too,
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • PSN certification for delivery over the secure government networks
  • Cyber Essentials certification
  • Compliance with Cloud Security Principles
  • Compliance with ISO 27017
  • Compliance with ISO 27018
  • Held and still practice to the original pan govt accreditation

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Also working in line with ISO 27017 and towards ISO 27018.
We operate in line with EU GDPR and have Privacy Impact Assessments, Subject Access Requests and follow the 120 activities from 7 checklists endorsed by the Information Commissioner's Office.
Have PSN certification.
Have Cyber Essentials.
Information security policies and processes We have a fully UKAS certified ISO 27001:2013 that also includes complementary capabilities for our ISMS. We follow all the security policies and controls based on our Statement of Applicability.
The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also Operations Director and includes the CEO and CTO. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our secure development, change management, testing and asset management polices are available on request as part of our ISO 27001 accredited information security management system
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic.

We respond with; isolation of potentially affected servers, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences.

Real time monitoring takes place with immediate response for suspicious alerts, dashboards highlight abnormal patterns that may not trigger alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our incident management processes are accredited by UKAS certification and follow ISO 27001: 2013 Annex A 16. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.
Our processes follow EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)


Price £600 per instance per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Trials can be granted based on a qualified need, clear success criteria and understanding that a budget exists in the event that a trial proves successful.

Some trials may be chargeable with a credit being applied to the account in the event of ongoing use through a longer term contract.

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑