pam enables success in local, multi-agency, cross-county, regional and national work. It is trusted, secure, cloud based software ideal for agencies fighting serious organised crime, protecting vulnerable people, and solving other complex collaboration or sensitive information sharing issues.


  • Serious Organised Crime 4P's OCG management risk response result
  • Protecting vulnerable people, multi-agency safeguarding, MASH referral tracking
  • Evidence based results, audit trails, compliance, governance, information sharing
  • Collaboration, tasks, version control document management, discussions, notes, measurement
  • Change management, project management, case management, information security, partnering
  • Single agency, multi agency, cross county lines solutions
  • Configurable workspaces private areas with specialist decision support tools
  • Strategic and operational working for individuals, teams through to enterprise
  • Information Security Management System (ISMS) delivered securely by cloud
  • Performance reporting and analytics


  • Work across organisational boundaries easily and safely
  • Work from anywhere, home, office, mobile, partner agency
  • All your work in one place unlike other collaboration tools
  • Secure accredited cloud service you and your partners can trust
  • Fast to adopt and easy to use, flexible user management
  • Easy to add, remove and change services
  • Excellent service support with experienced adoption service
  • Proven solutions and features built with customers
  • Lower total cost and risk than alternatives and substitutes
  • High quality service delivered by employee owners without large overheads


£600 per instance per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

3 4 0 9 8 6 4 1 5 4 8 0 8 0 7



Public Service Team

01273 041 042

Service scope

Software add-on or extension
Cloud deployment model
Community cloud
Service constraints
System requirements
  • Access to an appropriate government network (eg: PSN, PSN-P, CJX)
  • Modern Web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
We respond within 24 hours to tickets raised via email or online
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard SLA support is included within the subscription licence for the cloud service. That includes first line administrator support, second line telephone and email support as well as third line detailed technical support. We are not obliged to provide end user first line support but regularly do it as a goodwill gesture for clients if calls do come in. The service is very easy to use and requires little support but if required we can also provide onsite support and coaching by exception which is outlined in the SFIA rate card.
Support available to third parties

Onboarding and offboarding

Getting started
We have an easy start process that includes:
1 planning adoption call if required (for more sizeable procurements)
2 - automated services set up - ie preconfiguration to make the start almost frictionless
3 - customised online welcome messages for users
4 - online help and tours
5 - adoption guides and online training where required
6 - check in services by the customer account manager
Service documentation
Documentation formats
End-of-contract data extraction
Users do not need to wait until their contract ends, they can extract their data at any time. Extraction can be done in numerous ways:
- printing and downloading of information in recognised file form in line with any uploads made on the platform
- automated report/export by workspace area
- full export of customer information in one or more recognisable formats (subject to approval with the customer administrator to prevent unauthorised full data extraction)
End-of-contract process
Customers can simply remove any information they want in line with our easy off processes, or we can do it for them if they have non standard needs. If we do it for them to meet specific exit requirements beyond our standard process then there may be a small cost which is always proportionate to the work requested and agreed with the customer in advance based on the SFIA rate table. There is a professional exit process well established in line with our UKAS accredited ISO 27001:2013 to ensure the customer has a good exit experience and all data is securely disposed of at the time agreed.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
Customisation available
Description of customisation
The service can be customised at two levels:
1 Organisation - by a system administrator. This includes various aspects of the service including security settings, special categories of work for the whole organisation to follow e.g. account settings.
2 User - by the end user themselves to adapt everything from their home page work to very detailed customisation of work areas, categories, workflows etc


Independence of resources
Our capacity monitoring has alerting for CPU, Memory and Disk Space. We have measures in place to scale the capacity of an individual server, or to add in additional load-balanced application servers within minutes to cope with changes in demand


Service usage metrics
Metrics types
Organisation usage, performance against goals, user activity, workspace activity, log ons, work history and updates, integrated and automated reporting within customer specific reporting environments as well as by separate specific requests the provision of metrics and information through API reporting
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
By clicking a button that says export.
Data export formats
  • CSV
  • Other
Other data export formats
Microsoft Office formats
Data import formats
  • CSV
  • Other
Other data import formats
Microsoft Office

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Pam is a web based business application generally available 24x7x365, with expected availability of 99.5% in any one month except for scheduled maintenance (scheduled outside of normal Business Hours) or for reasons beyond our control.

We do not contractually offer service credits in response to downtime.
Approach to resilience
Pam is served via a resilient load balancing pair which distribute traffic across multiple application servers and backed by a primary/backup database system with real time synchronisation of data to allow for fail over within the primary DC in case of primary database server failure.
The data base is also synchronised to a standby instance of the application located in a geographically separated (100KM+) secondary DC, so that in the case of catastrophic failure of the primary DC, the secondary DC will take over serving of the application.
Outage reporting
Email alerts, calls to key customer contacts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces and support channels requires (depending on system)
- a separate user account
- additional password strength requirements
- 2FA
- IP address whitelisting
- Dedicated VPN link
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Nothing - the organisation and the applications being delivered are covered. Our infrastructure critical supply chain providers are also certified too,
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • PSN certification for delivery over the secure government networks
  • Cyber Essentials certification
  • Compliance with Cloud Security Principles
  • Compliance with ISO 27017
  • Compliance with ISO 27018
  • Held and still practice to the original pan govt accreditation

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Also working in line with ISO 27017 and towards ISO 27018.
We operate in line with EU GDPR and have Privacy Impact Assessments, Subject Access Requests and follow the 120 activities from 7 checklists endorsed by the Information Commissioner's Office.
Have PSN certification.
Have Cyber Essentials.
Information security policies and processes
We have a fully UKAS certified ISO 27001:2013 that also includes complementary capabilities for our ISMS. We follow all the security policies and controls based on our Statement of Applicability.
The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also Operations Director and includes the CEO and CTO. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our secure development, change management, testing and asset management polices are available on request as part of our ISO 27001 accredited information security management system
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic.

We respond with; isolation of potentially affected servers, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences.

Real time monitoring takes place with immediate response for suspicious alerts, dashboards highlight abnormal patterns that may not trigger alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident management processes are accredited by UKAS certification and follow ISO 27001: 2013 Annex A 16. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.
Our processes follow EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)


£600 per instance per month
Discount for educational organisations
Free trial available
Description of free trial
Trials can be granted based on a qualified need, clear success criteria and understanding that a budget exists in the event that a trial proves successful.

Some trials may be chargeable with a credit being applied to the account in the event of ongoing use through a longer term contract.

Service documents

Return to top ↑