pam enables success in local, multi-agency, cross-county, regional and national work. It is trusted, secure, cloud based software ideal for agencies fighting serious organised crime, protecting vulnerable people, and solving other complex collaboration or sensitive information sharing issues.
- Serious Organised Crime 4P's OCG management risk response result
- Protecting vulnerable people, multi-agency safeguarding, MASH referral tracking
- Evidence based results, audit trails, compliance, governance, information sharing
- Collaboration, tasks, version control document management, discussions, notes, measurement
- Change management, project management, case management, information security, partnering
- Single agency, multi agency, cross county lines solutions
- Configurable workspaces private areas with specialist decision support tools
- Strategic and operational working for individuals, teams through to enterprise
- Information Security Management System (ISMS) delivered securely by cloud
- Performance reporting and analytics
- Work across organisational boundaries easily and safely
- Work from anywhere, home, office, mobile, partner agency
- All your work in one place unlike other collaboration tools
- Secure accredited cloud service you and your partners can trust
- Fast to adopt and easy to use, flexible user management
- Easy to add, remove and change services
- Excellent service support with experienced adoption service
- Proven solutions and features built with customers
- Lower total cost and risk than alternatives and substitutes
- High quality service delivered by employee owners without large overheads
£600 per instance per month
- Free trial available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
Public Service Team
01273 041 042
|Software add-on or extension||No|
|Cloud deployment model||Community cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||We respond within 24 hours to tickets raised via email or online|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Standard SLA support is included within the subscription licence for the cloud service. That includes first line administrator support, second line telephone and email support as well as third line detailed technical support. We are not obliged to provide end user first line support but regularly do it as a goodwill gesture for clients if calls do come in. The service is very easy to use and requires little support but if required we can also provide onsite support and coaching by exception which is outlined in the SFIA rate card.|
|Support available to third parties||Yes|
Onboarding and offboarding
We have an easy start process that includes:
1 planning adoption call if required (for more sizeable procurements)
2 - automated services set up - ie preconfiguration to make the start almost frictionless
3 - customised online welcome messages for users
4 - online help and tours
5 - adoption guides and online training where required
6 - check in services by the customer account manager
|End-of-contract data extraction||
Users do not need to wait until their contract ends, they can extract their data at any time. Extraction can be done in numerous ways:
- printing and downloading of information in recognised file form in line with any uploads made on the platform
- automated report/export by workspace area
- full export of customer information in one or more recognisable formats (subject to approval with the customer administrator to prevent unauthorised full data extraction)
|End-of-contract process||Customers can simply remove any information they want in line with our easy off processes, or we can do it for them if they have non standard needs. If we do it for them to meet specific exit requirements beyond our standard process then there may be a small cost which is always proportionate to the work requested and agreed with the customer in advance based on the SFIA rate table. There is a professional exit process well established in line with our UKAS accredited ISO 27001:2013 to ensure the customer has a good exit experience and all data is securely disposed of at the time agreed.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None|
|Description of customisation||
The service can be customised at two levels:
1 Organisation - by a system administrator. This includes various aspects of the service including security settings, special categories of work for the whole organisation to follow e.g. account settings.
2 User - by the end user themselves to adapt everything from their home page work to very detailed customisation of work areas, categories, workflows etc
|Independence of resources||Our capacity monitoring has alerting for CPU, Memory and Disk Space. We have measures in place to scale the capacity of an individual server, or to add in additional load-balanced application servers within minutes to cope with changes in demand|
|Service usage metrics||Yes|
|Metrics types||Organisation usage, performance against goals, user activity, workspace activity, log ons, work history and updates, integrated and automated reporting within customer specific reporting environments as well as by separate specific requests the provision of metrics and information through API reporting|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||By clicking a button that says export.|
|Data export formats||
|Other data export formats||Microsoft Office formats|
|Data import formats||
|Other data import formats||Microsoft Office|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
Availability and resilience
Pam is a web based business application generally available 24x7x365, with expected availability of 99.5% in any one month except for scheduled maintenance (scheduled outside of normal Business Hours) or for reasons beyond our control.
We do not contractually offer service credits in response to downtime.
|Approach to resilience||
Pam is served via a resilient load balancing pair which distribute traffic across multiple application servers and backed by a primary/backup database system with real time synchronisation of data to allow for fail over within the primary DC in case of primary database server failure.
The data base is also synchronised to a standby instance of the application located in a geographically separated (100KM+) secondary DC, so that in the case of catastrophic failure of the primary DC, the secondary DC will take over serving of the application.
|Outage reporting||Email alerts, calls to key customer contacts|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Access to management interfaces and support channels requires (depending on system)
- a separate user account
- additional password strength requirements
- IP address whitelisting
- Dedicated VPN link
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||UKAS|
|ISO/IEC 27001 accreditation date||24/09/2018|
|What the ISO/IEC 27001 doesn’t cover||Nothing - the organisation and the applications being delivered are covered. Our infrastructure critical supply chain providers are also certified too,|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Also working in line with ISO 27017 and towards ISO 27018.
We operate in line with EU GDPR and have Privacy Impact Assessments, Subject Access Requests and follow the 120 activities from 7 checklists endorsed by the Information Commissioner's Office.
Have PSN certification.
Have Cyber Essentials.
|Information security policies and processes||
We have a fully UKAS certified ISO 27001:2013 that also includes complementary capabilities for our ISMS. We follow all the security policies and controls based on our Statement of Applicability.
The ISMS is delivered itself securely in the cloud where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication is undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also Operations Director and includes the CEO and CTO. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001: 2013 standard.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Our secure development, change management, testing and asset management polices are available on request as part of our ISO 27001 accredited information security management system|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of being identified, dependent on the vulnerability. It is all evidenced in line with our ISMS.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems looking for increased traffic from specific sources, non standard requests, brute force attempts, irregular traffic.
We respond with; isolation of potentially affected servers, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences.
Real time monitoring takes place with immediate response for suspicious alerts, dashboards highlight abnormal patterns that may not trigger alerts. Common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Our incident management processes are accredited by UKAS certification and follow ISO 27001: 2013 Annex A 16. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and direct into customers or the regulators like the ICO.
Our processes follow EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£600 per instance per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||
Trials can be granted based on a qualified need, clear success criteria and understanding that a budget exists in the event that a trial proves successful.
Some trials may be chargeable with a credit being applied to the account in the event of ongoing use through a longer term contract.