Safe4 Information Management

Safe4 secure information delivery and storage

Safe4 provides a very secure facility for sharing structured and unstructured information with parties who are external to the Safe4 customer. Information can be uploaded as files or held in column and row format similar to a database. Automatic notification and full audit trails are standard.


  • UK hosting for all services, ISO 27001 compliant
  • All contracts under English Law
  • Management of information in structured and unstructured formats
  • Very secure, among 0.8% most secure websites
  • Comprehensive and mature API allowing seamless integration
  • Automated notification of document upload or data change
  • Comprehensive audit trail with full reporting facilities
  • White-labeled allowing services provider's branding and messaging
  • Familiar Windows-like user interface, with folders and files display
  • Responsive user interface on mobile devices


  • Very simple to set up and configure, no capital cost
  • Supports full GDPR compliance for service provider
  • Totally secure transfer of confidential information
  • Removes dependence on email for confidential information sharing
  • Competitively priced
  • UK-based development team with rapid access to technical management
  • UK-based support services
  • Architecture is based on a secure vault for each subject
  • Tried and tested, in operation for 8 years
  • Powerful system management and admin functions


£3.00 per user per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Safe4 Information Management

Ben Martin

+44 7765 880864

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No constraints, other than requiring the use of up-to-date browsers. Old browser versions are not supported due to the security risks that they carry.
System requirements
  • Modern browser access
  • Safe4 is fully web-based, therefore there are no local requirements.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard SLA applies, next business day at the latest for email response.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Safe4 support is based on next business day response for normal support requests, and four levels for dealing with system defects. This depends on severity of the issue, and varies from 2-hours response to resolution within 1 business day. Generally Safe4 does not make a separate charge for support, unless the request requires on-site attendance for an issue that is not a system defect.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Safe4 provide onsite training for system administrators. Full system documentation is provided online.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Each vault is equipped with an "Archive" function that will download all folders and files into a ZIP file that replicates the structure within Safe4.
End-of-contract process There are no additional costs at the end of the contract, unless the customer requests Safe4 to provide data extraction services. This can be done by the customers themselves, however.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The system is responsive on mobile devices, and the screen will thus reconfigure depending on orientation.
Accessibility standards None or don’t know
Description of accessibility The system is accessible using standard browsers but has no specific accessibility features for impaired users.
Accessibility testing None to date.
What users can and can't do using the API The Safe4 API provides programmatic access to all of the functions of the system. It is a restful API.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customisation includes branding (addition of logos), welcome text on login page, messaging on email invitations, personal and corporate email signatures. These changes can be made through standard interfaces by users with appropriate permissions


Independence of resources The architecture of Safe4 permits very high levels of system resilience. Scaling at web server level is done horizontally, with additional server capacity being provisioned very quickly. Load balancing ensures that server loading is managed to provide optimum performance.


Service usage metrics Yes
Metrics types Safe4 data can be queried to provide metrics showing activity by provider, vault, user and function.
Reporting types
  • API access
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach All system reports can be exported in either MS Excel or CSV format. Data can also be exported using the "Archive" function, which recreates the Safe4 folder and file structure in a ZIP file. Bulk download of files is supported. Listed data can be exported to Excel or CSV files.
Data export formats CSV
Data import formats Other
Other data import formats
  • Safe4 supports the WebDAV protocol.
  • Data can be bulk-imported using the Safe4 API.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Safe4 aims to provide 100% availability. This is monitored independently, and reported on monthly. Actual availability as reported is in excess of 99.99%, but 100% is achieved regularly. Safe4 SLAs do not specifically relate to availability, but deal with response times in the event of support requests.
Approach to resilience This is available on request, but Safe4 utilises a multi-server architecture with data being stored in multiple locations at all times.
Outage reporting Outages are very infrequent, and are notified to customers by email.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication By means of a 6-digit PIN. Access of granted when 4 of the 6 digits are entered using a screen keypad. The physical keyboard is disabled at this point.
Access restrictions in management interfaces and support channels Access to management interfaces is controlled by means of a granular permissions capability. Permission must be granted explicitly before certain management and support functions are available.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials
  • Working towards the Cyber Primed standard

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Safe4 data is stored with Rackspace, a service provider with ISO 27001 accreditation. Safe4 are accredited with Cyber Essentials, and have annual penetration tests carried out by UK Government accredited agencies. Additionally, Safe4 are pursuing accreditation to the Cyber Primed standard.
Information security policies and processes Safe4 is implementing the Cyber Primed standard, which adopts a highly structured compliance framework. A board-level director is appointed to be responsible for designated elements within the framework, with reviews being undertaken at least every 6 months. This includes a structured risk register, as well as an information asset register to assist compliance with GDPR.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Safe4 services are delivered through the provision of a web application. Control of changes to software code is maintained through a rigid configuration process, with board-level sign-off of changes. These are rigorously tested on a development server and a staging server before being pushed to the live production environment.
Vulnerability management type Undisclosed
Vulnerability management approach Responsibility for assessment of vulnerability is at board-level. Reaction to perceived threats is reviewed at board level and patches or fixes are deployed immediately, after testing. Information about potential threats is obtained from multiple sources, primarily through some media outlets and discussion groups.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are identified by close monitoring of multiple sources of information about threats. Potential compromises are reviewed immediately and a risk assessment is undertaken. If the Safe4 system is felt to be vulnerable then immediate action will be taken.
Incident management type Supplier-defined controls
Incident management approach Safe4 is adopting the Cyber Primed standard, which incorporates specific methods of handling incidents. These include a record of all mitigation actions undertaken, as well as reports outlining how service availability might have been affected.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £3.00 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Safe4 will create a branded provider account and invite a user from a prospective customer with full admin rights for a period of 1 month without charge. This will be done following a brief introductory workshop.


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑