Knowledge Management

Freeing information from knowledge silos and sharing it with others is a vital activity in organisations where specialist knowledge, expertise and insight are critical factors in the success of core business activities.


  • Quick and Secure - Share instantly, with full auditing
  • Intuitive Interface - Easily view, download or comment
  • Manage content in wikis, post updates in the blog
  • Discover, connect with and follow people
  • Manage group tasks, share group calendars
  • Have discussions and much more in one unified team space
  • MS Office collaboration
  • Send large files - That are too large or sensitive
  • Data visualisation


  • Security - Ensure control over information
  • Audit trail - What's been sent, when and by whom
  • Overcome mailbox sizes - Send a link to a download
  • Private Cloud - So you know where the data sits
  • Business Intelligence


£20 to £400 per user per year

  • Free trial available

Service documents

G-Cloud 10



Adam Koscinski / Alex Zervos

020 7220 5340


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements
  • Modern Web Browser
  • TLS v1.2 + AES Encryption

User support

Email or online ticketing support Email or online ticketing
Support response times 30 minutes Monday to Friday, 8am to 6pm.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels 8am - 6pm Service desk on business days
24/7 Emergency
Support available to third parties No

Onboarding and offboarding

Getting started Training can be delivered remotely or onsite
There is a comprehensive online knowledge base
Service documentation Yes
Documentation formats
  • HTML
  • Other
Other documentation formats Online Client Community Forum
End-of-contract data extraction All data can be extracted by users with the appropriate permission via the user interface.
End-of-contract process All client data is deleted as part of the contract. HighQ will decommission the instance in full as part of the base contract. It is the client's responsibility to extract any data they wish to keep prior to the decommissioning process. Secure overwrite is available for an additional charge.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service All features are available on mobile using a responsive design
Files can be accessed via the HighQ Drive app for mobile on iOS and Android
Accessibility standards None or don’t know
Description of accessibility Collaborate is accessible using any of the standard web browsers in conjunction with existing assistive software that supports the user's chosen web browser. The product has alt-text fields for all non-text content and supports the creation of alt-text metadata for non-text data uploaded into the system.
Accessibility testing We will investigate any usability issue should it be raised as necessary.
What users can and can't do using the API All the main features are accessible via the API, with a vibrant developer community to share and learn.
API documentation Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Custom branding can be applied at system and site level including the URL, visual appearance of the whole user interface and system generated emails.


Independence of resources HighQ's solutions are single tenancy, ring fencing each client from the others. All systems are also load balanced, with duplication of resources in the data centres to ensure continued service.


Service usage metrics Yes
Metrics types All logins, configuration changes and content accessed are audited by user, date and IP address.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach All files can be exported via the main user interface, and all other content can be exported to Excel and/or PDF.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • PDF
  • HTML
  • XML
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Zip

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks Legacy SSL is in sunset phase and is only available to current clients.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.9% Uptime which would be remunerated via service credits.
Approach to resilience Each client is hosted on two geographically separate datacentres within the same legal jurisdiction. All UK hosting centres are ISO 22301, and ISO 27031 compliant.
Outage reporting Email alerts are sent to client organisations upon detecting an outage.
Any maintenance works are undertaken during pre-agreed maintenance windows and upgrades take place on a date/time pre-agreed with the client.

Identity and authentication

User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication SAML 2.0
2-step authentication
Access restrictions in management interfaces and support channels Application access management is controlled by the client who can grant or revoke administrative privileges within the application to or from users in line with their own organisational policies and procedures.
Infrastructure management is performed via secure management servers which are accessible only by VPN using two-factor authentication. Administrators cannot view client data where it is encrypted at rest.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DAS
ISO/IEC 27001 accreditation date 04/02/2016
What the ISO/IEC 27001 doesn’t cover Our ISO 27001 certification covers all 114 controls.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • CyberEssentials Plus
  • CSA Star Level One

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The CISO function is performed by the CTO. A dedicated head of information security reports to the CTO. A dedicated GRC team undertakes GRC tasks and a dedicated Security Operations team implements the policies as set by the CTO.
All staff must adhere to a defined IT security policy and sign a confidentiality agreement. An ISMS is in place adhering to ISO 27001.
All staff receive security awareness training upon commencement of employment and on-going cybersecurity training.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All configuration management and change management is performed using the Agile methodology. Changes are developed and a product iteration is released. Each release is subject to penetration testing.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We regularly perform penetration testing, undertake monthly vulnerability scans, and daily change scans. Patches are normally deployed within 2 weeks, and we receive threat intelligence from third party security vendors, e.g. CiSP, Mitre, and other publicly available sources. We also employ a source code vulnerability tracking system and use automated security assessment tools.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach HighQ employ enterprise logging and SIEM for all systems and perform regular checks upon those logs and events. Incidents are reviewed and classified in terms of impact and criticality. There is a defined security incident management practice (NIST 800-61r2). Depending upon the nature of the incident, the issue is either remediated immediately or mitigations designed into the next release.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents are managed using NIST 800-61r2 methodology and are recorded through an issue tracking system. Each incident is prioritised according to its impact and severity and will be remediated either as a bug fix in the next release or as an immediate hotfix should the incident be highly pervasive in nature.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £20 to £400 per user per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Access can be given to a site for an agreed period, in order to prototype the solution as part of the sales cycle once the requirements have been identified.


Pricing document View uploaded document
Terms and conditions document View uploaded document