Brainloop Limited

Brainloop BoardRoom

Brainloop BoardRoom is a portal for efficient and secure board and committee communications. It streamlines and simplifies how board and meeting packs are created, distributed, reviewed and updated, while end users are able to access and collaborate on the packs via any device, online and offline.


  • Predefined customisable templates with agenda, cover and contents pages
  • Drag and drop into meeting pack from MS Outlook
  • 100% faithful PDF conversion of any file format
  • Full resolution and decision making support
  • Flexible task and workflow support for collation and minute approval
  • Agenda driven navigation (agenda always available)
  • Full text search and document versioning
  • Annotations preserved throughout update process and synched across devices
  • Reading Rooms and document libraries for policies and filings
  • Automatic page numbering, tabs and sections


  • Reduce time and cost to produce and distribute meeting packs
  • Native working experience with Brainloop's Microsoft Office integration
  • Strong security and protection for board materials - online/offline
  • Control and visibility over the entire meeting management process
  • Only authorised users can access the data
  • Local data hosting in secure Government certified UK/EU data centres
  • 24/7/365 multi-language support for boards, committees and administrators
  • Support for contract and policy management
  • Support for any device including Windows, Apple and Android


£444 per user per year

Service documents


G-Cloud 11

Service ID

4 3 9 0 9 0 7 3 8 8 8 1 4 7 2


Brainloop Limited

Hedwig Ehling

0207 183 8285

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints Scheduled maintenance windows are arranged during the late hours of a Saturday.
System requirements
  • Windows 7 or above
  • OSX 10.10 or newer
  • IOS 8.2 or newer
  • Android 4.3 or newer
  • Internet Explorer 9 or above
  • Safari latest two versions
  • Mozilla Firefox - latest two versions
  • Google Chrome - latest two versions
  • Microsoft Office 2007 or above for Office Connector (add-in)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Depends on the contract, standard 4 hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Technical Support (24/7 helpdesk), Customer Care (named technical and commercial account manager) at no extra cost. Professional Services (on site) at a daily / fixed price rate.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Onboarding - onsite or online. Admin and end user training. Bespoke documentation on setup and user documentation.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data extraction can be done by creating an archive and burning to a disk/external drive or downloading the content to another repository. This can be done by the customer or Brainloop.
End-of-contract process All information stored by the customer on a Brainloop platform will be automatically destroyed 30 days after the termination of a contract. All encryption keys will be securely destroyed. Documents stored on secure apps (mobile devices) will be automatically purged.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Please refer to the service definition document.
Service interface Yes
Description of service interface The service is accessed either from a browser on desktop or laptop devices or from a secure client app on tablet or phone devices.
Accessibility standards None or don’t know
Description of accessibility Our service is WCAG 2.0 compliant.
Accessibility testing We have an accessibility mode that is based on WCAG 2.0, but we are not certified. The accessibility mode enables users with a visual impairment or difficulty operating a keyboard or mouse to use the most important functions of the software, and is designed to work with the help of screen reader programs such as JAWS, and keyboard navigation.
What users can and can't do using the API Please refer to the service definition document.
API documentation No
API sandbox or test environment No
Customisation available Yes
Description of customisation Users can customise their login page with corporate colours and a logo. This can be done by a customer or Brainloop. Please refer to the service definition document for more detail.


Independence of resources The system is architected to provide a robust and scalable service to our customers. Our system can handle thousands of active users.


Service usage metrics Yes
Metrics types Please refer to the service definition document.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach Encryption of all data using AES 256bit encryption. Data center is also PCI accredited.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Download via Web interface or use an API tool for large volumes.
Data export formats Other
Other data export formats
  • Download via Web interface or
  • Use an API tool for large volumes.
Data import formats Other
Other data import formats
  • No restriction on file type.
  • Executables and
  • Batch files are zipped to protect potential malicious files.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks HSTS : TLS 1.2, SSL Certificate (SHA256withRSA)
Data protection within supplier network Other
Other protection within supplier network HSTS : TLS 1.2, SSL Certificate (SHA256withRSA) and VPN Gateway

Availability and resilience

Availability and resilience
Guaranteed availability Average monthly availability is 99.5%. We will provide the service to a customer for a day without charge for each half of a percentage point that the service was not available.
Approach to resilience Clustered Data Center (Active-Active). Each and every component is redundant and load balanced.
Outage reporting Through the info portal on the Web GUI and email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Permission based system, users have defined permissions and therefore only authorised users can access administrator functions.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication SAML

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information No audit information available
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 TÜV SÜD Management Service GmbH
ISO/IEC 27001 accreditation date 16/08/2017
What the ISO/IEC 27001 doesn’t cover Please refer to the service definition document.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Yes, ISO270018

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Defined in ISMS manual as part of ISO27001

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We have a change management category matrix which defines responsibilities by department. E.g. All security related changes need approval from CTO and Information Security Manager.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a “Security Incident Management” policy and process in place. Within this, responsibilities and scope is defined and implemented. Vulnerabilities are evaluated monthly. Monitoring of special interest pages with regards to vulnerabilities, like CERT-BSI. Risks for usage of third parties are reviewed annually and when significant changes are planned, e.g. during the selection process of new hosting providers.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach As part of the process above, our operations team regularly researches and monitors new known threats and vulnerabilities. This is also a major part of our Security Incident Management process.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach An Incident Management process is part of our Escalation management. A Support engineer will start the escalation to the Escalation team which will then identify the relevant Escalation Manager. The Escalation Manager then sets up a meeting with all relevant stakeholders, VPs or Board level members to solve the incident in a timely manner.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)


Price £444 per user per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑