BAE Systems Applied Intelligence Limited

Secure Collaboration as a Service (VTC)

Secure Collaboration as a Service (VTC) enables secure voice collaboration between users located on segregated networks, using an industry-standard protocol (SIP). It integrates with multiple third-party products (e.g. Skype), and products are built in line with NCSC guidance, with security-enforcing functions in hardware. BAE Systems is a Secure Chorus partner member.


  • Protects Tier 1, Tier 2 and Tier 3 networks and communications
  • Provides secure hardware-based Cross-Domain Gateway functionality for secure VTC
  • Aligned to NCSC's architectural patterns for voice
  • Service helpdesk support


  • Collaborate with customers, suppliers and partners without compromising your networks
  • Conforms to the NCSC's architectural patterns
  • Simple commonly used interfaces, reducing integration complexities
  • Designed and developed in conjunction with UK HMG, reducing accreditation
  • Simple integration with protective monitoring and audit systems
  • Improves efficiency and increases operational agility


£3000 per instance per month

  • Education pricing available

Service documents

G-Cloud 10


BAE Systems Applied Intelligence Limited

Hannah Johnson


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints There may be times when maintenance will need to be carried out in the infrastructure. We will communicate the date and time of any maintenance during which we intend to make the Services unavailable through an email sent to the Administrator.
System requirements
  • Customers have VTC endpoint licences
  • Customers have edge services and management licences

User support

Email or online ticketing support Email or online ticketing
Support response times Response times are differentiated by a defined priority level. We aim to respond to all queries within 1 hour of receipt of a query or incident.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels The service support desk is available: Monday-Friday, 08.30-17.30, local UK time, excluding bank & public holidays.
The Supplier will provide access to a technical support service desk. The service desk will record all incidents, input them into the Supplier service management toolset and allocate them to the relevant support engineer.

Service Elements SLA
Mon - Fri 0900-1700
Priority 1 - Incident Response - 30 minutes
Priority 2 - Incident Response - 1 Business Hour
Priority 3 - Incident Response - 1 Business Hour
Priority 4 - Incident Response - 1 Business Hour

Priority 1 - Incident Resolution - 4 Hours
Priority 2 - Incident Resolution - 8 Hours
Priority 3 - Incident Resolution - 5 Business Days
Priority 4 - Incident Resolution - 10 Business Days
Support available to third parties No

Onboarding and offboarding

Getting started User documentation and onsite training provided on request.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Administrators have access to logs and configuration files and can remove them if required.
End-of-contract process Decommissioning is expected to take one day and the cost of this is included in the service price. Anything above this would be charged on a day rate.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing N/A
Customisation available Yes
Description of customisation Administrators can apply a configuration file to the service.


Independence of resources The service has been designed to be highly resilient and scalable, so as usage increases, so does the size of the infrastructure.


Service usage metrics Yes
Metrics types System resources
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach N/A
Data export formats
  • ODF
  • Other
Other data export formats XML
Data import formats Other
Other data import formats XML

Data-in-transit protection

Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Uptime 99.99% for a dual instance
Approach to resilience BAE Systems designs its solutions to be completely resilient with no single point of failure. The services can be mirrored across two resilient data centres and the services are completely resilient within each data centre. With this architecture BAE can lose multiple components within each data centre without any user impact. Additionally, in the event of a complete data centre failure the infrastructure in the alternate data centre is designed to handle the full customer load without any negative impact to customers. Additional details can be provided on request.
Outage reporting BAE leverages an SMS notification solution to notify customers of any customer-impacting issue or outage. Following any major customer-impacting issues BAE issues an Incident Response Report which provides details on the specific issue, what was done to correct the issue and what is being done to prevent the issue from reoccurring.

Identity and authentication

User authentication needed No
Access restrictions in management interfaces and support channels Role based access control.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance Ltd
ISO/IEC 27001 accreditation date 10/02/2014
What the ISO/IEC 27001 doesn’t cover Only the data centre is covered by ISO 27001.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 09/11/2012
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover Only the data centre is covered by STAR.
PCI certification No
Other security certifications Yes
Any other security certifications
  • SSAE16 SOC2 Type 2
  • MDSP (Multiregion Data Processing Service Provider)
  • FFIEC (Financial Institutions Examination Council)

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes BAE Systems facilities and processes undergo continuous third party attestations including annual AICPA SOC 2 Type 2 and Verizon Cybertrust security audits. Additionally the data centres delivering these services are ISO 27001 certified.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach BAE Change Management System Overview
  • Collection of System Information: Information collected concerning the maintenance task and all hardware or software that may be affected.
  • Creation of a Change Request Document: Changes are detailed in a controlled document.
  • Approval of the Change Request: The Change Review is the approving mechanism for all maintenance.
  • Coordination of the Maintenance Schedule: Using information from the test lab, SLAs, backup schedule and networking group, the Change Coordinator prepares a schedule of the maintenance tasks to be performed.
  • Implementation steps: Review of vendor information/procedures, Preparation of tools, Acquisition of materials and Notification/updates to parties at completion/progress.
Vulnerability management type Supplier-defined controls
Vulnerability management approach
  • Quarterly third-party external vulnerability scans
  • Monthly web application, external and internal vulnerability scans
  • Rotation of penetration testing on service offerings
Protective monitoring type Supplier-defined controls
Protective monitoring approach 24x7 SOC monitoring network activity. Formalized incident response policy and process to address any compromise including analysis, documentation, communication, containment, eradication, and recovery. All incidents will be reviewed with legal to determine notification requirements.
Incident management type Supplier-defined controls
Incident management approach Incident Response Process
  1. Preparation
  2. Detection/Reporting
  3. Response (Analysis, Containment, Eradication, Recovery)
  4. Post-Incident Activity
Computing Incident Response Team (CIRT): The team will be assembled upon notification of a Computing Incident by the Information Security Department and will either convene onsite or by way of a conference call. Once the team has been notified, the members will remain active until the incident is resolved or is dismissed.
  1. Reporting an Incident
  2. Determining Severity Level of Computing Incident
  3. Responding to an Incident
Additional details can be provided upon request.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £3000 per instance per month
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document