Nettitude Limited

STREAM PCI DSS Application

Users of STREAM are able to plan and coordinate their PCI-DSS compliance programmes, record compliance and schedule checks for maintaining compliance. The ROC can be populated automatically from data held in the STREAM database and STREAM’s extensive reporting capability provides compliance views against the PCI-DSS clauses and milestones with analysis.


  • Measure and report on compliance for specific payment channels
  • Collate PCI DSS evidential checks and documentation
  • Automatically schedule future checks with email reminders
  • Raise, assign and track actions for remediation with reminders
  • Automatically generate the Report on Compliance (RoC)
  • Single-user or multi-user Enterprise deployment
  • Status information on risks, controls, vulnerabilities, incidents and events
  • Track overdue actions, assessments and approvals
  • Assign responsibilities


  • Improve staff productivity
  • Reducing time required to gather, collate and report on compliance
  • Avoid the risk of lapsed compliance from missed assessments
  • Reduce the risk of incidents resulting from non-compliances
  • Saving costs associated with incident response
  • Direct losses and reputational damage
  • Reduce the cost of compliance audits
  • Having up-to-date PCI DSS compliance status infromation
  • Compliance status information available on demand


£35 per user per month

  • Free trial available

Service documents

G-Cloud 11


Nettitude Limited

Jazz Bhambra

0345 5200085

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints The STREAM service consists of a rich client running on the application server and distributed over the network via one of two virtualisation platforms: Ericom Connect ('Ericom') or Microsoft Remote Desktop Web Access ('RemoteApp'). Ericom offers best performance and compatibility with all client networks but does not allow direct linking to client-side resources. RemoteApp permits direct linking to client-side resources but often requires explicit authorisation through client network firewalls.
System requirements
  • Ericom: HTML5-capable browser
  • RemoteApp: Windows OS with HTML5-capable browser
  • RemoteApp: Android, iOS, Mac OS with Remote Desktop Client app

User support

User support
Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels All STREAM service subscriptions include the same support level.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Initial setup with power user accounts for designated customer contacts >> Handover email to designated contacts with instructions for first login and further user creation >> Optional run-through of the system over the phone >> Further resources available self-service (online training videos, user manual and other written references
Service documentation No
End-of-contract data extraction The customer should request a backup of their SQL Server database from our support desk. The database backup (a BAK file) will be made available to the customer via a secure file transfer method.
End-of-contract process Provided 60 days' notice is given prior to contract termination, no additional costs are incurred at the end of the contract. Failure to provide 60 days' notice prior to termination commits the buyer to another year's subscription.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Ericom option: No difference -mobile access through web browser ; RemoteApp option: Mobile access through Remote Desktop Client app.
Customisation available Yes
Description of customisation The following can be customised as standard: - User accounts, user roles and permissions on organisation tree - Tree structure for organisation risk registers and assets - Additional tree views ('virtual trees') - Assets and linking of assets to relevant part(s) of the tree - Risk and control frameworks - Risk and control assessment schemes - Relationships between risk, controls and assets - Configurable fields and settings for Risks, Controls, Assets, Events, Actions and Documents objects - Automations for risk and control identification, risk and control assessment, activity scheduling and object referencing - Custom Reports (tabular report based on Risks, Controls, Assets, Events or Actions object and data from linked objects). All of the above is configurable in the STREAM user interface. Access to the relevant configuration screens is subject to user permissions.


Independence of resources Acuity Cloud base infrastructure consists of a multi-tenanted virtual Microsoft Active Directory (AD) domain using AD Organisational Units (OU) to isolate tenants. A multi-tenanted virtual SQL Server farm back-end provides hosting for the STREAM databases. Applications servers are dedicated to individual clients and provide access to the STREAM application, related applications and file-sharing. Group Policy and other techniques are used to harden application server security and prevent access to administrative functions.


Service usage metrics No


Supplier type Reseller providing extra support
Organisation whose services are being resold Consultancy expertise

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users may export the data in the CSV format using the "Export" button available in the STREAM user interface as standard or in the XLS format using special STREAM utilities which may be setup on request.
Data export formats
  • CSV
  • Other
Other data export formats XLS
Data import formats
  • CSV
  • Other
Other data import formats XLS

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Hosting portal availability: 99.9%; STREAM application faults classified into priority Level as follows: Critical (severe business impact): Initial Response - 30 minutes, Target Resolution- 4 hours ; High (high business impact): Initial Response - 1 hour, Target Resolution- 8 hours ; Medium (moderate business impact affecting only non-business critical applications or business processes): Initial Response - 1 hour, Target Resolution- 72 hours ; Low (limited business impact affecting only non-business critical applications or business processes): Initial Response - 2 hours, Target Resolution- 240 hours ; Response times apply during UK Business Hours Mon-Fri 09:00-17:30. No refunds provided on failure to meet SLA but service subscription time may be extended as appropriate, after review with customer.
Approach to resilience The Private Cloud is hosted on multiple hardware clusters with automatic failover. The Base Infrastructure is distributed across independent hardware clusters to provide continuity in the event of a single entire cluster failure. All individual hardware components used to build clusters and other infrastructure are completely fault-tolerant including servers, storage, switches and other devices. Fault-tolerant features include but not limited to hardware RAID, dual PSU, dual CPU and multiple RAM. Bench stock is retained for hardware back up. All hardware clusters have multiple independent paths of connectivity and power.
Outage reporting We send Reason For Outage (RFO) reports by email as part of our incident management process.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels Self-service User Management interface provided for management of user accounts on service. Access to User Management restricted to designated users and managed through dedicated Active Directory groups. Configuration of STREAM application contents and logic managed from within the application and subject to user permissions. Support channels: email, phone.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Hosting Supplier Handstand: Accredited by BMTRADA; 4D-Datacentre: Accredited by NQA
ISO/IEC 27001 accreditation date 24/06/15; 14/05/16
What the ISO/IEC 27001 doesn’t cover STREAM back office administration
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications PCI DSS security comliant data centre

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We follow ISO27001 principles
Information security policies and processes We follow ISO27001 principles

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes managed as service requests on internal ticketing system. Service request tickets are linked to the appropriate asset(s) in the configuration management database (CMDB) and tracked until implementation and documentation
Vulnerability management type Supplier-defined controls
Vulnerability management approach Physical host and virtual machine operating system critical and security patches will be applied within 30 days of release. Other patches will be applied within 90 days of release. We subscribe to all the well-known vulnerability feeds and Microsoft update alerts.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Intrusion detection system (IDS) is in place on our firewall clusters and server-based IDS on the host machines. Email or SMS alerts are sent when suspicious activity is detected on monitored systems. We also take into account incident reports from end-users or staff members when they suggest any unusual activity. As soon as suspicious activity is detected, we login to investigate the affected systems as a matter of priority and take action where required.
Incident management type Supplier-defined controls
Incident management approach Incidents are defined as occurrences of events with potential to compromise information security on the host infrastructure. Information security incidents are logged as soon as detected and tracked until adequate resolution and closure. Incident management workflow: detection > logging > containment > remediation > root-cause analysis > security review > planning of improvements and preventive actions to protect against recurrence > incident closure. When appropriate, a Reason for Outage report (RFO) is generated and sent to users by email.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £35 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A one month full trial period is offered with access for 2 concurrent users, if software is not purchased the database will be wiped.

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑