Nettitude Limited

STREAM PCI DSS Application

Users of STREAM are able to plan and coordinate their PCI DSS compliance programmes, record compliance and schedule checks for maintaining compliance. The Report on Compliance (RoC) can be populated automatically from data held in the STREAM database, and STREAM's extensive reporting capability provides compliance views against the PCI DSS clauses and milestones with analysis.


  • Measure and report on compliance for specific payment channels
  • Collate PCI DSS evidential checks and documentation
  • Automatically schedule future checks with email reminders
  • Raise, assign and track actions for remediation with reminders
  • Automatically generate the Report on Compliance (RoC)
  • Single-user or multi-user Enterprise deployment
  • Status information on risks, controls, vulnerabilities, incidents and events
  • Track overdue actions, assessments and approvals
  • Assign responsibilities


  • Improve staff productivity
  • Reduce the time required to gather, collate and report on compliance
  • Avoid the risk of lapsed compliance from missed assessments
  • Reduce the risk of incidents resulting from non-compliance
  • Save costs associated with incident response
  • Avoid direct losses and reputational damage
  • Reduce the cost of compliance audits
  • Keep PCI DSS compliance status information up to date
  • Make compliance status information available on demand


£35 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

574342822616888


Nettitude Limited

Jazz Bhambra

0345 5200085

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
The STREAM service consists of a rich client running on the application server and distributed over the network via one of two virtualisation platforms: Ericom Connect ('Ericom') or Microsoft Remote Desktop Web Access ('RemoteApp'). Ericom offers best performance and compatibility with all client networks but does not allow direct linking to client-side resources. RemoteApp permits direct linking to client-side resources but often requires explicit authorisation through client network firewalls.
System requirements
  • Ericom: HTML5-capable browser
  • RemoteApp: Windows OS with HTML5-capable browser
  • RemoteApp: Android, iOS, Mac OS with Remote Desktop Client app

User support

Email or online ticketing support
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
All STREAM service subscriptions include the same support level.
Support available to third parties

Onboarding and offboarding

Getting started
  • Initial setup with power user accounts for designated customer contacts
  • Handover email to designated contacts with instructions for first login and further user creation
  • Optional run-through of the system over the phone
  • Further resources available self-service (online training videos, user manual and other written references)
Service documentation
End-of-contract data extraction
The customer should request a backup of their SQL Server database from our support desk. The database backup (a BAK file) will be made available to the customer via a secure file transfer method.
End-of-contract process
Provided 60 days' notice is given prior to contract termination, no additional costs are incurred at the end of the contract. Failure to provide 60 days' notice prior to termination commits the buyer to another year's subscription.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Ericom option: no difference, mobile access is through the web browser. RemoteApp option: mobile access is through the Remote Desktop Client app.
Service interface
Customisation available
Description of customisation
The following can be customised as standard:
  • User accounts, user roles and permissions on the organisation tree
  • Tree structure for organisation risk registers and assets
  • Additional tree views ('virtual trees')
  • Assets and linking of assets to the relevant part(s) of the tree
  • Risk and control frameworks
  • Risk and control assessment schemes
  • Relationships between risks, controls and assets
  • Configurable fields and settings for Risks, Controls, Assets, Events, Actions and Documents objects
  • Automations for risk and control identification, risk and control assessment, activity scheduling and object referencing
  • Custom Reports (tabular reports based on Risks, Controls, Assets, Events or Actions objects and data from linked objects)
All of the above is configurable in the STREAM user interface. Access to the relevant configuration screens is subject to user permissions.


Independence of resources
Acuity Cloud base infrastructure consists of a multi-tenanted virtual Microsoft Active Directory (AD) domain using AD Organisational Units (OU) to isolate tenants. A multi-tenanted virtual SQL Server farm back-end provides hosting for the STREAM databases. Applications servers are dedicated to individual clients and provide access to the STREAM application, related applications and file-sharing. Group Policy and other techniques are used to harden application server security and prevent access to administrative functions.


Service usage metrics


Supplier type
Reseller providing extra support
Organisation whose services are being resold
Consultancy expertise

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users may export data in CSV format using the "Export" button available in the STREAM user interface as standard, or in XLS format using special STREAM utilities which may be set up on request.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Hosting portal availability: 99.9%. STREAM application faults are classified into priority levels as follows:
  • Critical (severe business impact): initial response 30 minutes, target resolution 4 hours
  • High (high business impact): initial response 1 hour, target resolution 8 hours
  • Medium (moderate business impact affecting only non-business-critical applications or business processes): initial response 1 hour, target resolution 72 hours
  • Low (limited business impact affecting only non-business-critical applications or business processes): initial response 2 hours, target resolution 240 hours
Response times apply during UK business hours, Monday to Friday 09:00-17:30. No refunds are provided on failure to meet the SLA, but the service subscription period may be extended as appropriate after review with the customer.
Approach to resilience
The Private Cloud is hosted on multiple hardware clusters with automatic failover. The Base Infrastructure is distributed across independent hardware clusters to provide continuity in the event of an entire single cluster failing. All individual hardware components used to build clusters and other infrastructure are fully fault-tolerant, including servers, storage, switches and other devices. Fault-tolerant features include, but are not limited to, hardware RAID, dual PSU, dual CPU and multiple RAM modules. Bench stock is retained as hardware backup. All hardware clusters have multiple independent paths of connectivity and power.
Outage reporting
We send Reason For Outage (RFO) reports by email as part of our incident management process.

Identity and authentication

User authentication needed
User authentication
Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
A self-service User Management interface is provided for managing user accounts on the service. Access to User Management is restricted to designated users and managed through dedicated Active Directory groups. Configuration of STREAM application contents and logic is managed from within the application and is subject to user permissions. Support channels: email, phone.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Hosting Supplier Handstand: Accredited by BMTRADA; 4D-Datacentre: Accredited by NQA
ISO/IEC 27001 accreditation date
24/06/15; 14/05/16
What the ISO/IEC 27001 doesn’t cover
STREAM back office administration
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
PCI DSS security compliant data centre

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We follow ISO27001 principles
Information security policies and processes
We follow ISO27001 principles

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are managed as service requests on an internal ticketing system. Service request tickets are linked to the appropriate asset(s) in the configuration management database (CMDB) and tracked until implementation and documentation are complete.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Physical host and virtual machine operating system critical and security patches will be applied within 30 days of release. Other patches will be applied within 90 days of release. We subscribe to all the well-known vulnerability feeds and Microsoft update alerts.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
An intrusion detection system (IDS) is in place on our firewall clusters, with host-based IDS on the server machines. Email or SMS alerts are sent when suspicious activity is detected on monitored systems. We also take into account incident reports from end users or staff members when they suggest any unusual activity. As soon as suspicious activity is detected, we log in to investigate the affected systems as a matter of priority and take action where required.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are defined as occurrences of events with potential to compromise information security on the host infrastructure. Information security incidents are logged as soon as detected and tracked until adequate resolution and closure. Incident management workflow: detection > logging > containment > remediation > root-cause analysis > security review > planning of improvements and preventive actions to protect against recurrence > incident closure. When appropriate, a Reason for Outage report (RFO) is generated and sent to users by email.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£35 per user per month
Discount for educational organisations
Free trial available
Description of free trial
A one-month full trial period is offered with access for 2 concurrent users; if the software is not purchased, the database will be wiped.

