Cimar Ltd

Vendor Neutral Archive (VNA) and Disaster Recovery (DR) in the Cloud

Cimar’s cloud VNA DRaaS for your existing PACS gives the ability to retrieve imaging data in the event of local hardware, software or network failure.

• Auto-sync'd low-cost cloud elastic storage cost.
• Zero-cost image-sharing to anywhere direct from Sync'd cloud
• Zero-cost API for image enabling EMR apps etc...


  • Customisable VNA Cloud for medical imaging and multi-media format storage
  • Cloud Disaster Recovery storage for business continuity assurance
  • PHI Normalisation. Standardise patient identifiers across all data
  • Zero-footprint diagnostic viewer. Access from any PC, Mac, tablet
  • Frictionless 3rd Party Integrations. Integrate with EMR, RIS & Portals
  • Connects directly to PACS, RIS, PAS, + APPs via HL7/DICOM
  • Secure real-time image sharing to anyone, anywhere even patients
  • Cross Document Sharing (XDS compliant) “THIN” searchable cloud
  • Built-in customisable Second Opinion Portal with online patient payment
  • Easy to white-label and brand as your own service


  • One Cloud VNA spans all Vendor Modalities and Health systems
  • Significant savings on management of DICOM and Non-DICOM media
  • Highly scalable and secure T3 elastic Cloud storage
  • Built-in FDA approved Zero-Footprint viewer free to all users
  • Easy to build-your-own Workflows, custom fields and smart cloud rules.
  • Extend Operational Life of Legacy systems
  • DR Usage Adds free frictionless image sharing and API integration
  • Zero cost RESTful API for image-enabled integration with other APPS
  • Easy to build-your-own Workflows, custom fields and smart cloud rules.
  • Eliminate CD handling and production with automated web importing


£0.2 per gigabyte per month

Service documents

G-Cloud 9


Cimar Ltd

Mr Howard Jenkinson

07958 776809

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to RIS - Cimar is fully compatible with all RIS and HL7 message exchange.
PACS - Reduces local storage costs dramatically, provides low-cost triple-redundancy disaster recovery, enables image sharing directly between any vendor systems.
EHR / PATIENT PORTAL - API embeddable imaging layer inside 3rd party applications.
Cloud deployment model Private cloud
Service constraints Service is provided on a 99.8% uptime.
Maintence windows are rarely required but are advised well in advance if ever needed.
System requirements
  • Internet Connection
  • User devices maintained with AV and local security policies

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support is available by sending an email to
Support hours of operation are Monday through Friday, 6 am to 6 pm (GMT) excluding national UK holidays. After-hours escalations to Level 2 and Level 3 support are available as needed.
Cimar will acknowledge all requests for support within two (2) hours of receipt.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Cimar’s approach to support is to do whatever it takes to get medical images to the right physician as quickly as possible, so patients receive optimal treatment and care. When issues arise we are here to support you 24x7x365.

First Level Support

1. Verifying entitlement to receive support.
2. Taking the initial call from the Subscriber, and tracking the problem until its resolution.
3. Assigning an initial severity level to the problem.
4. Checking list of known problems and workarounds.
5. Implementing resolution to known problems or assisting Subscriber with workaround where feasible.
6. Isolating, identifying, and reproducing unknown problems reported by Subscriber.
7. Researching a workaround or other solution to an unknown problem.
8. Escalating the issue to Second Level Support if unresolved at this level.
9. Advising Subscriber of status changes related to reported problems.

Second Level Support

1. Confirming the severity level of the problem.
2. Investigating and analysing the problem.
3. Providing resolution of problems with known corrections or workarounds.
4. Escalating an unknown problem to Third Level Support (Engineering).
5. Delivering hot fixes to Subscriber.
6. Providing assistance with more complex installation/configuration problems.
7. Advising Subscriber of status changes related to their reported problem.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Cimar provides an extensive library of on-line user support material, and provide 'train-the-trainer' knowledge transfer as required. Additional training services can be provided upon request, including online web-event tutorials by arrangement.

Cimar also assists in providing custom support material for our clients that can be accessed by all users via our clients intranet, or login to Cimar's service.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Data can be extracted or migrated at any time from Cimar via Cimar's Gateway - directly to any DICOM node or suitable receiving system.
Large volumes (TB) are best migrated by arrangement with Cimar, where a cost for such migration will be quoted, dependant on volumes and our clients requirement complexity. e.g. to physical drive/NAS/SAN, or if we are required to transcode data to specific syntaxes for import into other systems. Numerous variables can apply, and Cimar is always committed to making migration as painless as possible for our clients.
End-of-contract process Since Cimar is entirely Vendor Neutral, we are able to export/migrate data we host - in formats our clients require - that match other DICOM 3.0 compliant systems.
Depending on the workflow Cimar has been used for, we agree with our clients what data migration needs should be accommodated.
In some workflow scenarios, Cimar holds only copy images, and their retention may not be required. In other workflows, we are the core archive - in which case all images will most likely require migration to another system.
Users continue to use Cimar as normal throughout the termination period, whilst planning and execution of the transitional process between systems of their choice occurs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • MacOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Cimar platform runs on smart mobile devices (phone and tablet) with suitably constrained diagnostic functionality.
Accessibility standards WCAG 2.0 AAA
Accessibility testing Cimar has been suitably designed with user disability in mind and has been tested to meet the required standards.
What users can and can't do using the API Cimar provides a complete RESTful API, featuring all functionality as embeddable components. This ranges from a raft of image harvesting, manipulation, transcoding and viewing functionality, to web diagnostic reporting, VR support, and RESTful cloud archiving and recall.

All API integration is via JSON and web-hooks. Integration can either via synchronised encrypted hyperlink exchange, or as native JSON calls between platforms. we support AD and SSO via Ping identity services.

Embedded imaging functionality can be achieved in as little as a few hours, or complete integration at a granular level typically takes a few weeks coding.

Cimar can also be embedded using simple hyperlinks to Cimar hosted image harvesting and dynamic viewing services - including a complete, customisable Second Opinion Portal. All User Interface presentation can be customised and honed to match applications into which Cimar is embedded.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Cimar's Service interface can be extensively customised.
The User Interface can be adapted to include custom terminology, CSS colour schemes, white labelled branding and URL access.
Unlimited custom fields can be added, and if required, auto-mapped to DICOM tags.
Smart rule-logic can be customised to accommodate IF/ELSE logic within workflows and such rules can be content-aware using Cimar’s Machine Learning features to automate and transcode study, PHI or custom field content.
The platform is designed to enable clients to design and create their own bespoke workflows, to the extent that user roles, functionality permissions, rules based logic and automated tasks can all be configured to match existing or new operational practices as required.


Independence of resources Our host platform is hosted with UK Cloud and is built on a dynamically expandable architecture where load balancing manages system performance and on-demand resource availability. Storage is elastically expandable, as is application and Database layer infrastructure running as a virtual environment.


Service usage metrics Yes
Metrics types Dashboard usage graphs are available as permissable role functionality. Detailed study reports can be downloaded including custom field content and study metrics. Audit trails at study and user activity levels can be viewed where role profiles permit, and similarly exported as structured data reports.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Ambra Health inc.

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported any time via Cimar's Gateway - directly to any DICOM or VNA node or suitable receiving system.
Large volumes (TB) are best migrated by arrangement with Cimar, where a cost for migration will be quoted, dependant on volumes and requirement complexity. e.g. to physical drive/NAS/SAN, or if we are required to transcode data to specific syntaxes for import into other systems. We can script to match/de-dupe/morph studies during export enabling easy synchronisation between our platforms connected to our Service.
Numerous variables can apply, and Cimar is committed to making migration a painless excercise for our clients.
Data export formats
  • CSV
  • Other
Other data export formats
  • Bulk data migration of all formats is possible
Data import formats Other
Other data import formats
  • JPEG - Viewable in Cimar's Zero-footprint DICOM Viewer
  • BMP - Viewable in Cimar's Zero-footprint DICOM Viewer
  • TIFF - Viewable in Cimar's Zero-footprint DICOM Viewer
  • AVI - Viewable in Cimar's Zero-footprint DICOM Viewer
  • MPG - Viewable in Cimar's Zero-footprint DICOM Viewer
  • PDF - Viewable in Cimar's Zero-footprint DICOM Viewer
  • Any other format can be DICOM wrapped

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network We provide patented Split/Merge protection for all data within our network. Images at rest are stored without any identifyable PHI, which is held separately in an encrypted database. United Image and PHI data only occurs in system memory, either at the time of reciept or request. In addition all data carried to and from our service is either over N3 exlusively, or over HTTPS (256 bit AES or DES encrypted).

Cimar is also accessible as an Internet service, but only as an HTTPS protected connection. this can be through N3's internet Gateway or externally - e.g. by patients.

Availability and resilience

Availability and resilience
Guaranteed availability Service Level (System Level Uptime) is determined as a percentage of time in a month that the system is available and functioning properly as defined below. Cimar will provide the uptimes listed in the chart below. Recurring maintenance windows, scheduled downtime, and emergency updates are excluded from the system level uptime percentage calculation. Additionally, any downtime caused by the Subscriber environment is not considered downtime for any component of the Cimar application. (i.e. Subscriber internet connection is down, power outage at Subscriber site, etc.)

System Component/Function Service Level (System Uptime): Application Suite 99.9 % Gateway 98%

Regular maintenance windows are agreed as needed with our clients.
Approach to resilience Available on request. This would be co-provided with UK Cloud.
Outage reporting All of these can be configured if required.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Customers have the option to raise a support request via telephone or email. Cimar authenticates the enquirers identity by validating known phone numbers and asking them for specific characters within their pre-agreed memorable word. Application administrative access is only available to those users, that our clients permit. this is only application level admin, and no deeper system access is possible. Such access is used to configure the clients own account settings, which is entirely separate from all system and infrastructural configuration settings.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Cyber Essentials PLUS
  • SOC 2-compliant
  • The Health Insurance Portability and Accountability Act (“HIPAA”)
  • IG-soc
  • FDA 21CFRPart11

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We adhere to a formal, monitored and reported information and system security program. This is comprised of our own policy library as is reflected in our ISO 9001 accreditation. Policy documents include; hazard analysis, information security program, 3rd party integration policy, breach policy, incidence response policy, system access policy, disaster recovery and business continuity policy, privacy policy, encryption policies and additional systems specific monitoring and reporting policies. Our policies provide the structure for periodic and continued monitoring and reporting. Exceptions are reported upstream through managment, with ultimate responsibility sitting with the CTO.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Cimar uses the Github System for configuration management of source code. All application change development is managed on a siloed principle, before deployment to a complete UAT environment with full roll-back capability. A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP test principles. Once a new releases resilience and performance is validated, security and stress tested, deployment to live cloud is implemented.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Cimar has a documented vulnerability management policy and process with Ambra Health, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3. Where technically possible, real-time updates and status reports are identified and sourced from credible sources. For other systems and software, assigned Ambra personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require technical attention or preventative action.
Protective monitoring type Supplier-defined controls
Protective monitoring approach In accordance with best practice from the National Cyber Security Centre, and Cyber Essentials PLUS, Cimar thoroughly protects its applications and systems at the hypervisor level and below. Our approach to protective monitoring includes realtime checks on malicious threats, Portscan attacks, evidence of unauthorized access to privileged accounts and anomalous occurrences that are not related to specific applications on the host, suspicious activities at a boundary, network connections and the status of backups, amongst others. All alerts are immediately notified to us for prompt investigation.
Incident management type Supplier-defined controls
Incident management approach Incident Management is managed through our own/Ambra policies which conform to the requirements of 21CFRPart11 and as detailed in our ISO9001 procedures. Our Incident and security monitoring policies define the chronological processes and remedial activities in the event of a detected threat that requires action above our systems automated threshold of control. Such action is reported through a predefined command/responsibility structure, and all such reports are recorded.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • New NHS Network (N3)


Price £0.2 per gigabyte per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Full access to a trial account including all available functionality.
By negotiation, inter-system (PACS, RIS, EMR) Gateway communications can be provided.
Trials are limited to PoC principles for our clients
Link to free trial


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑