CiT Digital Limited

iMediaflow Digital Asset Management (DAM) Solution & Managed Services

CiT Digital is the specialist solution provider of DAM software, iMediaflow®. As highly experienced experts in the industry, we are able to give advice on collating archives and keywording/taxonomy. We also provide managed services for outsourced collections for organisations that don’t have the in-house expertise or resources.


  • Storage/Retrieval and Indexing of digital assets
  • Shareable Central Repository across staff/partners/agents/suppliers/clients
  • Roles/Permissions based access to digital assets
  • GDPR Compliant
  • Multi-faceted search facility
  • Domain specific Controlled Vocabulary (Taxonomy)
  • All major digital file types including Photos, Videos, Audio, Graphics, Artworks etc.
  • Secure E-commerce enabled
  • Video trimming - combine clips to create a new asset
  • Brand Guidelines Module


  • Publish content from anywhere using multiple devices
  • Control access to your digital assets based on user roles/permissions
  • Avoid costly copyright infringements & reputational damage
  • Fastest tagging of your assets enabling quick access to your content
  • SafeSend – GDPR compliant encrypted/audited filesharing
  • Automatic Keywording
  • Collaborate more easily and quickly delivering better results
  • Controlled-Vocabulary-Builder enabling you to create your own domain specific language
  • Have instant access to your permissions/restrictions for each asset
  • Monetize your digital assets using our e-commerce facility


£9500 per licence per year

  • Education pricing available

Service documents

G-Cloud 11


CiT Digital Limited

Richard Cruz

0114 258 2400

Service scope

Service constraints N/A
System requirements
  • Requires internet access for cloud solution
  • Requires a standard browser

User support

Email or online ticketing support Email or online ticketing
Support response times Depends on your SLA. Ranges from 4 - 24 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AAA
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AAA
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels Standard SLAs are as below:
Critical Fault - resolution within maximum 3 working days
Major Fault - resolution within maximum 5 working days
Important Fault - resolution within maximum 8 working days
Other SLAs can be negotiated at an additional premium
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide an online onboarding service that includes online training and user documentation, as well as the option of migrating the customer's existing collection from a legacy solution.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction There is a one-off cost based on the specific requirements of the customer
End-of-contract process At the end of the contract, there is an option for the customer to purchase an off-boarding service. Alternatively, the customer pays a nominal fee for a certificate confirming secure destruction of all data belonging to the customer.

Using the service

Web browser interface Yes
Using the web interface All features are available to the users simply by logging on to the service using their user credentials. The administrators can modify access privileges/features/functions etc at their convenience. There are no limitations.
Web interface accessibility standard WCAG 2.1 AAA
Web interface accessibility testing Full testing is done as per the list below:
• Screen reader: JAWS (person with a severe vision impairment)
• Screen reader: NVDA (person with a severe vision impairment)
• Magnifier: ZoomText (person with a moderate vision impairment)
• Speech recognition: Dragon Naturally Speaking (person with a physical impairment)
• Speech recognition: Windows Speech Recognition (person with a cognitive impairment)
What users can and can't do using the API Users can set up the API service through a REST protocol architecture, to perform functionality such as Search/Download.
Users can upload new versions of a digital asset.
No real limitations other than ensuring they do not exceed their agreed quota for a given period.
API automation tools
  • OpenStack
  • Other
Other API automation tools Postman
API documentation Yes
API documentation formats PDF
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources We constantly monitor the service and manage the services so that we avoid scenarios where customers can seriously affect the performance of other customers.
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up All data/assets and websites
Backup controls This service is controlled and managed by us and is not accessible to the user.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability The SLAs are laid out clearly in our contract terms, under which customers can claim a refund in the event of a failure to meet guaranteed levels of liability.
Approach to resilience Details regarding our datacentre set up and resilience are available upon written request.
Outage reporting Any instance of service outage is notified by email. However, we are happy to report that thus far we have never had any outages.

Identity and authentication

User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels The management elements are controlled by a separate URL dedicated to the back-office part of the system. It is also controlled by User Profiles ensuring that there is clear separation between management and normal users. Similarly, there is also a separate URL dedicated to the Support channel that is also controlled by User Profiles.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Security Metrics
PCI DSS accreditation date 13/07/18
What the PCI DSS doesn’t cover N/A
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a comprehensive Information Security Policy that covers all aspects of information handled by the company. It also covers the processes/procedures to follow. The ultimate responsibility for the compliance/resolution is held by the board member assigned with the role of Chief Security Officer.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We have a documented Change Control Process (CCP). All formal changes are managed and executed according to the CCP. The control process will ensure that changes proposed are assessed/reviewed, authorised, tested, implemented, and released in a controlled manner for potential security impact; and that the status of each proposed change is monitored. Any software change and/or update shall be controlled with version control. Older versions shall be retained in accordance with corporate retention and storage management policies.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We use both our own tests and services provided by a recognised third-party security provider to perform regular vulnerability tests, at minimum intervals of 3 months. We are PCI DSS compliant. Patches are usually deployed within 24 hours of being notified. Our contracted service provider informs us of new and potential threats in a timely manner.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use a number of third-party solution providers to monitor our services and, should they come across anything untoward, we are notified immediately. The responses are determined by our Information Security Policy. We normally respond to these threats within a 24-hour period.
Incident management type Supplier-defined controls
Incident management approach We have a predefined set of processes, based on our Information Security Policy, that we follow to manage incidents. Users are advised to inform the security officer in the event of a security-related incident. Incident reports are raised as laid out in our Information Security Policy.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used Hyper-V
How shared infrastructure is kept separate Each customer is optionally given their own VM such that all their data is kept separate from all other customers.

Energy efficiency

Energy-efficient datacentres Yes
Description of energy efficient datacentres We can provide full details upon written request


Price £9500 per licence per year
Discount for educational organisations Yes
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)