CiT Digital Limited

iMediaflow Digital Asset Management (DAM) Solution & Managed Services

CiT Digital is the specialist solution provider of DAM software, iMediaflow®. As highly experienced experts in the industry, we are able to give advice on collating archives, keywording/taxonomy. We also provide managed services for outsourced collections for organisations that don’t have the in-house expertise or resources.


  • Storage/Retrieval and Indexing of digital assets
  • Shareable Central Repository across staff/partners/agents/suppliers/clients
  • Roles/Permissions based access to digital assets
  • GDPR Compliant
  • Multi-faceted search facility
  • Domain specific Controlled Vocabulary (Taxonomy)
  • All major digital file types including Photos,Videos,Audio,Graphics,Artworks etc
  • Secure E-commerce enabled
  • Video trimming - combine clips to create a new asset
  • Brand Guidelines Module


  • Publish content from anywhere using multiple devices
  • Control access to your digital assets based on user roles/permissions
  • Avoid costly copyright infringements & reputational damage
  • Fastestest tagging of your assets enabling quick-access to your content
  • SafeSend – GDPR compliant encrypted/audited filesharing
  • Automatic Keywording
  • Collaborate more easily and quickly delivering better results
  • Controlled-Vocabulary-Builder enabling you to create your own domain specific language
  • Have instant access to your permissions/restrictions for each asset
  • Monetize your digital assets using our e-commerce facility


£9500 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

6 3 6 8 1 6 0 6 5 7 7 8 9 3 2


CiT Digital Limited

Richard Cruz

0114 258 2400

Service scope

Service constraints
System requirements
  • Requires internet access for cloud solution
  • Requires a standard browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Depends on your SLA. Ranges from 4 - 24 hours
User can manage status and priority of support tickets
Online ticketing support accessibility
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
Web chat accessibility testing
Onsite support
Yes, at extra cost
Support levels
Standard SLAs are as below:
Critical Fault - resolution within maximum 3 working days
Major Fault - resolution within maximum 5 working days
Important Fault - resolution within maximum 8 working days
Other SLAs can be negotiated at an additional premium
Support available to third parties

Onboarding and offboarding

Getting started
We follow an on-line onboarding service that includes online training, that includes user documentation as well as the option of migrating their existing collection from a legacy solution.
Service documentation
Documentation formats
End-of-contract data extraction
There is a one-off cost based on the specific requirements of the customer
End-of-contract process
At the end of the contract, there is an option for the customer to purchase an off-boarding service. Alternatively, the customer pays a nominal fee for a certificate confirming secure destroyal of all data belonging to the customer.

Using the service

Web browser interface
Using the web interface
All features are available to the users simply by logging on to the service using their user credentials. The administrators can modify access privileges/features/functions etc at their convenience. There are no limitations.
Web interface accessibility standard
Web interface accessibility testing
Full testing is done as per the list below:
• Screen reader: JAWS (person with a severe vision impairment)
• Screen reader: NVDA (person with a severe vision impairment)
• Magnifier: ZoomText (person with a moderate vision impairment)
• Speech recognition: Dragon Naturally Speaking (person with a physical impairment)
• Speech recognition: Windows Speech Recognition (person with a cognitive impairment)
What users can and can't do using the API
Users can set up the API service through a REST protocol architecture, to perform functionality such as Search/Download.
Users can upload new versions of a digital asset.
No real limitations other than ensuring they do not exceed their agreed quota for a given period.
API automation tools
  • OpenStack
  • Other
Other API automation tools
API documentation
API documentation formats
Command line interface


Scaling available
Scaling type
Independence of resources
We constantly monitor the service and manage the services so that we avoid scenarios where customers can seriously affect the performance of other customers.
Usage notifications
Usage reporting


Infrastructure or application metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
All data/assets and websites
Backup controls
This service is controlled and managed by us and is not accessible to the user.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The SLAs are laid out clearly in our contract terms, where they will be able to claim a refund in the instance of a failure to meet guaranteed levels of liability.
Approach to resilience
Details regarding our datacentre set up and resilience are available upon written request.
Outage reporting
Any instance of service outage is alerted by an email. However, we are happy to report that thus far we've never had an instance of any outages.

Identity and authentication

User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels
The management elements are controlled by a separate URL dedicated to the back-office part of the system. It is also controlled by User Profiles ensuring that there is clear separation between management and normal users. Similarly, there is also a separate URL dedicated to the Support channel that is also controlled by User Profiles.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
Dedicated device on a segregated network (providers own provision)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
Security Metrics
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a comprehensive Information Security Policy that covers all aspects of information handled by the company. It also covers the processes/procedures to follow. The ultimate responsibility for the compliance/resolution is held by the board member assigned with the role of Chief Security Officer.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have a documented Change Control Process (CCP). All formal changes are managed and executed according to the CCP. The control process will ensure that changes proposed are assessed/reviewed, authorised, tested, implemented, and released in a controlled manner for potential security impact; and that the status of each proposed change is monitored. Any software change and/or update shall be controlled with version control. Older versions shall be retained in accordance with corporate retention and storage management policies.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use both our own tests as well as those services provided by a recognised thirdparty security provider to perform regular vulnerability tests, at minimum intervals of 3 months. We are PCI DSS compliant. Patches are deployed usually within 24 hours of being notified. Our contracted service provider informs us of new and potential threats in a timely manner.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use a number of thirdparty solution providers to monitor our services and should they come across anything untoward, we are notified immediately. The responses are determined by our Information Security Policy. We normally respond to these threats within a 24 hour period.
Incident management type
Supplier-defined controls
Incident management approach
We have a predefined set of processes, based on our Information Security Policy, that we follow to manage incidents. Users are advised to inform the security officer of in the event of a security related incident. Incident reports are raised as laid out in our Information Security Policy.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
Each customer is optionally given their own VM such that all their data is kept separate from all other customers.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
We can provide full details upon written request


£9500 per licence per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑