Bit Zesty

Vigilion: AntiVirus & Malware File Scanner API

Vigilion is an easy-to-integrate cloud scanning API service for systems that have user file-upload functionality. Our real-time anti-malware security solution stops viruses from reaching your users, helping you meet the security requirements of IT Health Checks (ITHC) for your cloud services. Used by BEIS & National Archives.


  • Scans user uploaded files for viruses and malware
  • Leverages an award-winning virus scanner for optimal virus detection
  • Multiple database updates per day to respond to ever-changing threats
  • Easy plug-and-play integration into any programming language (REST API)
  • All data transfer is secure and encrypted
  • Insightful real-time analytics display available
  • Reporting and settings delivered via a web based management console
  • On-site installation available


  • Not having to code and maintain your own antivirus solution
  • Protect your system against malware infection
  • Track the security of your file-uploading system in real-time
  • Meet your security requirements


£2000 per licence per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Bit Zesty

Matthew Ford

+44 (0) 2071250160

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints 2GB file size limits
System requirements None

User support

Email or online ticketing support Email or online ticketing
Support response times 1 business day
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Basic email/chat support during business hours is included in the service price.

Priority support (24x7) is available for £4000 per month.
Support available to third parties No

Onboarding and offboarding

Getting started Documentation and onboarding support online or via phone
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction We do not store the user's data files
End-of-contract process Termination of API service.

Using the service

Web browser interface No
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility Via an API
Accessibility testing N/A
What users can and can't do using the API The file scanning service is an API
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources We have autoscaling in place to scale up to cope with any level of demand. The files are scanned in sandboxed containers, so they are not affected by other users.


Service usage metrics Yes
Metrics types Files scanned per month
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Via the API
Data export formats Other
Other data export formats JSON
Data import formats Other
Other data import formats JSON

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.0%
Approach to resilience We use Amazon AWS in a high availability setup; more information is available upon request.
Outage reporting API & Email alerts

Identity and authentication

User authentication needed Yes
User authentication Other
Other user authentication API Keys
Access restrictions in management interfaces and support channels N/A
Access restriction testing frequency At least once a year
Management access authentication
  • Username or password
  • Other

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Plus

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We are currently undergoing ISO 27001 accreditation and CSA CCM v3.0 self assessment.
Information security policies and processes Policies and processes are reviewed annually and issues reported to the chief information security officer (CISO).

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow TDD, CI, and CD. All changes are peer reviewed and must pass CI before being deployed into staging. In staging we perform a full system test (smoke test) before changes are pushed into production.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We patch critical security issues as soon as possible (typically within an hour). For other lower priority updates we follow an 8-week patching cycle.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We collect audit log information of all actions. Our system is based on Docker images; if a potential compromise were found, we would roll back to the last known safe image. We would respond to issues as soon as possible.
Incident management type Supplier-defined controls
Incident management approach We have an incident reporting process; we provide the reports to users via email. Users report incidents to us via the helpdesk.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £2000 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial 1 month, max file size 2MB and 100 files per month


Pricing document View uploaded document
Terms and conditions document View uploaded document