Damibu Ltd

CATCH - Common Approach to Children's Health

CATCH is a health information service which supports CCGs or LAs to easily customise and publish hyper-local health information. Designed for parents of young children, content is delivered through personalised notifications when it is most relevant, maximising the opportunity for engagement and behaviour change, reducing inappropriate service usage.


  • Hyper-local customisation of content
  • Integration of existing local services
  • Notification through mobile app
  • Analytics dashboard
  • Content Management Dashboard
  • Social Media Marketing
  • Health promoters available to attend briefing sessions
  • Information Governance compliant, no personally identifiable data
  • Monitoring and updating of content
  • Content available offline


  • Reduce inappropriate service use
  • Increase confidence to deliver care at home
  • Personalised content delivery to reduce 'information overload' for parents
  • Customise regional content to align with current campaigns
  • Reduced workload for teams, support provided by CATCH content managers
  • Review anonymised analytics by postcode or LSOA
  • Increased reach of local services by linking to relevant content
  • A unified information source delivered across services


£10000 to £40000 per licence per year

Service documents


G-Cloud 11

Service ID

6 7 2 8 9 5 5 2 6 0 8 9 9 7 5


Damibu Ltd

David Burrows



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Dashboard requires an up to date web browser
  • CATCH app requires Android 7 or higher
  • CATCH app requires iOS 9 or later

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Email responses within 24 hours on weekdays. Only Level 1 High Priority support available at weekends.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels Telephone and email helpdesk 09.00 to 17.00 Monday to Friday.

Technical Support Priorities and Timescales
1 (High) : Full system outage – no users at all can use the system. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Partial system outage – a significant number of users are affected. Response 10 mins. Resolve: 1 business day
3 (Low) : Minor – a handful of users or a part of the system is not working to Specification. Response: 1 hour. Resolve 5 business day
4 (Query) : Minimal impact. Response; 3 business days. Resolve 20 business days

Content Management
All content requires approval by the client, the following assumes that approval has been given...
1 (High) : Incorrect Clinical Information. Response: 10 mins. Resolve 4 hours.
2 (Medium) : Incorrect non-Clinical Information. Response 10 mins. Resolve: 1 business day
3 (Low) : Additional Information. Response: 1 hour. Resolve 5 business day

Health Promotion
Health promoters are available to attend briefing sessions (for example GP practice forums, health visitor briefings or PLT events) and a limited number of public engagement events.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started For users of the CATCH app, no training or documentation is required. The app was designed to be intuitive with all the information required to use the app available as part of it's design.

Onsite training is available for buyers using the management portal.
Service documentation No
End-of-contract data extraction No user data is stored as part of the service, all content is available in the public domain.

Analytical data is shared with buyers regularly in open format (PDF) and can be exported at any time.
End-of-contract process Users of the app will be notified that their area is no longer being supported and asked to select their nearest supported region.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile app is designed for parents, the desktop service is the management dashboard that focuses on customising content and viewing analytical data.
Service interface No
What users can and can't do using the API There is a private API for communication between the content delivery network and the mobile app. We do have plans to make this API available to clients and client selected 3rd parties.
API documentation No
API sandbox or test environment No
Customisation available Yes
Description of customisation All information delivered via the Content Delivery Network to the app can be customised by clients. This includes removal of any of the default health articles; adding any locally required health articles; adding and linking national and local support groups to health articles;


Independence of resources The information streams are delivered via AWS's Cloud Front Content Delivery Network (CDN). Amazon CloudFront content delivery network is optimised for low latency and high data transfer speeds. A CloudFront "miss" is passed back to an auto-scalable server-less architecture.


Service usage metrics Yes
Metrics types Analytics is built in to many features of the app and can be accessed through the management dashboard.

Metrics are visible as a data table, visualisation or heat map for each geographic region.

Metrics can be viewed as a whole (e.g. top 10 articles), or per article (e.g. Number of views per post-code for this content).

User Surveys are delivered through the app, responses are checked to ensure there is no risk to confidentiality and are shared with buyers to provide additional usage data.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Health Information articles are stored in a SQL database and Analytics is stored in a noSQL database. Both datasets can be exported to CSV format.
Data export formats CSV
Data import formats Other
Other data import formats
  • Online health/support webpage URL import via web form
  • DOC, Pages and PDF import via our content managers

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks TLS (Version 1.2 or above) and availability controlling access by IP subnet
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Service Availability : 99.99% during work days, 99.9% for nights/weekends.
Unplanned Outages : Refunded at a pro-rata percentage
Approach to resilience Our platform is highly resilient with 2 cacheing layers and a server-less architecture.
Firstly, Health Information is cached within the app so that if the mobile device is offline or our cloud services go down the app users can still access the information.
Secondly, the app receives Health Information updates via a Content Delivery Network that caches data from our server-less architecture. So if the server-less architecture fails then the CDN will still have a region's latest information to deliver to the mobile app.
Thirdly, the server-less architecture is very resilient in itself, as it uses an on-demand hardware resource allocation. A server is only allocated to a task as and when a data request is made.
Outage reporting EMail alerts have been set up to notify of any unexpected behaviour.

Identity and authentication

Identity and authentication
User authentication needed No
Access restrictions in management interfaces and support channels Access to the content management dashboard is via username and password with the ability to limit access by network IP range
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications NHS Information Governance Toolkit Version 14.1 (2017-2018)

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards NHS England Information Governance Data Protection Registration Number - ZA276533
Information security policies and processes Adhere to the NHS Information Governance Toolkit Version 14.1 (2017-2018). Moving to the Data Security and Protection Toolkit after 31st March 2019 when it replaces the above IG Toolkit.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All tasks are tracked through a Jira project management system, before being thoroughly assessed for Information Governance compliance. Once the task is completed, its progress is tracked through a cloud-based version control system.

An IG template table, according to section 14.1 - 210 (Implementation of new processes and information assets) is used for monitoring changes.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Risk assessments to identify and mitigate issues are carried out as part of a process that is compliant with the relevant aspects of NHS Information Governance Toolk

An annual review is be conducted of all active accounts to ascertain whether access controls are being governed appropriately and access will be restricted if necessary to prevent vulnerabilities in data security (IG Section 14.1 - 305, Access Control Functionality).
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our Content Delivery Network accepts only well-formed connections to prevent many common DDoS attacks, like SYN floods and UDP reflection attacks. It can also automatically close connections that are unusually slow, which can indicate a potential DDoS attack.

Automatic "Watchers" are assigned to all delivery systems that notify upon specific trigger values being exceeded. Any threats to our service are identified and resolved within 1 business hour.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach As specified in the Information Governance documentation, section 14.1 - 320 (Incident management and reporting), all incidents and near-misses which arise must be reported. This is done via the Incident Report Form sent to the IG lead, followed by a management meeting, from which appropriate action is taken. All staff have received training on how to find, fill out and submit the Form. Incidents must subsequently be submitted through the Incident Reporting Tool by the IG lead.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10000 to £40000 per licence per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑