Control Risks

Legal Technologies

Control Risks creates tailored preparation and response services for organisations facing legal matters in complex markets globally. Our Legal Technologies teams assist clients involved in internal investigations or litigation by offering litigation discovery, investigation, arbitration and regulatory review services. We manage this using Relativity and Nuix.


  • Data processing
  • Early data assessment
  • Duplicate and near-duplicate analysis
  • End-to-end project management
  • Data collection
  • Forensic accounting review and computer forensic analysis
  • Email threading
  • Language recognition and machine translation services
  • Defensible data processing


  • Quickly find relevant information through our software capabilities
  • Global footprint with 37 locations and 8 global data centres
  • Fast, collaborative response to ensure client costs are predictable
  • Simple pricing model to forecast costs and manage budgets
  • Manage high volumes of electronically stored information (ESI)
  • Independent in-house eDiscovery technology
  • End-to-end capabilities to manage client projects
  • Industry recognised methodology
  • Robust analytical tools to understand facts in advance of cases


£25 to £130 per gigabyte

Service documents

G-Cloud 9


Control Risks

Charli Whitlock

+44 20 79702374

Service scope

Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints No constraints to the service.
System requirements
  • N/A
  • N/A

User support

Email or online ticketing support Email or online ticketing
Support response times Support is available 24/7, with responses within 30 minutes.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Each matter has a lead project manager assigned that would be the main point of contact. The project manager is then supported by the project management team. The costs are consistent regardless of the level of the project manager. Costs for project management are charged on a time and material basis.
Support available to third parties Yes

Onboarding and offboarding

Getting started A combination of onsite training, online training and user documentation is offered when onboarding for new projects.
There are no limitations to the support provided; ongoing support is offered whenever needed or required.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction There are three options:
1) Deletion of the database: we will provide a certificate of destruction.
2) Data export: we can provide you with an export/production of all the documents from the database; this would include a native file production, text, metadata and work product tagging.
3) Cold case hosting: we can continue hosting the data at a lower rate and restrict user access.
End-of-contract process 1) No cost to delete the database.
2) To export the data, the charges would depend on the size of the database.
3) To cold case the database: £8.00/GB/month.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility None
Accessibility testing None
Customisation available No


Independence of resources We have a robust infrastructure that adheres to industry best practice.


Service usage metrics Yes
Metrics types Our reporting capabilities are wide ranging. Reports can include review statistics on a daily or weekly basis, user log-in audits and general utilisation reports.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Concordance file format.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Assured by contractual commitment.
Approach to resilience Available on request.
Outage reporting Email alerts

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels The Project Management team would restrict access on the instructions of the client. This can be actioned immediately.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 10/02/2017
What the ISO/IEC 27001 doesn’t cover This certification covers the protection of corporate and client information required to provide and support political, integrity and security risk consultancy and training services, in the UK.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The Chief Executive and Board are responsible for the overall direction and commitment to information security. The Board is responsible for approving the Information Security Policy. The Policy Committee is responsible for reviewing and approving new versions of the Information Security Policy, escalating substantive changes to the Board. The Regional Directors are responsible for providing adequate resources, and monitoring / improving the effectiveness of the ISMS. The CISO is responsible for maintaining this policy, the ISMS, and its associated policies/procedures/standards, as well as providing advice and guidance on their implementation. The CISO is also responsible for auditing compliance with the policy, raising any non-compliances, and tracking remediations to completion. All managers are directly responsible for implementing the policy within their business areas, as relevant to their business, and for adherence by their staff. It is the responsibility of all employees to adhere to the Policy as relevant to their roles, and to report any non-compliance they observe.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach TBC
Vulnerability management type Supplier-defined controls
Vulnerability management approach Details available on request, under non-disclosure agreement.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Details available on request, under non-disclosure agreement.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We have defined and documented processes for managing incidents. These are used in response to security incidents. There are detailed processes for dealing with common types of incident (including, but not limited to, ransomware infection, other malware infection, phishing).
External provider, partner and client organisations have defined routes in place for reporting of security incidents. We also have a defined route for dealing with individuals, e.g., for data access requests.
Security incidents of relevance to you will be reported as soon as possible.
Further information on our processes is available on request, under a non-disclosure agreement.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £25 to £130 per gigabyte
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document