CACI Software Application UK Hosting [H6]

CACI's service provides secure, highly available and scalable Saas like platform for software database applications. This includes rapid onboarding of local authority hosted databases and configuration of extended functions and services e.g. Data matching Hub, Data warehouse, 3rd party reporting tools, VPN connectivity, systems integration and automated data exchange.


  • Database onboarding
  • Platform Security and Resilience
  • PSN and NHSC Compliant
  • Systems Integration
  • Data Exchange
  • SaaS


  • OPEX vs CPEX
  • High Availability
  • Seamless Support
  • Continuous Application and Software Updates
  • Flexibile Systems Integration Options


£2,999 a virtual machine a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

7 2 4 9 0 8 6 0 1 7 6 5 6 6 2


CACI UK Ltd CACI Digital Marketplace Sales Team
Telephone: 0207 602 6000

Service scope

Service constraints
This service is for UK only hosting.
System requirements
Common browser access.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide a web support and helpdesk portal to process customer issues, requests for support and software changes. We aim to deliver minimal downtime. When a serious fault (Severity 1 & 2) is reported, and an application is not available or unusable, we will immediately respond and diagnose the issue using our technical consultants. In our experience, this is typically within a couple of hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
CACI have reviewed inclusive features in Skype for Business / Microsoft Teams:

- Users with vision impairments can get shared content on their own devices. This lets them use their favourite assistive technologies, such as a screen reader or magnifier.
- Users with hearing impairments can get transcription services in real time, through Communication Access Realtime Translation (CART).
Onsite support
Yes, at extra cost
Support levels
All CACI’s customers receive a comprehensive support package as standard. This is included in the annual support and maintenance charge. Support is an area CACI is confident it over performs in; it’s constantly cited as one of the reasons why our customers partner with us, and why they stay with CACI. lation to our services and product development.
Support available to third parties

Onboarding and offboarding

Getting started
As applicable to the CACI application, we provide on-site training and user documentation.
Service documentation
Documentation formats
End-of-contract data extraction
We provide a Secure Data Transfer of customer data to enable customer extracting from the database
End-of-contract process
We provide a secure transfer of any database containing client information to the customer. On confirmation of receipt we will destroy the data on all hosting media and provide the customer confirmation of this.

Other services such as diassembling or extracting data on behalf of the customer will be at extra cost.

Using the service

Web browser interface
Using the web interface
Securely access database application functions according to user role.
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
We provide user interface prompts that can be accessed exclusively by the keyboard including keystroke combinations. This approach typically sufficiently supports assistive technologies such as JAWS and Dragon software
What users can and can't do using the API
APIs for import, export are accessible via the application. API's for data exchange and configured on request
API automation tools
Other API automation tools
API documentation
Command line interface


Scaling available
Independence of resources
Configuration of VMs and contingency components suited to customer environment.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
Back-up virtualised environments, firewall configurations, complete virtual machines, databases
Backup controls
Back up retention is 3 months on offsite encrypted tapes.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Single datacentre with multiple copies
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
HTTPS ( TLS ) for webserver
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Data segregation through VLANs and strict AD NTFS permissions.

Availability and resilience

Guaranteed availability
Service availability is 99% between a 0800 1800 , Monday to Friday as standard.
Approach to resilience
Available on request.
Outage reporting
In the unlikely event of service outage an email alert would be sent to the user(s).

Identity and authentication

User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Administrative access is via VPN 2-factor glass screen access only and restricted to a small number of administrators.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Other
Description of management access authentication
2-factor VPN.
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Not applicable.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
CACI have implemented an Information Security Management System (ISMS) containing a set of policies and procedures for systematically managing sensitive data, systems and processes. Our ISMS uses the 27001 standard as a baseline.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are subject to our Change Control Policy, which forms part of our ISMS. All major and significant changes are peer reviewed and approved by the change advisory board (CAB) which delivers support to a change management team by approving requested changes and assisting in the assessment and prioritisation of changes.

Appropriate impacted stakeholders are notified before changes are applied.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Deployment of serves packs/updates is in accordance with our ISO27001 Patching Policy.

Patches are first deployed to a test group and only upon a successfully testing period are they deployed to the remained of the enterprise

All patches are deployed within 30 days. This is done automatically utilising windows WSUS. Critical patches are applied immediately.
Patches are first tested by Alpha and Beta testing groups before being rolled out to the organisation.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
IPS is used to identify potential threats and respond to them swiftly. It is configured to monitors network traffic, and take immediate action, based on a set of rules established by our network team. The Nessus vulnerability scanning product is used to detect vulnerabilities on systems and applications.
Incident management type
Supplier-defined controls
Incident management approach
All Security Incidents are recorded and documented in-line with our security incident policy and response procedure. For each incident, a root cause analysis is conducted and a corrective and preventative action is implemented to prevent or reduce the probability of the incident reoccurring in the future. If any incident involves data or systems belonging to a client, the account manager must inform the client within 2 working days of the incident occurring.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Oracle VM
How shared infrastructure is kept separate

Energy efficiency

Energy-efficient datacentres


£2,999 a virtual machine a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.