Castlepoint Manage Information Everywhere

Castlepoint reads, registers and regulates all information in a network, in any format and any system. It uses Natural Language Processing to determine what each record is about, and so what regulations apply, and it then automates the process of compliance, disposition, security, privacy, audit, ediscovery, strategic, and operational management.


  • eDiscovery across all systems in a network without connectors
  • Regulatory compliance across all data using manage in place model
  • Identification, tracking, control of privacy information across systems
  • Identification, tracking, control of security and risk information, events
  • Artificial Intelligence for automated compliance, security without complex rules
  • Natural Language Processing including linguistic analysis and named entities
  • Records management including fully compliant sentencing and disposition
  • Information Asset Register with full regulation as code mapping
  • Visualisation, graphs, dashboards, reports for BI, audit and strategy
  • Ontologies and taxonomies to dynamically show risk, value and classification


  • Read/register all information in a network regardless of format/system
  • Apply rules from records authorities, Acts and Regulations automatically
  • Use true AI and automation, avoiding complex rules engines/models
  • Manage information in-place, without moving/copying to another system
  • Manage cloud or on-premises systems from the web portal
  • Avoid any user impact with a completely transparent compliance engine
  • Reduce costs of eDiscovery searches/reporting by up to 98.5%
  • Relate information together across systems through single pane of glass
  • Track, alert and report on breaches (e.g. deletions/data spills)
  • Manage all your systems without additional apps or connectors


£4,250 to £9,950 an instance a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

7 4 5 9 1 7 7 8 6 8 3 6 4 8 6


Telephone: 61488114767

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
There are no constraints to use of Castlepoint SaaS. Where customers wish to deploy Castlepoint on their own cloud environments, Linux-type servers must be used.
System requirements
Operating System licences when running within your own environment

User support

Email or online ticketing support
Email or online ticketing
Support response times
4-6 hours response within business hours M-F
4-8 hours response within business hours S-S
User can manage status and priority of support tickets
Online ticketing support accessibility
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
Web chat accessibility testing
Our chat service uses the Zendesk portal, which is fully tested against WCAG accessibility requirements.
Onsite support
Yes, at extra cost
Support levels
We provide two support levels: Business support for office hours, Monday to Friday, and Premium support, for on-premise assistance and after-hours support.

Business support is included in the software subscription cost. Premium support is billed at our standard time and materials rates per hour.

A Technical Account Manager is assigned to each client.

Our support portal provides multiple channels for support, including:
• Dedicated support email account
• Support Request portal
• Business hours phone support
• Live Chat Support.

The support portal also provides a Help Centre accessible online for your Level 1 staff. The Help Centre provides a comprehensive suite of knowledge articles for all capabilities Castlepoint provides to your organisation. The support portal is a key resource for first, second and third level support.

Support is available by phone, email, and our online support portal from 9AM to 5PM Monday to Friday, excluding public/bank holidays in your region. Out of hours support can be provided by agreement.

Responses are provided:
a. Under 4 hours (during business hours) for High priority.
b. Within 48 hours for Medium priority
c. Within 5 working days for Low priority
Support available to third parties

Onboarding and offboarding

Getting started
Online training and user documentation is available online to customers.

Implementation of Castlepoint in our SaaS environment follows the Castlepoint implementation plan as follows:
1. Castlepoint creates an Administrator user account automatically for the “owner” of the Castlepoint SaaS tenancy
2. The Owner/Administrator adds one or more Office 365 / cloud-based systems to Castlepoint for management
3. The Owner/Administrator approves Castlepoint SaaS Azure Active Directory account to access Office 365; OR Owner/Administrator provides an account to access an alternative cloud-based system
4. The business owner of the Castlepoint system configures the application by uploading their disposal schedules, taxonomies, and other desired rules; and setting their preferences for alerts, reports, and auditing.

Configuration is simple, and involves:
• Providing Castlepoint with access to your data to commence registration and indexing
• Adding your Records Authorities and other regulatory retention requirements to the system
• Adding your ontologies as required, to identify your high-value and/or high-risk data
• Setting any alerts you want to receive.

Castlepoint is a turn-key system and all steps are supported with wizards and forms. If required, our staff are available to assist you with any of these steps on a time and cost basis per our rates.
Service documentation
Documentation formats
End-of-contract data extraction
Users request download of their data via a service desk ticket, and it is provided via a secure download location. There are no impediments to clients extracting data from Castlepoint.
End-of-contract process
Data can be extracted on behalf of the client at the end of the contract.

The system is decommissioned 30 days after the contract ends (unless requested earlier).

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Form-factor of the mobile device changes the display and order of elements on the device
Service interface
Description of service interface
Castlepoint includes a HTML5 web portal for all interactions with the service, including dashboards, visualisations, and (fully exportable) reports.

The interface includes the following sections:
• Records Management (automatic registration, classification, sentencing and disposition)
• Security and Privacy Management, automatically identifying high-risk information
• Audit and monitoring with events captured on all records, by all users, and across all systems
• Alerts and Reporting when high-risk or high-value content is created, modified or moved
• eDiscovery with powerful and defensible search, ontology, and relating records across systems

All Castlepoint user interface components and capabilities are included in the standard license.
Accessibility standards
Accessibility testing
WCAG AA controls are part of our base test plans for the application
What users can and can't do using the API
Castlepoint provides a REST-based interface for all interactions with the system. All commands available through the user interface are available via the REST API.

No configuration is required to setup the API service, it is available by default.

The API can be used to connect Castlepoint to source systems in order to manage them in place. It can also be used to export information created by Castlepoint, such as classifications, disposal rules and regulatory requirements mapping, for consumption by other systems (such as RPA or BI tools).
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available


Independence of resources
Services are automatically scaled via serverless infrastructure design. Services are automatically constrained to ensure systems aren't impacted by demand or denial of service events.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export data directly from the user interface. All Castlepoint reports are exportable into .XLSX format by normal users at any time.

Users can also request export of full or partial contents of the Castlepoint database at any time, and this will be downloaded to a secure location.

Castlepoint also supports REST-based APIs to automatically export or ingest data from the Castlepoint system into any other supported system.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The Castlepoint service is available to users 24 hours a day, 365 days a year.

From time to time the availability of the service may be impacted by planned outages for support and sustainment purposes. Planned outages are not SLA impacting.

Service updates, including enhancements, updates, and patches are made continually, in an evergreen model, without downtime or user impact.
Availability is measured as Monthly Uptime Percentage (MUP), in which uptime is service availability, and downtime is periods where the system is not available, outside of a planned outage window. The MUP is the percentage of total minutes in the month where the system experienced unplanned downtime. The Castlepoint MUP target is 99.9%.

We provide a rebate to clients in the event that our MUP SLAs are not achieved. The standard conditions are a rebate of 5% of the monthly fee per incident of SLA breach, to a maximum of 50% of the monthly subscription fee for that month.

The rebate is applied as a service credit for a subsequent billing period, and is not redeemable for cash or other services. We will apply the credit to your billing automatically.
Approach to resilience
This information is available on request.
Outage reporting
Outages are reported to nominated client contacts by email.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access is restricted using Role Based Access Control in management and support channels. Access to services requires MFA.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Castlepoint is built in conformance with the Australian Cyber Security Centre Information Security Manual, the Protective Security Policy Framework, and ISO 27001. The solution is Cyber Essentials certified.
Information security policies and processes
Castlepoint complies with the Australian Cyber Security Centre Information Security Manual and the Protective Security policy Framework, as well as the ISO27001 (security management) and the Cabinet Office Security Policy Framework. Castlepoint is Cyber Essentials certified.

 Our team are certified in data privacy (CDPSE), information management (CIP), information systems audit (CISA), security management (CISM), and ethical hacking (CEH). We have extensive experience developing and implementing security controls at all layers, from governance to infrastructure. We are a trusted provider of security services to Federal governments, and have active Secret-level (SC) security clearances.

We ensure the safety and quality of our products and services by following and documenting strict quality management and information security management procedures. We formalize this governance by complying with the international standards ISO9001 (quality management) standard. We also have a strong corporate responsibility culture. We maintain detailed security documentation and controls.

We have multiple policies and programs in place to minimise the risk of fraud, malpractice and corruption, including:
• Alcohol and drugs policy
• Code of conduct
• Data Breach and Incident Response Policy
• Enterprise Risk Management Plan
• Information Security Staff Policies
• Remote and home-based work policy
• Telephone, mobile and internet policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All solution components are individually change tracked. All changes are assessed for security impact via assessment against Information Security Manual Statement of Applicability controls.

We use our certified change managers oversee the design, transition and operation of our projects into sustainment mode with our clients according to proven best practices. We are able to apply a formal and repeatable methodology, and to interface effectively with not only project SMEs, but with the systems owners and administrators who will have long term responsibility for the solutions that we implement.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We are enrolled in several security threat notification services, including vendor-managed and 3rd-party services. We deploy critical security patches within 48hrs of notification.

Our Certified Ethical Hacker (CEH) in-house resource provides manages vulnerability assessment, testing and secure development. We are an Australian Government Joint Cyber Security Centre Partner.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are identified via our management logging system, data exception monitoring, and managed service notifications.

We respond within 4-8 hours of notification. We maintain a detailed Data Breach and Incident Response Plan which is regularly updated.
Incident management type
Supplier-defined controls
Incident management approach
We have pre-defined processes for common incidents. Users report incidents via our service desk system, email, or direct contact. Incident reports are provided using a standard template.

Our Incident Response Team includes our CISO, CTO, Business Manager, Program Manager, Client Manager, and key resources in our IT Team. The dedicated Response Team may also involve external stakeholders in the response:

•ACSC via ReportCyber and the Partnership Program
•Department of Defence via ASD Assist (for advice on incidents)
•AusCert (for third party incident management).

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£4,250 to £9,950 an instance a month
Discount for educational organisations
Free trial available
Description of free trial
Access to the Castlepoint online trial environment in a read-only format. Users have full browse, review and discovery access to the environment but cannot change the configuration. Configuration is read-only and can be viewed.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.