CASTLEPOINT SYSTEMS LIMITED

Castlepoint Manage Information Everywhere

Castlepoint reads, registers and regulates all information in a network, in any format and any system. It uses Natural Language Processing to determine what each record is about, and so what regulations apply, and it then automates the process of compliance, disposition, security, privacy, audit, ediscovery, strategic, and operational management.

Features

• eDiscovery across all systems in a network without connectors
• Regulatory compliance across all data using manage in place model
• Identification, tracking, control of privacy information across systems
• Identification, tracking, control of security and risk information, events
• Artificial Intelligence for automated compliance, security without complex rules
• Natural Language Processing including linguistic analysis and named entities
• Records management including fully compliant sentencing and disposition
• Information Asset Register with full regulation as code mapping
• Visualisation, graphs, dashboards, reports for BI, audit and strategy
• Ontologies and taxonomies to dynamically show risk, value and classification

Benefits

• Read/register all information in a network regardless of format/system
• Apply rules from records authorities, Acts and Regulations automatically
• Use true AI and automation, avoiding complex rules engines/models
• Manage information in-place, without moving/copying to another system
• Manage cloud or on-premises systems from the web portal
• Avoid any user impact with a completely transparent compliance engine
• Reduce costs of eDiscovery searches/reporting by up to 98.5%
• Relate information together across systems through single pane of glass
• Track, alert and report on breaches (e.g. deletions/data spills)
• Manage all your systems without additional apps or connectors

£4,250 to £9,950 an instance a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Framework

G-Cloud 12

Service ID

745917786836486

Contact

Rachael Greaves
61488114767
rachaelg@castlepoint.systems

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: There are no constraints to use of Castlepoint SaaS. Where customers wish to deploy Castlepoint on their own cloud environments, Linux-type servers must be used.
• System requirements: Operating System licences when running within your own environment

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 4-6 hours response within business hours M-F; 4-8 hours response within business hours S-S
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: Our chat service uses the Zendesk portal, which is fully tested against WCAG accessibility requirements.
• Onsite support: Yes, at extra cost
• Support levels: We provide two support levels: Business support for office hours, Monday to Friday, and Premium support, for on-premise assistance and after-hours support.; ; Business support is included in the software subscription cost. Premium support is billed at our standard time and materials rates per hour.; ; A Technical Account Manager is assigned to each client.; ; Our support portal provides multiple channels for support, including:; • Dedicated support email account; • Support Request portal ; • Business hours phone support ; • Live Chat Support.; ; The support portal also provides a Help Centre accessible online for your Level 1 staff. The Help Centre provides a comprehensive suite of knowledge articles for all capabilities Castlepoint provides to your organisation. The support portal is a key resource for first, second and third level support. ; ; Support is available by phone, email, and our online support portal from 9AM to 5PM Monday to Friday, excluding public/bank holidays in your region. Out of hours support can be provided by agreement.; ; Responses are provided:; a. Under 4 hours (during business hours) for High priority. ; b. Within 48 hours for Medium priority; c. Within 5 working days for Low priority
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training and user documentation is available online to customers.; ; Implementation of Castlepoint in our SaaS environment follows the Castlepoint implementation plan as follows:; 1. Castlepoint creates an Administrator user account automatically for the “owner” of the Castlepoint SaaS tenancy; 2. The Owner/Administrator adds one or more Office 365 / cloud-based systems to Castlepoint for management ; 3. The Owner/Administrator approves Castlepoint SaaS Azure Active Directory account to access Office 365; OR Owner/Administrator provides an account to access an alternative cloud-based system; 4. The business owner of the Castlepoint system configures the application by uploading their disposal schedules, taxonomies, and other desired rules; and setting their preferences for alerts, reports, and auditing. ; ; Configuration is simple, and involves:; • Providing Castlepoint with access to your data to commence registration and indexing; • Adding your Records Authorities and other regulatory retention requirements to the system; • Adding your ontologies as required, to identify your high-value and/or high-risk data; • Setting any alerts you want to receive. ; ; Castlepoint is a turn-key system and all steps are supported with wizards and forms. If required, our staff are available to assist you with any of these steps on a time and cost basis per our rates.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Users request download of their data via a service desk ticket, and it is provided via a secure download location. There are no impediments to clients extracting data from Castlepoint.
• End-of-contract process: Data can be extracted on behalf of the client at the end of the contract. ; ; The system is decommissioned 30 days after the contract ends (unless requested earlier).

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Form-factor of the mobile device changes the display and order of elements on the device
• Service interface: Yes
• Description of service interface: Castlepoint includes a HTML5 web portal for all interactions with the service, including dashboards, visualisations, and (fully exportable) reports.; ; The interface includes the following sections:; • Records Management (automatic registration, classification, sentencing and disposition); • Security and Privacy Management, automatically identifying high-risk information; • Audit and monitoring with events captured on all records, by all users, and across all systems; • Alerts and Reporting when high-risk or high-value content is created, modified or moved; • eDiscovery with powerful and defensible search, ontology, and relating records across systems; ; All Castlepoint user interface components and capabilities are included in the standard license.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: WCAG AA controls are part of our base test plans for the application
• API: Yes
• What users can and can't do using the API: Castlepoint provides a REST-based interface for all interactions with the system. All commands available through the user interface are available via the REST API.; ; No configuration is required to setup the API service, it is available by default.; ; The API can be used to connect Castlepoint to source systems in order to manage them in place. It can also be used to export information created by Castlepoint, such as classifications, disposal rules and regulatory requirements mapping, for consumption by other systems (such as RPA or BI tools).
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Services are automatically scaled via serverless infrastructure design. Services are automatically constrained to ensure systems aren't impacted by demand or denial of service events.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export data directly from the user interface. All Castlepoint reports are exportable into .XLSX format by normal users at any time.; ; Users can also request export of full or partial contents of the Castlepoint database at any time, and this will be downloaded to a secure location.; ; Castlepoint also supports REST-based APIs to automatically export or ingest data from the Castlepoint system into any other supported system.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The Castlepoint service is available to users 24 hours a day, 365 days a year. ; ; From time to time the availability of the service may be impacted by planned outages for support and sustainment purposes. Planned outages are not SLA impacting. ; ; Service updates, including enhancements, updates, and patches are made continually, in an evergreen model, without downtime or user impact. ; Availability is measured as Monthly Uptime Percentage (MUP), in which uptime is service availability, and downtime is periods where the system is not available, outside of a planned outage window. The MUP is the percentage of total minutes in the month where the system experienced unplanned downtime. The Castlepoint MUP target is 99.9%.; ; We provide a rebate to clients in the event that our MUP SLAs are not achieved. The standard conditions are a rebate of 5% of the monthly fee per incident of SLA breach, to a maximum of 50% of the monthly subscription fee for that month.; ; The rebate is applied as a service credit for a subsequent billing period, and is not redeemable for cash or other services. We will apply the credit to your billing automatically.
• Approach to resilience: This information is available on request.
• Outage reporting: Outages are reported to nominated client contacts by email.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is restricted using Role Based Access Control in management and support channels. Access to services requires MFA.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Castlepoint is built in conformance with the Australian Cyber Security Centre Information Security Manual, the Protective Security Policy Framework, and ISO 27001. The solution is Cyber Essentials certified.
• Information security policies and processes: Castlepoint complies with the Australian Cyber Security Centre Information Security Manual and the Protective Security policy Framework, as well as the ISO27001 (security management) and the Cabinet Office Security Policy Framework. Castlepoint is Cyber Essentials certified.; ; Our team are certified in data privacy (CDPSE), information management (CIP), information systems audit (CISA), security management (CISM), and ethical hacking (CEH). We have extensive experience developing and implementing security controls at all layers, from governance to infrastructure. We are a trusted provider of security services to Federal governments, and have active Secret-level (SC) security clearances.; ; We ensure the safety and quality of our products and services by following and documenting strict quality management and information security management procedures. We formalize this governance by complying with the international standards ISO9001 (quality management) standard. We also have a strong corporate responsibility culture. We maintain detailed security documentation and controls.; ; We have multiple policies and programs in place to minimise the risk of fraud, malpractice and corruption, including:; • Alcohol and drugs policy; • Code of conduct; • Data Breach and Incident Response Policy ; • Enterprise Risk Management Plan; • Information Security Staff Policies ; • Remote and home-based work policy; • Telephone, mobile and internet policy.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All solution components are individually change tracked. All changes are assessed for security impact via assessment against Information Security Manual Statement of Applicability controls.; ; We use our certified change managers oversee the design, transition and operation of our projects into sustainment mode with our clients according to proven best practices. We are able to apply a formal and repeatable methodology, and to interface effectively with not only project SMEs, but with the systems owners and administrators who will have long term responsibility for the solutions that we implement.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We are enrolled in several security threat notification services, including vendor-managed and 3rd-party services. We deploy critical security patches within 48hrs of notification.; ; Our Certified Ethical Hacker (CEH) in-house resource provides manages vulnerability assessment, testing and secure development. We are an Australian Government Joint Cyber Security Centre Partner.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises are identified via our management logging system, data exception monitoring, and managed service notifications. ; ; We respond within 4-8 hours of notification. We maintain a detailed Data Breach and Incident Response Plan which is regularly updated.
• Incident management type: Supplier-defined controls
• Incident management approach: We have pre-defined processes for common incidents. Users report incidents via our service desk system, email, or direct contact. Incident reports are provided using a standard template.; ; Our Incident Response Team includes our CISO, CTO, Business Manager, Program Manager, Client Manager, and key resources in our IT Team. The dedicated Response Team may also involve external stakeholders in the response:; ; •ACSC via ReportCyber and the Partnership Program; •Department of Defence via ASD Assist (for advice on incidents); •AusCert (for third party incident management).

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £4,250 to £9,950 an instance a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Access to the Castlepoint online trial environment in a read-only format. Users have full browse, review and discovery access to the environment but cannot change the configuration. Configuration is read-only and can be viewed.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF