Net Service Information Technology Ltd.

Astrea Case Management System

Astrea is a configurable web-based application that enables a variety of organisations to manage their cases with the aid of task lists and calendar reminders. It acquires and processes information on a case, manages document filing, generates new documents based on customisable templates and allows public inquiries.


  • Role Based Security Model
  • RESTful Data Access Interface and System generated Web forms
  • Digital signatures for legal validity of documents
  • Management dashboard for KPIs and alerting
  • Cryptography and web authentication using PKCS standards
  • Remote access from multiple devices
  • Open data standards (XML, ODT, RESTful) providing data extraction processes
  • Hosted SaaS solution offers a system availability of 99.98%
  • Scalable architecture allowing system to grow with the organisation
  • Platform is fully compliant with GDPR


  • Full-text document search
  • Intuitive and self-explanatory user interface
  • Built-in localisation for the user interface
  • Personal agenda integrated with events generated by the system
  • Users can adopt new procedures and workflows through open BPMN
  • View and manage documents according to specific confidentiality rules
  • Perform daily tasks by replacing manual processes with automated workflows
  • Automated reminders for tasks approaching their deadline
  • Full audit data in an exportable format (XML, CSV)
  • User management of document templates and workflows


£7 to £55 per unit

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Net Service Information Technology Ltd.

Cristiano Morganti

+44 (0)20 7631 9037

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: No
System requirements: Anti-virus technology for virtual machines

User support

Email or online ticketing support: Email or online ticketing
Support response times: All requests for support will be answered within 1 working business day. Support is available Monday to Friday from 9am to 5pm GMT. This can be extended by negotiation.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 A
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels:
Tier 0 - Self-help (wikis, FAQs, training handbooks, ...)

Tier 1 - Intended to deal with basic customer issues
Tier 1 staff handle straightforward and simple problems, adopting basic troubleshooting methods such as verifying physical layer issues, resolving username and password problems, uninstalling/reinstalling basic software applications, verifying proper hardware and software set up and helping users navigate application menus.
Tier 1 staff are responsible for
- collecting and recording information (computer name, screen/report name, error/warning messages, ...)
- determining the customer’s issue
- sorting through the possible solutions available

Tier 2 - More in-depth technical support level delivered by staff who are more experienced on a particular product or service
Tier 2 staff are responsible for
- investigating more complicated issues
- assisting Tier 1 staff
Tier 2 staff perform onsite installations/replacements of various hardware components, software repair and diagnostic testing.

Tier 3 - Highest level of support
Tier 3 staff are responsible for
- searching and developing solutions to new issues
- designing and developing one or more solutions
- evaluating them in a test environment
- implementing and delivering the best solution
- assisting Tier 1/Tier 2 staff
Tier 3 staff comprise original or current developers of the product.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide
- onsite training
- online training (video clips)
- user documentation
Service documentation: Yes
Documentation formats:
  • ODF
  • PDF
End-of-contract data extraction: At any moment, users can export their data into an open standard XML file that can be easily imported into any relational database management system. This is in particular true when users want to change the service package they are using.
End-of-contract process: No standard activity is considered at the end of the contract. Specific activities can be taken into account upon request. These activities can be included in the contract from the time it takes effect.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The differences lie only in the user interface. On the mobile user interface, to enhance user experience, large forms are split into a sequence of multiple forms with a limited number of graphical components.
Accessibility standards: WCAG 2.0 A
Accessibility testing: Users with visual and aural impairments were recruited and asked to access our standard GUI (Graphical User Interface) modules, in order to improve and validate them on the basis of their feedback.
What users can and can't do using the API: Through the APIs, users can
- update service settings (only administrative users)
- upload documents
- start/stop workflows, complete specific tasks
- search and retrieve stored information, according to their confidentiality privileges.
Various standards are available (e.g. JSON, JSONP, REST)
API documentation: Yes
API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: Authorised users can customise
- workflow diagrams by using the Business Process Model and Notation (BPMN) language
- document templates by using an open standard word processor


Independence of resources: System resources are scalable.


Service usage metrics: Yes
Metrics types: Number of page accesses per unit time (page access frequency). Average time spent on a page.
Reporting types: Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process: No
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: At any moment, authorised users can export their data into an open standard XML file by invoking the related menu items.
Data export formats:
  • CSV
  • ODF
Data import formats:
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: 99.98%, assured by contractual commitment. Users are refunded by a primary insurance company.
Approach to resilience: Redundancy covers every kind of vital device: communication lines, power sources, network devices, servers, storage devices, ...

All devices are provided with two independent power supplies connected to two independent sources.
Servers supporting production services are arranged in a cluster of 8 nodes with automatic balancing and fault tolerance mechanisms.

All servers and network devices are powered by an uninterruptible power source (UPS) providing 20 minutes of runtime.
If an outage lasts more than 5 minutes, a generator automatically starts. The generator can run for 25 hours at a load equal to 3/4 of its full capacity.
UPS batteries are periodically checked by letting them discharge completely and measuring their runtime.
Outage reporting: Outages that lead to generator activation (those lasting more than 5 minutes) trigger email and SMS alert messages to clearly identified staff members who are responsible for monitoring business continuity.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels: No restrictions.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: TÜV Italy
ISO/IEC 27001 accreditation date: 10/01/2014
What the ISO/IEC 27001 doesn’t cover: Nothing
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: We ensure both physical and logical security of the software and data in our datacentre.

Physical access is monitored for all rooms containing servers, network devices, power plant branches, HVAC plant nodes and branches, communication lines and physical backup media. Only authorised staff are allowed in. Others (both employees and visitors) can access those rooms only under the supervision of authorised staff. Every access is automatically logged.

Anyone who wants to access a logical resource must authenticate by providing a pair of credentials (user identifier and password). Every access is automatically logged. Users are granted the access privileges of the user class they belong to.

Access from outside company premises (e.g. remote working) is allowed via Virtual Private Network (VPN) only for a limited number of users. The privileges are limited to what is strictly required by the user's role.

Users must change their password upon first access. The password must be sufficiently complex and must be changed at least every three months. User accounts are blocked after three consecutive unsuccessful attempts to access the system. User accounts that remain unused for more than a given amount of time are blocked too.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: The System Management team keeps itself constantly updated about the vulnerabilities detected in the software we run to deliver our services. As a consequence, change management and security improvement policies are constantly maintained.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: The System Management team keeps itself constantly updated about the vulnerabilities detected in the software we run to deliver our services. According to their criticality, the corresponding patches are applied immediately, weekly or monthly.

Information about software vulnerabilities is obtained directly from the software's producer or from specialised websites.

Periodically, we ask some suppliers to carry out penetration tests to assess our network vulnerability (open ports, insecure configurations, ...) and act accordingly, on the basis of the test outcome.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We consider the following types of incidents:
- development and test software environments stop being available
- servers and network devices stop being available
- stored information loses its integrity

Software environments are implicitly checked by the staff who work on them continuously. They are requested to promptly report any potential problem.
Servers and network devices periodically undergo automatic checks to detect any drop in responsiveness.
Automatic data integrity checks are periodically performed to ensure information has not been corrupted.

Every kind of incident is assigned a detailed procedure intended to resolve it.

Our Recovery Point Objective is 1 hour.
Incident management type: Supplier-defined controls
Incident management approach: We have predefined procedures in place to tackle
- loss or theft of mobile devices and equipment
- server room fire
- server room equipment breakdown
- data loss
- software environment integrity loss
Users inform the Security Manager, who activates the right human resources within the Security Team.
The Security Team maintains an incident log in which they record every incident and the actions undertaken to resolve it, in order to analyse them and improve the current procedures. It is disclosed only upon explicit request.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: Yes
Connected networks: Other


Price: £7 to £55 per unit
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: The free trial version is fully operational and is provided for 6 months.

