ImageVault is everything you need to securely and easily store, find and use all your digital media assets. Plug it with your current media sources and let it be the central hub for all your digital media regardless of where they are stored.


  • Maintenance of all of your media assets
  • Categorize and tag all assets
  • Embedded media data available
  • Multiple file management facilities available
  • Asset filtering based upon tags or free text search
  • Permissions model available for user groups
  • Security encryption available
  • API, authentication and add-on integrations available


  • Reducing time and costs associated with using digital media
  • Enabling multiple views of the same asset base
  • Views of assets by categories for different purposes
  • Single point of maintenance for your asset base
  • Reduces demands on the editors/users for digital media management
  • Better control of how your brand is communicated and exposed
  • Greater flexibility, shorter "Time to Market" and for re-purposing
  • Work faster, consistent and coherent with media on your website


£400 to £2000 per instance per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

8 0 0 5 4 2 9 9 0 3 1 7 5 5 7



Glenn Stewart



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Can be used with a variety of content management systems
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints Microsoft technology stack for add ons
System requirements
  • Can be used with a variety of browsers
  • PC's, MAC, smartphone and tablets

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times 08:00 to 18:00 Monday to Friday (excluding weekends and UK Bank Holidays) response is 1.Critical - Response 1 hour, Restoration 4 hours 2.Urgent - Response 1 hour, Resolution 5 days 3.Non-Urgent - Response 4 hours, Resolution 20 days. Extended and 24x7 is also available with similar response times at extra cost
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Merriworks provides 24x7x365 monitoring and operations support for all of our Cloud customers through a dedicated global managed services team. If there is an incident our managed services team will work within our customer’s environment to resolve the issue and provide a resolution without our customer’s involvement. Cloud customers additionally receive Developer Support as part of their cloud subscription.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Training is available for technical and user access to the service and full documentation sets are provided both HTML and PDF
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction Downloads can be arranged from SQL Server databases
End-of-contract process End of contract, the user will receive an extension offer and if that is not taken up the service will be terminated.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Only differences are in presentation. All data is repurposed.
Service interface No
What users can and can't do using the API Using the API Merriworks provide API access through .NET libraries, RESTful services and JavaScript (for UI extensibility). No particular limitations exists through the API
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation All aspect of the service can be customized through the use of the API


Independence of resources Extra virtual machines can be switched in without affecting the user service


Service usage metrics Yes
Metrics types Infrastructure or application metrics
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
Reporting types
- Through an API
- Real-time dashboards
Reporting types
  • API access
  • Real-time dashboards


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Merriworks

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Other
Other data at rest protection approach Data-at-rest protection
Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Through the use of the API programmatically to a CSV.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Group and Corporate level provide 99.7% availability. Enterprise level provides 99.9% availability
Approach to resilience Microsoft Azure SDKs for BLOBs, Service Bus, and Entity Framework have built-in support for transient faults handling and retry policies.
Outage reporting Merriworks provide a public dashboard service, together with email alerts of any outages

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels User access within management interfaces is restricted by authentication and service design. Administrator permissions are allocated to companies accordingly. Management interface protection is in place.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security No
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Approach to secure software development best practice

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change management tracking is performed and impact assessments of changes are produced and acted upon
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Vulnerability assessments are regularly produced in conjunction with Episerver regular vulnerability monitoring. Mitigation strategies are produced, implemented and mitigation timescales determined.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Events are continually monitored and reported upon to identify potential compromises, strategies devised and implemented within a mitigation timescale.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Pre-defined processes are in place for common incident management events. Users report incidents via a ticketing system and timescales determined for mitigation and resolution.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £400 to £2000 per instance per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Fully functional for a limited period.

Service documents

Return to top ↑