Structured Software Systems Ltd


Team collaboration for phased and agile projects supports the capture, analysis and engineering of needs, goals, requirements, enterprise, architecture and design models, traceability to test and acceptance, and publishing into contract-ready documents. Risk, compliance, governance and contract management across the project lifecycle with configuration management, baselines and formal change control.


  • User-defined goals, needs, objectives, requirements, models, verifications and acceptance
  • Bi-directional many-many traceability across entire project lifecycle
  • Applicable to all agile, phase, application and business processes
  • Integrated UML, SysML, BPMN, process, architecture modelling
  • Integrated risk management, test management, compliance, governance and configuration management
  • Change history, baselines, review, formal change control and workflows
  • Collaboration through discussions, alerts, mail, comments and automated notifications
  • Data analysis from pivot tables, metrics, dashboards, KPIs
  • Automated data load from documents, spreadsheets, XML, ReqIF
  • Publishes user-defined, production-quality documentation


  • Single point of truth for all project information and stakeholders
  • Can replace multiple tools, improves efficiency and reduces cost
  • Gives stakeholders controlled access to project information
  • Eliminates quality problems using automated, user-defined, conformance consistency checks
  • Eliminate omissions, duplications, contradictions with bi-directional indirect traceability
  • Automatically generate consistent, production-quality documentation in any format
  • Reuse and share information between projects and teams
  • Unlimited volumes of information of any types and traceability links
  • Automatically generate management information, metrics, KPIs and dashboards
  • Automate release management from sprints, iterations, phases and quality reviews


£73.50 to £127.50 a unit a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

849642385609881


Structured Software Systems Ltd Mark Walker
Telephone: 01229 838867

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Technical support is available between 9am and 5pm UK time weekdays excluding UK national and public holidays. We acknowledge questions within 1 hour, respond within 2 hours and aim to resolve within 4 hours. All questions are categorised and prioritised. An escalation mechanism is available.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide one level of support for all users. A technical account manager will be provided at the start of on-boarding. All 3SL support engineers are equally able to support Cradle systems deployed as SaaS or in-house. Cloud support is included in the per user per month SaaS charges. On site support is charged at the rates in our SFIA labour categories.
Support available to third parties

Onboarding and offboarding

Getting started
On-boarding services are discussed and agreed with each customer and include some or all of:
- A ConOps to define an overall scope
- Configure Cradle to create an appropriate schema, information lifecycles and workflows, review, CM, formal change, baseline, and QA/QC requirements
- Appropriate user environment of queries, views, forms, hierarchies, navigations, capture formats, document and report templates
- Documentation of the schema and environment in a Project Handbook
- Training of lead users
- Creation and delivery of end user training
- Data pre-processing, validation, loading and post-load confirmation
- Ongoing project involvement, as project engineers, team leaders and/or IV&V
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
End-of-contract data extraction
Either export the data into user's preferred tool-independent data format or publish reports and documents in user-defined formats, or both.
End-of-contract process
Support services continue to contract end, which includes guidance to export data. Any other services required can be provided as Cloud Support services.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No differences for Windows and Linux mobile devices. For Android and iOS mobile devices, service is only available through a web browser.
Service interface
Description of service interface
A RESTful Web Services Interface (WSI) is available as a separately-licensed and costed option. The WSI provides a full range of data and control capabilities, all subject to the same authentication and access control model used in all other access vectors to information stored in Cradle.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Behaviour has been verified with people of limited vision using standard Windows assistive technology and third party tools such as Chrome Speak and FoxVox.
What users can and can't do using the API
An application programming interface (API) and web services interface (WSI) are available. Both are separately-licensed options. The API and WSI both provide a full range of data and control capabilities, all subject to the same authentication and access control model used in all other access vectors to information stored in Cradle.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Database (items, attributes, links, properties), queries, views, forms, graphs, reports, documents, metrics, KPIs/dashboards, process, CM system, workflows, UI layout and content, authentication and access control. In essence, everything can be customised. Who can customise and what they can customise is defined by you, the users.


Independence of resources
Each user community is in a separate virtual private cloud (VPC) or equivalent.
Adequate host hardware is provided for this user community as it expands.
Dynamic balancing of load across servers (transparent to users) as necessary and determined by appropriate KPIs in an agreed SLA.


Service usage metrics
Metrics types
Numerical and/or graphical, daily, weekly or monthly reports. Reports contain details of logins, users, source hosts/IPs, failed logins, disabled logins, licence grants, licence denials, concurrent licence use.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
Other data at rest protection approach
3SL uses whichever PaaS / hosting provider is appropriate to, or required by, the customer. 3SL will only use UK resident providers. This includes FCOS, UK Cloud, UK Fast, OVH, Microsoft. 3SL may use UK sovereign providers. All providers operate data centres with physical controls to SSAE-16 / ISAE 3402. Some providers operate to higher controls.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
From the Export button in the tool's UI or from a command line. Note "export formats" can be defined with users' preferred options so exports are performed consistently.
Data can be exported as 'reports' and 'documents' with user-defined formats, layouts and contents.
Data export formats
  • CSV
  • Other
Other data export formats
  • TSV
  • Cradle
  • HTML
  • SVG
  • XML
  • ReqIF
  • RTF
  • Word .docx/.doc
  • Excel .xlsx/.xls
Data import formats
  • CSV
  • Other
Other data import formats
  • TSV
  • Cradle
  • HTML
  • SVG
  • XML
  • ReqIF
  • RTF
  • Word .docx/.doc
  • Excel .xlsx/.xls

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.9%. Refund available on request as a proportion of the time between 8am and 6pm Monday to Friday for all working days that the service is not available.
Approach to resilience
All SaaS services are implemented as a set of VMs, each an instance of one of 3SL's standard templates. Snapshots of these VMs are taken with a frequency agreed with the customer, typically daily. Additional data backups are taken and available with an agreed RPO and RTO. Server snapshots can be restored within 1 hour. Failure of host hardware causes an automated switch to alternative hardware transparently to the end user. Failure of a data centre causes a switch to an alternate data centre in 2-8 hours depending on the hosting/PaaS provider being used (noting that 3SL deals with many such providers, including FCOS, UK Cloud, UK Fast, AWS, OVH, Microsoft).
Outage reporting
As required by the service user. We can provide a telephone call, e-mail, tweet or any other preferred communication method. Public noticeboard is an option, but this would mean that we would be advertising the use of this service by the HMG group, department or agency.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Our service provides user-defined databases. Each database has a set of login accounts defined by the users. Each user has a set of rights. Only users with appropriate rights can perform admin functions, and only within that database. So all management and support access to each database is controlled by the users of that database and separate from all other service users.
3SL has no access inside Cradle databases. All login accounts for each Cradle database are the responsibility of the user.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
We are assured by Trustwave that they cover ALL our PCI DSS needs. Everything that needs to be covered, is. Anything that is not covered falls into the category of not relevant.
Other security certifications
Any other security certifications
  • Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Security vetting of all personnel. Partitioning of access rights by subject, by person, by role. Principle of "need to know" applies to all InfoSec decisions. Periodic IS1/IS2 analyses of threats and attack vectors. InfoSec policies for internal IT, including CIA analyses, password policies, AV, multi-level filtering of incoming and outgoing communications, multiple layer firewalls (DMZs).
Overall responsibility for all security policies and procedures rests with 3SL's Director - Mark Gerald Walker.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes to SaaS services are planned with the customer. Each has agreed success and failure criteria and an agreed back-out/restoration plan. Each change is reviewed against the agreed criteria during implementation and on completion. Any failure triggers the agreed back-out/restoration plan.
All Cradle software components are built in house. Source code is managed by a SCCS with full change tracking. All service component builds are automated from the SCCS with no opportunity for external interference. All built components are digitally signed. All components have SHA512 checksums. All components on the SaaS hosting are verified monthly to ensure they are unchanged.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Quarterly threat reviews. Annual IT Health Check, threat analyses and RMADS for the OFFICIAL/IL3 services. 3SL receives security alert feeds from O/S vendors, PaaS providers, AV companies, security forums. Fixes for critical vulnerabilities affecting the SaaS are implemented in 4-8 hours, high priority fixes are applied within a week, and others are applied within a month of release, all subject to agreement from the user community to an outage. Otherwise fixes are deployed during a regular outage as agreed with the user community.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Automated 3-hourly review of all service components' digital signatures and SHA512 checksums. A discrepancy automatically raises an alert and suspends users' access. Automated rectification by unpacking a replacement original component from a secure area, validating its checksum and installing it.
Incident management type
Supplier-defined controls
Incident management approach
Incidents / support calls are logged, characterised, prioritised and acknowledged. Calls are progressed to closure, or confirmed bug or accepted enhancement. Escalation process available. Customer can get report of their support calls from us or from our website. KPIs for P1-P5 calls are defined in an agreed SLA.
Security incidents are handled as P1 or P2 support calls.
3SL runs daily scans on all server and firewall logs to detect attacks.
Automated attack detection alerts generate e-mails, e.g. penetration attempts violating firewall rules or authentication failures. Incident reports are provided to the customer with a frequency defined in the SLA.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Public Services Network (PSN)


£73.50 to £127.50 a unit a month
Discount for educational organisations
Free trial available
Description of free trial
Full version of service available for one month
Link to free trial
