Core Systems

Prisoner Education and Wellbeing Platform – Direct2inmate

The Prisoner Education Module offers prisoner’s access to a highly secure Learning Management System. Prisoners can study at their own pace or use the e-learning platform to augment classroom-based education. The Wellbeing Module additionally supports prisoner wellbeing in prison, giving access to self-help programs and apps.


  • Secure lockdown operating system
  • Prisoners can work online and offline
  • Deliver prisoner education and wellbeing content on tablets and laptops
  • Platform supports mixed media; including video, audio and PDF
  • Progress of courses displayed to prisoners
  • Full audit trail of all prisoner events
  • Rewards system available based on progress made on course
  • Allows secure biometric and other verification apps and hardware
  • Supports multiple languages to accommodate all nationalities of users
  • Platform designed to complement ”Through-the-Gate” continued learning style


  • Encourages spending locked-up time more productively bringing normalisation
  • Encourages prisoner’s digital literacy
  • Broadens prisoner’s qualification opportunities
  • Supports tutors giving the full visibility of student progress
  • Bridges the gap between tutor and student allowing sending messages
  • Supports more effective learning, allowing access outside of classroom
  • Allows prisoner to maintain good mental and physical wellbeing
  • Supports offenders in completing in-prison programs, e.g. fighting additions.
  • Supports prisoners in completing in-prison programs, e.g. fighting additions
  • Allows working with different types of content providers


£0.50 to £1.00 per person per day

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Core Systems

Diana Atchison

02890 722044

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • Windows Server 2012 R2 Standard
  • Microsoft SQL Server 2012 R2
  • SQL Server Reporting Services
  • IIS 8
  • SMTP Server

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Priority 1 - Major: 90 minutes for initial response.
Problems causing major disruption and prevent the user from providing a normal service.

Priority 2 - Intermediate: 90 minutes for initial response
Problems causing localised disruption and limit the ability of the user from providing a normal service.

Priority 3 - Minor: 2 hours for initial response
Problems which affect non-critical functions.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Core provide a technical account manager and a cloud support engineer. A typical support scenario with a customer will be as follows:

Once it has been determined that the fault is a software issue relating to Core, Core will provide first-level support. Core will provide a help desk service which will provide for the recording and escalation of issues.

Second-level support - Core will further investigate the issue following the steps outlined in the documentation. This may include resolutions or temporary workarounds for complex issues.

Third-level support – Core Systems shall provide resolutions for reported errors or issues. Core Systems shall make, and provide Customer with, revisions and enhancements to the code.

The cost of 1st, 2nd and 3rd level support is included in SaaS pricing document. This is based on remote software support, 9 am – 5 pm, Monday – Friday, excluding bank holidays. Any additional support required for customers specific SLAs will be negotiated and costed separately.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started To help users to get starting using software solutions Core Systems provide training and assistance with go live on site. We also provide training videos and manuals to support training sessions.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction All data will be managed to ensure availability at contract end. At end of contract we will make consumers archived data available. The consumer will provide instructions of where the data is to be transferred. Core confirm that we will purge and destroy consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer)
End-of-contract process All data is stored within a SQL database. Data may be archived off the database onto another storage device or exported from the database using a .csv file. In the same way data can be imported using a csv file. Note the import / export of data can be automated as a scheduled task. Core will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Core commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction.Data that will not be available for later extraction will also be published.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install Yes
Compatible operating systems
  • Android
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Inmate portal is designed for tablets and desktop.
Officer portal is designed for desktop only.
Friends & Family portal is designed for mobile, tablet and desktop.
Accessibility standards None or don’t know
Description of accessibility Users can:
• Enter in free text using a on screen or a physical keyboard
• Read static text (in plain English)
• View static images
• No flickering or flashing images or text
• Click buttons to carry out actions
• View headings and labels
• View and use simple navigation
• View validation of forms.

Users cannot:
• Access unauthorised materials/content
Accessibility testing None
What users can and can't do using the API There is an API for importing and updating end users into the system and setting up locations. Limitations based on validation of business rules are set up to protect the integrity of the data. Other functionality that is required to be exposed through an API can be created as a bespoke piece of work for a customer to meet their needs at an additional cost.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Branding on the officer and inmate login page can be customised to be the customer’s logo and product name – carried out by Core Systems.

Customisable permissions on the officer website so that functionality can be separated to authorised user groups – configurable on the officer website.

Access to modules on the inmate website can be switched on/off for different user groups – configurable on the officer website.

Timed access can be set up for the inmate website e.g. can only access the site for 15 minutes in a 2-hour period - configurable on the officer website.

Content can be added and updated easily e.g. documents, audio files, video files etc. – configurable on the officer website.

Settings are available to turn pieces of functionality on/off e.g. enable Two Factor Authentication.

Settings to set values for particular areas e.g. change password label text to pin.


Independence of resources Web hosted solution on IIS, so can have unlimited concurrent users, the only limiting factor is the amount of available resources on the machine. The software is hosted in a cloud based environment, so resources can be scaled up as required. Hosting environment provides a dedicated resource that is not shared with other customers. The software has been hosted in a single datacentre before and has scaled up to handle a total of 166,000 users and counting.


Service usage metrics Yes
Metrics types Officer dashboard displaying numeric information on the tasks to be carried out, with links to the appropriate page in order to take these actions, e.g. number of messages to be read. Reports available through the officer interface which displays usage metrics, access to these is configured through permissions in the officer website. e.g. number of logins in a time period, number of courses completed
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Standard reports which can be saved in multiple formats including Excel spreadsheet, Word document, XML file, PDF file, CSV file. These reports can also be set up to be scheduled and emailed to authorised users if required.
CSV files of the data from the database can be produced on request by Core Systems if required.
Core Systems could potentially create a bespoke API for required data if required at an additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel spreadsheet
  • Word document
  • XML
  • PDF
  • JSON from API
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks Can implement whitelist of IPs on the TLS solution so that a VPN does not need to be set up but still restrict access to the URLS so that only users from authorised networks can access the service. Can also work with a full VPN solution if required.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Hosting environment 99.99% availability
Approach to resilience Available on request
Outage reporting Dashboard to monitor if all kiosks are up and running.
Email alerts if any of the websites are not accessible.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels IP whitelisting for officer website along with permission groups to limit access to only authorised users. Support website requires username and password to be setup in order to manage the support issues. Only authorised users have access to the cloud environment and each user has their own account. Login access to the database is restricted to only authorised support users.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SGS Ltd
ISO/IEC 27001 accreditation date 05/06/2014
What the ISO/IEC 27001 doesn’t cover Certification covers all business functions within the company
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a well established security information management system and related policies in place which adhere to ISO 27001 international standards. We have held ISO 27001 certification which is AKAS accredited since 2014. We have regular internal audits and review meetings to ensure that our processes and practices adhere to our information management policies and that these are in line with the ISO 27001 standard.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Core Systems have a dedicated change manager who will manage the paperwork and approvals. Changes required can be discussed and scoped out with the business team and they will be passed on to change manager.
Change Process:
• Changes agreed with business
• Change request completed
• Customer approver’s review and approve the change
• Core implement the change in development & QA environments and test thoroughly
• Core implement the change in production and test thoroughly. Changes can be rolled back if necessary
• Core notify customer of change completion
• Close the change – Post implementation report
Vulnerability management type Supplier-defined controls
Vulnerability management approach Monthly patches are carried out on the OS and other 3rd party software installed.
Current and newly emerging vulnerabilities are monitored by subscriptions to email distribution groups, publications and relevant websites are reviewed regularly.
A list of 3rd party libraries used to build the software is maintained along with the current version number used, this is periodically reviewed to identify whether there are any security vulnerabilities and if a newer version is available. If an action is deemed pertinent and prudent then it will be handled through the Change Management Process.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Antivirus, Malware, Intrusion Detection & Protection, threat detection, correlation analysis, stateful firewall, execution environment checks are all provided by a cloud based Protective Monitoring service. This provides real-time, contextual and predictive threat intelligence. This will identify potential software compromises.

The response process when we find a potential compromise is as follows:
• Ascertain the issue and impact
• Contingency plans put in place around potential risks e.g. snapshots and backups
• Resolution agreed with customer and implemented

A number of risk scenarios are automated and responded to immediately.
High impact incidents are escalated to high priority.
Incident management type Supplier-defined controls
Incident management approach When a support issue is received by Core Systems a ticketing system will operate and once an issue has been logged a unique support reference number will be assigned to it and should be quoted in all future communications relating to the issue. Users must report as much information as possible to ensure faster diagnosis of the issue, examples of the information required will be provided. A common issue responsibility matrix will be provided along with the corresponding SLA level.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.50 to £1.00 per person per day
Discount for educational organisations Yes
Free trial available Yes
Description of free trial What’s included: we offer a trial version of software license.
What isn’t included: hosting costs from 3rd party, support and installation.
Limited time period: 2 months.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑