SCYTALE Armour Comms

Armour Mobile is a CPA certified encryption application for secure (voice, video, IM, group chat and data) available on iOS and Android devices. Offering to customers a cost-effective, easy to use technology combined with advanced security techniques available in cloud-based and on premise architectures, available up to UK SECRET.


  • Runs on Scytale enterprise
  • Simple to use/deploy robust government grade end to end encryption
  • Runs on Android IOS Blackberry and Windows devices
  • Compatible with Samsung Knox, Trustzone and dual factor authentication
  • Advanced features for potential use up to UK SECRET
  • High connection quality with low latency
  • Secure connection to landlines and voice services
  • Secure voice, video, instant messaging, group chat and conferencing
  • Compatible with complementary technologies MDM/EMM
  • CPA accredited solutions to Official Sensitive


  • Accessible globally through Scytale Tactical Cloud
  • Manage governance, risk and compliance
  • Flexible accredited secure communications for mobile workers and hot desking
  • Enhance team output through secure group chat functionality
  • Reduce your team's travel costs
  • Shared ‘up to minute’ information flow
  • Maximise your communications investments by connecting through your mobile environment


£2 to £17 per unit per month

Service documents


G-Cloud 11

Service ID

8 7 2 5 6 8 9 4 2 2 6 0 1 1 5



steve slater

01432 373824

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Armour Mobile Application can be ran as a standalone instance or can be used with the Scytale Tactical Cloud
Cloud deployment model Private cloud
Service constraints Armour Comms is supported to run on various smart phones such as iOS and Android, and can be operated on Windows desktops. The application is regularly updated this focus as well as ensuring security is maintained is to streamline application on the most recent devices, development of the application for the older models is likely to cease as the older models hit their end of life from the manufactures.
System requirements
  • COTS Apple devices - iOS Version 8+
  • COTS Android devices - OS Version 4.3+
  • Windows 10 Desktop

User support

User support
Email or online ticketing support Email or online ticketing
Support response times GRC Ltd. has a Network Monitoring Centre (NMC) that operates 9-5 Mon to Fri. Out of hours and at weekends we have an engineer on immediate call via telephone. The NMC is contactable via a freephone number, email and mobile number. Calls are immediately answered and are ticketed via customer support software to enable an audit trail and to support Service Level Agreements. We have defined escalation and rectification processes that enable issues to be dealt with direct to service providers and the ticketing support can be merged with other ticketing systems and emailed to customer and service providers.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Webchat to end users available globally using Wickr application.
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels GRC Ltd shall provide Level 1 and Level 2 support from its NMC at its UK location and manage Level 3 support to/with the OEM as required. To support the relevant support levels, GRC has a number of formal process flow charts for initial triage of the issue, resolution and as appropriate, escalation. All flow charts are shared with the customer. The support offered also allows for Request for Change of Services which will be actioned in accordance with the contract terms and conditions. There is no difference in cost for the support at level 1 and 2. AWS Business Level Support will be included with the contract costs. Level 2 and 3 support will have more expertise assigned and made available, with level 1 providing end user advice for the initial fault finding. For contracts, we provide both Technical Account Manager and a Cloud Support Engineer and as necessary engagement with our Cloud Service Architect.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Web portal tutorials can be offered.
Training solutions can be tailored to the customer’s requirement and can be quoted on request.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The application should be removed from each device at the end of contract. Armour specific information Contact data can be exported, this file will be made available to the customer if required.
End-of-contract process A discussion will occur before the end of the contract about renewing. If the customer does not wish to renew the application will cease to communicate after the end of contract date. The application will remain on the device, unless uninstalled, and will retain all the information held within.

Using the service

Using the service
Web browser interface No
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Armour Mobile is designed to offer the same functionality with a similar look and feel on all platforms.
Service interface No
Customisation available No


Independence of resources Usage is monitored on a continual basis and scaled accordingly to meet demand.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Armour Comms

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Armour secure data at rest on mobile devices is encrypted. Data at rest on servers is protected by multiple security zone server architecture with database encrypted and physical access controls.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach For security reasons the only data that can be exported form the device is the contact data. A user can export their contacts to an encrypted file and store or email it off their device. (This functionality is platform dependant)
Data export formats Other
Other data export formats Encrypted file
Data import formats Other
Other data import formats Encrypted file

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Armour secure services are protected by at least AES-128 with PKI using MIKEY-SAKKE between end user devices and up to AES-256 with TLS1.2+ in client/server interactions.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network All inter-server communications within the Armour Secure service use at least TLS1.2+ with AES-256, multi-zone server security, firewalling, intruder detection and monitoring.

Availability and resilience

Availability and resilience
Guaranteed availability Armour service is dependent on the full availability of the data service over mobile bearers provided by third party cellular systems. The recommended use with Scytale Tactical Cloud will also help to mitigate the reliance on third party vendors.
SLAs are available to the customer on request.
Approach to resilience Resilience information is available on request.
Outage reporting Monthly Uptime Percentage data can be available to users through GRC's NMC. Scheduled maintenance outages will be conveyed to the user via e-mail. All bar essential maintenance will be conducted at a time acceptable to the user. Essential maintenance will be conducted by activating the BCP, to minimise impact on the user's information flow

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication End user clients are password protected, based on the unique end point identity used in the MIKEY-SAKKE cryptography, the client itself also authenticates to the servers. Additional user authentication such as two factor is available at additional cost although should be based on the user's requirements.
Access restrictions in management interfaces and support channels Access to the user management system is restricted to authorised administrators using passwords and certificates.
Support staff can have DV clearance.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Scheme

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards GRC is an SME and as such is accredited to Cyber Essentials Scheme (CES)
Information security policies and processes The GRC IT Security Policy is designed around the core principles of Confidentiality, Integrity and Availability, with the primary objective of asset protection, prevention of unauthorized access and ensuring the availability of systems and information for GRC and our customers. Within the GRC domain these principles are achieved via a range of mediums, including centrally monitored anti-virus and malware protection, network level hardware and client level software firewalls and Active Directory controlled user accounts, with senior management approved role-specific permissions. Due to our requirement to work with evolving technologies, we make clear distinction between the GRC domain and Engineering tasks, which can only be performed on specialist off-domain clients, further minimizing risks to our network. Familiarization of this IT Security Policy is part of all employee’s induction and its acceptance is mandatory

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Cloud configuration for both live and any development instances is administered from the NMC. Configurations are based on template documents to ensure implementations are standardized across the end-to-end solution. Configuration variables (eg. IP addressing) are managed to enable digital resources to be assigned efficiently without duplication. All documents and configurations are version controlled with changes approved, accounted for and audited by user/date/reason. Configurations are stored with separation between the configurations for each customer’s specific solutions. Change management includes but is not limited to: Change requests with corresponding impact assessments, implementation and corresponding change monitoring and Authorisation for change
Vulnerability management type Supplier-defined controls
Vulnerability management approach We operate continuous vulnerability management. We use both technical scans; with Microsoft Baseline Security Analyser and Panda Adaptive Defense 360, and prevention; with hardware and software firewalls, file access controls, limited administrator rights, staff training and physical security. All company activities are appraised for risks, with potential vulnerabilities assessed and categorized as either manageable risk or deemed unacceptable. Technical vulnerability management across the system will be conducted using Cloud applications such as AWS GuardDuty and AWS CloudTrail. These services alert our 24/7 NMC team who will immediately cease the vulnerability and highlight to the customer.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Technical protective monitoring will be designed in house by our architects to enable the managed service to use Cloud applications such as CloudWatch, AWS Shield plus and AWS WAF. These services alert our 24/7 NMC team who will immediately cease the vulnerability and highlight to the customer. In the event of an incident being identified or being notified of an IP address/instance compromise by the customer, cloud accounts or virtual private clouds shall be removed and reinstated within ~1hr utilizing existing configurations and saved AMI's. Close liaison with the customer will take place throughout the process.
Incident management type Supplier-defined controls
Incident management approach Incident Management for both common issues and ad hoc problems, whether identified proactively by the NMC or reported directly from an end user, utilizes GRC's existing ITIL compliant processes. Users are able to contact GRC support staff directly via freephone 24x7, whether in the NMC during business hours or on-call out of hours. Contact is regularly maintained through to incident resolution and user approved closure via phone, webchat and email. Service Review Meetings with the GRC Account Team, including consolidated incident reports, occur regularly, with a frequency as agreed with each customer.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2 to £17 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑