Document Management

Given the number of legal documents your in-house team handles every day, it’s critical that you have a legal document management system to securely store, share and collaborate on contracts and files—optimising team productivity and streamlining the delivery of legal services.


  • Securely store documents and easily find what you need.
  • Collaborate on documents and coauthor contracts seamlessly.
  • Create secure workspace to collaborate with all stakeholders
  • Manage content in wikis, post updates in the blog
  • Manage group tasks, share group calendars
  • Create custom workflows and automate documents
  • Modular for structured data sharing
  • Access your legal documents from anywhere, anytime.
  • MS Office, Office 365, Outlook and G-Suite integration
  • Made for Mobile and Desktop - Browser or App Based


  • Gain complete visibility and control over your documents.
  • Keep documents in sync across your department and team
  • Increase the value of your documents.
  • Private Cloud - Host your data in the UK
  • Business Intelligence - See how users are viewing your data
  • Overcome mailbox sizes - Send a link to a download
  • Security - Ensure control over information
  • Audit trail - What's been sent, when and by who


£25 to £400 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

9 1 1 9 5 7 7 2 4 6 9 4 1 3 7



Mark Reynolds

020 7220 5340


Service scope

Software add-on or extension
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
System requirements
  • Modern Web Browser
  • Windows
  • Mac OSX
  • Mac IOS
  • Android

User support

Email or online ticketing support
Email or online ticketing
Support response times
30 minutes Monday to Friday, 8am to 6pm.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
8am - 6pm Service desk on business days with 24/7 Emergency support.

24/5 Service desk support will be available from Q4 2019
Support available to third parties

Onboarding and offboarding

Getting started
Training can be delivering remotely or onsite
There is a comprehensive online knowledge base
Service documentation
Documentation formats
End-of-contract data extraction
All data can be extracted by users with the appropriate permission via the user interface,
End-of-contract process
All client data is deleted as part of the contract. HighQ will decommission the instance in full as part of the base contract. It is the client's responsibility to extract any data they wish to keep prior to the decommissioning process. Secure overwrite is available for an additional charge.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
All features are available on mobile using a responsive design
Files can be accessed via the HighQ Drive app for mobile on iOS and Android
Service interface
Description of service interface
HighQ includes access via browsers using secure HTTPS via desktop or mobile device, IOS and Android apps, REST API calls or HighQ Appliance that simplifies some of the more common API calls (e.g. SQL and AD synchronisation).
Accessibility standards
None or don’t know
Description of accessibility
Collaborate is accessible using any of the standard web browsers in conjunction with existing assistive software that supports the user's chosen web browser. The product has alt-text fields for all non-text content and supports the creation of alt-text metadata for non-text data uploaded into the system.
Accessibility testing
What users can and can't do using the API
All the main features are accessible via the API, including the addition and update of users. This is supported with a vibrant developer community to share and learn.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Custom branding can be applied at system and site level including the URL, visual appearance of the whole user interface and system generated emails.


Independence of resources
HighQ provide single tenancy solutions deployed in HighQ's private cloud. The high-performance network architecture is built to be resilient and
scalable. Bandwidth is provided across multiple diverse links, which do not
depend on any single backbone, ensuring that there is full network connectivity redundancy, even in the event of one of the providers failing.


Service usage metrics
Metrics types
All logins, configuration changes and content accessed is audited by user, date and IP address.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
All files can be exported via the main user interface, and all other content can be exported to Excel and/or PDF.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XML feed
  • Excel
  • HTML
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Automated schedule SQL connection via HighQ Appliance
  • API
  • ZIP file (for files)
  • Drag and drop from OSX / Windows
  • RSS Feed
  • HighQ AI Hub

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.9% Uptime which would be remunerated via service credits.

Approach to resilience
Each client is hosted on two geographically separate datacentres within the same legal jurisdiction. All UK hosting centres are ISO 22301, and ISO 27031 compliant.
Outage reporting
Email alerts are sent to client organisations upon detecting an outage.
Any maintenance works are undertaken during pre-agreed maintenance windows and upgrades take place on a date/time pre-agreed with the client.

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
Users require a username (their email address) and a password, with optional 2 stage verification. Full 2 factor authentication is due in 2019 Q2.

Access can also be given via SSO from inside the clients network, using the SAML 2.0 protocol.
Access restrictions in management interfaces and support channels
Application access management is controlled by the client who can grant or revoke administrative privileges within the application to or from users in line with their own organisational policies and procedures.
Infrastructure management is performed via secure management servers which are accessible only by VPN using two-factor authentication. Administrators cannot view client data where it is encrypted at rest.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
Last re-certification: 02/11/2018
What the ISO/IEC 27001 doesn’t cover
Outsourced development.
Protection of test data.
Technical review of applications after operating platform changes.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
Last update: 18/02/2019
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus aligned.
CSA STAR - level 1.
Information security policies and processes
Complete ISMS present which is built from ISO 27001 controls. Higher management involved in the process and sign off on policies/procedures. All employees undergo CRB/DBS and qualification checks as part of the recruitment process and sign an Information Security agreement and Acceptable Use Policy along with their employment contract before commencing their responsibilities at HighQ. In the event of a violation, disciplinary action may be taken.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All configuration management and change management is performed using the Agile methodology. Changes are developed and a product iteration is released. Each release is subject to penetration testing.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We regularly perform penetration testing, undertake monthly vulnerability scans, and daily change scans. Patches are normally deployed within 2 weeks, and we receive threat intelligence from third party security vendors, e.g. CiSP, Mitre, and other publicly available sources. We also employ a source code vulnerability tracking system and use automated security assessment tools.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
HighQ employ enterprise logging and SIEM for all systems and perform regular checks upon those logs and events. Incidents are reviewed and classified in terms of impact and criticality. There is a defined security incident management practice (NIST 800-61r2). Depending upon the nature of the incident, the issue is either remediated immediately or mitigations designed into the next release.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Security Incident Management Procedures are built from NIST 800-61r2.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£25 to £400 per user per month
Discount for educational organisations
Free trial available
Description of free trial
Access to a UAT environment is available for limited time, in order to prove the solution works and is fit for purpose.

Service documents

Return to top ↑