Symphonic Software

Symphonic IAM Platform

Symphonic provides a software solution to allow clients to manage their organisational policies for data and service access. This is effected through a combination of a user-friendly Policy Manager, and a rich integration capability for connecting data attributes and service definitions. Full audit capabilities provide strong access governance.


  • Fine grained policy based access control
  • Policies can be used to govern policy management (self-governance)
  • Ability to create and mange workflows and decisions
  • Dynamically retrieve and transform data from new or legacy services
  • A lightweight, scalable, elastic and easy run-time engine.
  • One unified platform for access management across the enterprise.
  • Ability to quickly build and adapt policies around business needs
  • Enterprise level information governance via performance and audit logs
  • Complete ability to decouple access control policy from the SDLC
  • Configuration can be stored, version controlled and collaborated on


  • Delivers compliance with privacy regulations such as GDPR
  • Reusable policies and rules reduce costs.
  • Enforces consistent governance standards among data-sharing partners.
  • Enables Business Users to share policy management with IT functions.
  • Enables data-sharing partners to build trusted integrated eco-systems.
  • Provides a single source of truth.
  • Provides a full audit of access decisions.
  • Enhances current “RBAC” approaches adding required context of any access.
  • Enables consent and data-sharing access decisions.


£95,000.00 to £140,000.00 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

9 3 8 2 2 6 3 6 5 9 7 6 9 1 2


Symphonic Software Derick James
Telephone: 01312902318

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
System requirements
  • Connectivity of enforcement points to PDP decision end-point
  • Connectivity from PDP to all information points

User support

Email or online ticketing support
Email or online ticketing
Support response times
We offer a 24/7/365 support model and we respond to questions or issues initially within 30 minutes, aiming to have a resolution in place for serious P1 issues within 2 hrs.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
We operate a 24/7/365 support model. We aim to be communication (either via conference call or by telephone) within 30 minutes of a call being raised. We triage calls on a Priority 1 to 4 scale with P1 and P2 calls having an SLA of 2 and 4 hrs respectively and a P3 incident by 8 hrs, P4 calls are dealt with within 40 hrs. We work with clients to agree the definitions of P1-4 based on the clients needs. This support level is included within our service cost model. We support clients with a named technical account manager who can be contacted directly and we encourage account management meetings at regular intervals.
Support available to third parties

Onboarding and offboarding

Getting started
We attempt to make on-boarding of the platform as simple as possible and we support a mixed approach to training, where working with the client we are able to tailor a training package to meet their needs. We also provide a comprehensive product manual.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
We have an open API through which the data can be extracted. We can also provide snapshots in JSON format that include all data.
End-of-contract process
All decommissioning of all software and hardware (virtual or real) is the responsibility of Symphonic and we will perform all tasks with the exception of data extraction to close down our service at the end of contract. There is no charge to the client for this service.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
We provide a single page web application for policy creation, management and deployment.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
We have been assessed independently as part of a major implementation into a large retail bank in the UK.
What users can and can't do using the API
All functionality of the platform is available through our API. Our web based service interface utilises our API for all operations. Our API is restful and specified using Swagger. The API can be used via an HTTP client. Authentication is usually via OIDC, however we support other forms of authentication e.g. LDAP.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
Our Trust Framework can be customised to suit the particular authorisation environment of our clients, (this includes specifying data sources for authorisation information).

Policies will also be customer specific, users make these customisation via our web based service interface . The ability to make changes can be controlled by our self-governance policies and we find clients usually adopt a hybrid approach of business users and IT professionals.


Independence of resources
We provision infrastructure separately for different clients. Within a client we provide automatic scaling to cope with increases in demand.


Service usage metrics
Metrics types
We provide a comprehensive set of metrics that captures the that includes:

- Usage levels (overall, by cohort e.g. dept\division etc)
- Performance and error metrics for the platform
- Performance and error metrics for other integrated services
- Availability and uptime metrics.
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be exported through our rest API or via a snapshot functionality that provides data in a JSON format.
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Approach to resilience
All of our resources are deployed across multiple AWS availability zones ensuring that an outage at a datacentre level will not cause an outage in our service. Databases are set to fail over across availability zones and our services have health checks to ensure that any unhealthy machines are detected and replaced.
Outage reporting
We can report on any outages through a real-time metrics dashboard or through our API dependent on client wishes.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
We have a self-governance feature that enables access to our administration interface to be governed using the same powerful access control policies that govern all other access to data.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All areas are covered
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Information Security Management System
Information Security Policy
Supplier Security Policy
Information Sharing Policy
Access Control Policy
Acceptable Use of Assets Policy
Secure Software Engineering Principles

The structure of our security management team is set out below:

Senior Information Risk Officer (SIRO) reports to the CEO and Board
Information Security Officer (ISO) reports on the day to day activities to the SIRO
All Staff - Monitor and report and issues or concerns regarding security to the ISO or SIRO

We have security objectives set each year and these are monitored throughout the year for compliance. We also have an internal Audit function that reviews all processes and standards on a yearly basis.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Info needed on how we track components *

We do a security impact assessment on all proposed changes. Changes are then triaged to our Change Advisory Board (CAB) for acceptance or rejection. The CAB are bound by the risk appetite process where the board direct the business on the acceptable level of risk we can carry in the software. Any additional security risk is calculated against this appetite and a decision regarding implementation made.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use a risk based approach to managing vulnerabilities. We class our software as an asset and we then regularly review the threats to and vulnerabilities of the asset. All vulnerabilities are scored and treated with controls if the breach threshold.

We triage all issues and incidents and can issue (dependent on the complexity of the change) a patch between a few days and a few weeks of the change being green lighted.

We have a security team that are very experienced and monitor for threats using intelligence collated through experience, contacts and our large customer base.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
To be completed.
Incident management type
Supplier-defined controls
Incident management approach
We have pre-defined processes for common events and also provide product information that helps clients self-diagnose issues and correct them.

Users can report incidents by email or phone. Users provide enough information to enable our support team to understand the issue and feel comfortable to contact the client within 30 minutes.

Each incident is recorded and a postmortem report generated - we also have extensive analytics around incident management and these can be configured to suit the needs of the client.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)


£95,000.00 to £140,000.00 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
We provide a free licence to trial our product as a controlled Proof of Concept. A PoC should only last for a short 4-6 week period including all environmental set-up and testing. We also provide a PoC support team and these may be charged dependent on the complexity of PoC.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.