Orcuma Ltd

Multi agency CRM and Case management safer communities software

Provision of Orcuma's multi agency CRM and case management software. Implementation service includes project management, business analysis, software development, configuration, testing (including penetration testing), training, go live support. Post go-live services include support, maintenance, change management, incident management, hosting, data backups and disaster recovery service (IBM Cloud).


  • Self service configuration capability and workflow engine.
  • Inbuilt map screen for hotspot analysis.
  • Document storage and management.
  • Task management with inbuilt escalation management.
  • Ease and speed of access and setup.
  • Ease of data extraction and real time reporting capability.
  • Role based access security configuration.
  • Multi agency case access with manageable actions.
  • Configurable APIs and Web services.
  • Escalation management.


  • Facilitate multi-agency data sharing / collaboration approach.
  • Holistic view of the customer and their interactions.
  • Reduce travelling costs and resource hours.
  • Proactively monitor caseload and processing bottlenecks.
  • Enables and supports a mobile, agile workforce.
  • GDPR compliant software.
  • Data lookups reduce keystrokes / duplication of data/effort.
  • Hold multi-partner datasets for analysis / trend spotting.
  • Manage / collaborate on cases effectively / efficiently 24/7.
  • Full support and maintenance, disaster recovery and data backups.


£300 to £300 per licence per year

  • Free trial available



G-Cloud 11

Service ID

9 3 9 3 4 7 1 9 7 7 2 7 2 4 9


Orcuma Ltd

Paul Mitchell

07958 988930


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No constraints.
System requirements
  • Viewing external SSL-encrypted pages (https) is permitted.
  • No minimum required bandwidth, firewall, DNS or routing requirements.
  • JavaScript must be enabled.
  • PDF viewer is required for the production of some reports.
  • MS Word 2003 upwards, Excel 2003 upwards.

User support

Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels The escalation of the incident will depend upon the priority/severity of an incident. We provide a standard Service Level Agreement.

Support provision is via a dedicated email address and telephone number.

1st Line support – Orcuma helpdesk staff receive the incident details. Resolution can be given here using resolutions to known faults from our Orcuma FIRsT application for recording incidents. If resolution cannot be given in the initial interaction, the incident will be routed to 2nd Line support.

2nd Line support is provided by one of Orcuma's implementation consultants, for analysis and review. If the incident cannot be resolved there, it will be routed to 3rd Line support, the technical team, for investigation. It will remain with them until a fix can be provided.

All support levels are included in costings. All support provided by Orcuma Ltd staff.
Support available to third parties No

Onboarding and offboarding

Getting started Implementation workshops –Workshops held with key process owners. Orcuma configure a prototype FIRsT system from the output of these sessions.

Workshop 1 - Understanding “as is” and “to be” processes, interactions with DCC applications and aligning to how Orcuma’s FIRsT software will support processes eg reporting, workflows, security model and outputs e.g. Emails, Texts. Orcuma’s FIRsT software configured to meet “to be” processes.

Workshop 2 - Demonstration/discussion based on initial configuration of FIRsT (interfaces just to be discussed). Output - Agreed FIRsT application configuration documented. Agreed scope of functionality, data fields, data migration and reports/performance management.

Configuration of Orcuma’s FIRsT software – Software configured based on output from workshops. Released for review in the Test environment for “sandpit” user testing.

Training is from the “to be” processes view so that staff know how to use FIRsT from the agreed operational processes. This is onsite training.

Orcuma will provide a generic user guide as a template - allowing for the creation of bespoke training documentation that can be used for the “train the trainer” sessions.

Orcuma will provide a generic system administrator user guide outlining the key functionality.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At contract end, authorisation to pass back client data must be received from a nominated client contact. The client's data entered in FIRsT would be extracted (into comma separated value format) and transferred back to them (by Orcuma staff) via an agreed method (secure export via FTP would be free but if Orcuma are required to migrate to another system, this would be chargeable). We would then expect written authorisation from the client that we are permitted to permanently destroy their data on FIRsT.
End-of-contract process Authorisation must be received from a nominated client contact that the contract is ending.

Their data (residing in our software) would be extracted (to comma separated value format) and transferred back to them via an agreed method (secure export via FTP would be free but if Orcuma are required to migrate to another system, this would be chargeable).

We would then expect written authorisation from the client that we should permanently destroy all their data that is held by Orcuma.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface No
What users can and can't do using the API Orcuma enable integration to FIRsT using APIs and Web Services. These are developed as and when needed by customers, and currently include functionality to create case and client records, retrieve statuses and create notes for cases. Each user would be given a unique API token and username/password to authenticate against the API or Web Service.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customisation is in the form of different software configuration settings on our software or different reporting outputs/layouts, which may be required in order to support the client's specific operational processes. These will be discussed with the client prior to any implementation and will be tested in the Test environment to ensure they are appropriate to the requirements and have no impact across the software.

There may be a need to customise an element of the existing software code but this is controlled through our change control process and can only be requested and approved by the client's nominated key contact.

Only Orcuma staff or the client's system administrators can apply software configuration settings. Only applicable Orcuma staff can amend any coding / software forms / database elements.


Independence of resources We only use Orcuma staff. This means that we are in control of their annual leave, their work load and their work load scheduling.

Using project planning during an implementation, we can schedule work packages for staff so we know their availability for that work plus capacity for any unscheduled work in that time.

This allows us to react and assign appropriate resources to any unscheduled events, incidents or change requests received from clients. Work is not assigned to any staff without first checking their existing work packages and the expected completion dates of these.


Service usage metrics Yes
Metrics types Uptime percentage over the previous calendar month and then over the previous 12 months.

Number of incidents received (date received) and their category.
Number of incidents closed (date closed) and their category.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Users are required to login with a username and a "strong" password.
“2 factor” authentication over an SSL secure connection can be employed.
Three unsuccessful login attempts and the user’s account will be locked.
No caching of any passwords. Passwords are "masked" and encrypted by a secure hashing algorithm which is unique to each user.
Auto “timeout” if inactive for 30 min.
Forced password reset every 60 calendar days.
Our servers are protected by Anti-Virus and malware software.
For day-to-day access by users, the user’s browser session is encrypted using an extended-validation Symantec SSL certificate.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users can export data sets from our software into comma separated value files. This is standard functionality.

Alternatively, we can extract their data, specific to their requirements, by using an appropriate SQL script.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability In our Service Level Agreement, we endeavour to provide a 99.7% uptime. There is no refund provision if this is not met.
Approach to resilience This is information available on request.
Outage reporting Email alerts are sent to our Technical Services Director with the outage time, description and estimated restoration time.

Emails are sent during the outage to ensure that we are aware of all actions being taken to resolve the outage.

We will email a notification to key client contacts/users when any unplanned outage occurs during normal business hours, as soon as we are made aware of it.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication The user’s browser session is encrypted using an extended-validation Symantec SSL certificate.

Username and "strong" password required. Two factor authentication can be employed.

We can also lock down access to the software by defined IP address(es).
Access restrictions in management interfaces and support channels Users need to be properly authenticated before being allowed to perform management activities, report faults or request changes to the service.

We allow clients to manage their own user base.

Users can report faults directly to our support desk but they must include our nominated client super user.

All requests to Orcuma for any type of management activity or change request must come through email. We have a nominated client super user for every client. They are responsible for emailing change requests and approving them. All change request approvals must be via email.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials PLUS
  • Information Assurance for Small and Medium Enterprises (IASME)
  • IBM BlueMix ISO 27001
  • IASME - GDPR accredited

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Cyber Essentials Plus and Information Assurance for Small and Medium Enterprises - GDPR accredited version.
Information security policies and processes We have a named company director who is responsible for our Information Security Management System as well as data protection. Information security is a standing agenda item at our board meetings as well as monthly directors' meetings.

We have an up to date ISMS risk assessment (approved at board level along with all policies) and it has been reviewed in the last 6 months.

We also have policies for data protection, asset management register, access and physical management security, security incident management, disaster recovery and business continuity. These policies are distributed to all Orcuma employees on starting employment and again when updated. All staff are reminded verbally of their information security responsibilities on a weekly basis.

Our ISMS policies and data protection policy are all included in our employees' contracts and company disciplinary procedures.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Orcuma will provide a standard change request template for completion.

We review the change request requirements and discuss potential configuration options with the client.

Change requests are logged and may have a system requirements document developed, outlining requirements, system areas affected, the procedure for backing out the change, development time and (potential) cost, and any penetration testing required. This goes back to the client for approval or rejection.

One month before implementation, an upgrade document will be issued detailing changes included in any upgrade and potential impact in the software. Orcuma may need to provide training sessions to key users.
Vulnerability management type Supplier-defined controls
Vulnerability management approach IBM BlueMix (ISO27001 accredited) provide our hosting facilities. They provide automatic hardware upgrades and software patches to their anti malware, anti virus and firewall software packages. We are notified of all changes to our servers. They provide our vulnerability management process on our hosted environment.

Our Technical Director gets regular weekly electronic (email/Twitter) security briefings (and news articles) and will act accordingly and immediately (same calendar day) if a threat is perceived to our software. We perform regular (6 and 12 month) penetration testing using IBM's Appscan programme and will act the same calendar day if a fix is required.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Anti malware and anti virus software are installed on our servers. Our hosted environment resides in a “DMZ” and is controlled by firewalls to prevent intrusion.

Regular penetration testing also takes place.

There is a protective monitoring script that runs every 30 mins on the server identifying any changes to database structure or file system. We use NESSUS vulnerability scanner to identify any issues requiring attention on the server environment.

Three unsuccessful attempts to login to FIRsT and the user’s account will be locked. When users request a password, we are notified of this action to identify potential "brute-force" hacking attempts.
Incident management type Supplier-defined controls
Incident management approach We have an incident management SLA which stipulates response and resolution times and categorisation. We provide a support helpdesk via email, telephone or online medium to report incidents.

All incidents are logged and tracked. Incidents are routed to the relevant person(s). Once fixed, they record the process/change on our Orcuma FIRsT environment. The fix will then be applied and the user informed. The user will be asked to confirm that the incident is resolved. If yes, the incident is changed to reflect that the fix has been confirmed. If not, the case can be re-opened and updated.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £300 to £300 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial The organisation must sign our Non Disclosure Agreement before accessing our software.

All functionality is included and the trial lasts 30 calendar days. Then the trial accounts are made inactive and locked.

Trial extensions can be granted by discussing with our support team.
