Sarax Limited

Sarax Digital Landscape and Evidence Warehouse

Evidence Warehouse gives the ability for sharing evidence with CPS through Upload Multimedia capability, gives CPS Review and onward sharing to defence capability, provides secure access, OIC/ CJU managed cases and is EDAMM compatible.


  • Hosted in the Cloud with storage options.
  • Share evidence digitally across networks, safely and securely
  • Interface with the CPS through its current tactical solution Egress
  • Consistent way to share digital evidence with CJS partners.
  • Provide a new capability to policing that’s cost effective
  • Digital evidence available at the earliest stages of criminal prosecution
  • Interface with the CJS Common Platform through EDAMM API
  • Eliminate force reliance on sharing evidence physically using disks


  • Officers and staff having more time for other priorities
  • Reducing the risk of finable data protection violations
  • Reputational benefits for policing
  • Reduced CJS process time
  • Reduced risk of lost or compromised evidence
  • Enhanced decision making
  • Real time review & request of evidence with CJS
  • Reduced risk of force systems being compromised
  • Evidence available at earliest stage of a prosecution


£5286 to £10686 per virtual machine per month

Service documents

G-Cloud 11


Sarax Limited

Mark Balaam

07775 930125

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Existing Computer Aided Dispatch systems can locate a caller through a database of telephone numbers for fixed lines, but are unable to take advantage of the GPS in a caller's smartphone. Additionally services for language translation, text messaging emergencies for the deaf can be supplemented.
Cloud deployment model Public cloud
Service constraints Live video streaming currently not supported in IOS browser.
System requirements
  • Data and GPS enabled smartphone.
  • Internet access / connection.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We operate a priority based approach based on the customer's requirements.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Tickets are responded to based on the SLA agreed with client. These SLAs reflect the priority of the service being supported. The faster guaranteed response times increase support costs. Some example of agreed support levels are:

• Monday to Friday 09:00 until 17:30 excluding Bank Holidays. Only trained & qualified engineer's assist with support issues either remotely or on site.

• 7 days, 24 hours support including all holidays. Only trained & qualified engineer's assist with support issues either remotely or on site.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Sarax engineers work with clients through a discovery and assessment process to create a software requirements list based on current and future user demand and loading. This includes detailed billing, monitoring, log access, security, load balancing, clustering, and storage resiliency: backup, replication and recovery. Identifying SLAs and high availability requirements. Application interdependencies, network configurations and security and compliance requirements are established. Subsequently a planning phase is executed to define the cloud infrastructure including services such as networking and security to ensure the right mix of storage. The pilot and testing phase validates the test data migration and synchronization, measures performance validates security controls.

Client teams are supported through the migration, typically using a phased approach, to allow ongoing progress review and plan adjustment if material diversions from the plan occur. Migration is monitored, reviewed and adjusted accordingly and then transitioned into IT to successfully manage ongoing operations. We will work in partnership with clients to determine the business needs that drive change and will help identify the optimum information and technology to best meet those needs.

Effective change management reduces the potential impact of any change upon the current service and ensures a faster response to implementing agreed changes
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction Data can either be stored in the cloud or regularly transferred to a customer on site facility. The customer's data is only temporarily hosted by us, as part of the business as usual process the data will be transferred to the customer's systems, so at the end of the contract no customer data will be stored by us.
End-of-contract process The end of the contract will have been either scheduled (with a cross over of services between the old and the new providers) or unscheduled due to a termination of the contract, which is provided for within the contract. Data belonging to the customer will be transferred as above within a maximum of 30 days after the end date of the contract.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile user interface has been optomised for the mobile experience, keeping a simple large interface, minimising the number of buttons and choices for the mobile user.
What users can and can't do using the API Our API can be used to integrate our service into the buyers existing applications / systems.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The interface is customisable, using windows that can be moved, resized or minimised. The look and feel can also be modified to meet the customer's workflow and user experience requirements including co-branding.


Independence of resources The software uses Microsoft's Azure Cloud which provides automatic scaling.


Service usage metrics Yes
Metrics types Usage, reliability and uptime.
Reporting types Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Meta Cannect

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach We provide a reporting interface to allows users to export their data, the data will be exported into PDF and where video data is provided into an MP4 file.
Data export formats Other
Other data export formats
  • PDF
  • MP4 for video
Data import formats Other
Other data import formats There's no intention to upload data, other than through usage.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We offer a guarantee of 99% reliability, taking into account scheduled downtime for system updates and other essential maintenance agreed in advance.

Downtime is defined as when the user can't access our service and is measured in minutes. Downtime does not include the failure of the customer's ICT infrastructure or failure of 3rd party software, hardware or services not under Sarax's control.
Our monthly uptime percentage can be calculated using the following formula:
(User minutes - Downtime) / User minutes x 100.
If the uptime of the service falls below 99% in a month the following service credits will apply:
<99% 10% service credit
<95% 25% service credit
<90% 50% service credit
Service credit is defined as a discount on the next months cost of the service.
Approach to resilience Our service is hosted within Microsoft Azure data centres, this provides our core environment with a guaranteed availability of 99.5%.

We actively monitor the availability of the service and can respond to service disruption 24x7.

We are able to tailor the resilience architecture to match the requirements or our customers.
Outage reporting In the event of a service outage, we will notify the customer via an email to a nominated address.

Should a client require a different notification mechanism, we will work with them to find an appropriate solution.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Management interfaces are restricted to management user credentials.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Sarax implements formal, documented policies and procedures that provide guidance for operations and information security. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Line managers in association with our security team are responsible for familiarising employees with security policies.

We are working to establish governance processes and policies in line with the CSA CSM 3.0.1 cloud controls matrix. Our goal is the reach CSA STAR level 1 within the next 12 months.
Information security policies and processes Sarax implements formal, documented policies and procedures that provide guidance for operations and information security. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Line managers in association with our security team are responsible for familiarising employees with security policies.

The output of internal security reviews include any decisions or actions related to:

• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We maintain a register of service components, software libraries and APIs. This register is used in conjunction with our system architecture documentation to understand the security impact of each component.

Where the suppliers of these services issue updates, we review the release notes to understand the security implications of the changes.

Following any changes or updates the system will be subject to our test process in a non-live environment prior to the live environment being updated.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We run a monthly vulnerability scan against our service, using an automatic vulnerability scanner. This scanner assesses and categorises the potential vulnerabilities.

We prioritise the vulnerabilities in line with the guidelines published on the NCSC website.

Depending on the severity of the vulnerability we will aim to provide a patch as soon as a fix is available, and has been tested against our test process. This is integrated with our change control policy.

Our VAS scanner is regularly updated with the latest vulnerabilities. We also monitor technical news for information.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We maintain an audit log of all connections to our service. This log is regularly analysed to identify suspicious activity.

The frequency of the analysis will be agreed with the client, along with criteria to asses suspicious activity.

Once an incident has been identified, we will identify the severity and impact. This will then be managed via our incident management processes.
Incident management type Supplier-defined controls
Incident management approach We are in the process of developing our incident management processes to conform to the requirements in the CSA CCM 3.0.1.

Users can report incidents by email to our support team.

Where an incident has been reported, we will retrieve the relevant logs including from the service and OS to assist with the investigation.

We provide incident reports via email, including the outcome of our investigation and supporting evidence such as logs.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5286 to £10686 per virtual machine per month
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑