Sarax Limited

Sarax Digital Landscape and Evidence Warehouse

Evidence Warehouse lets forces share evidence with the CPS through an Upload Multimedia capability, gives the CPS a review and onward-sharing-to-defence capability, provides secure access and OIC/CJU-managed cases, and is EDAMM compatible.

Features

  • Hosted in the Cloud with storage options.
  • Share evidence digitally across networks, safely and securely
  • Interface with the CPS through its current tactical solution Egress
  • Consistent way to share digital evidence with CJS partners.
  • Provide a new capability to policing that’s cost effective
  • Digital evidence available at the earliest stages of criminal prosecution
  • Interface with the CJS Common Platform through EDAMM API
  • Eliminate force reliance on sharing evidence physically using disks

Benefits

  • Officers and staff having more time for other priorities
  • Reducing the risk of finable data protection violations
  • Reputational benefits for policing
  • Reduced CJS process time
  • Reduced risk of lost or compromised evidence
  • Enhanced decision making
  • Real time review & request of evidence with CJS
  • Reduced risk of force systems being compromised
  • Evidence available at earliest stage of a prosecution

Pricing

£5286 to £10686 per virtual machine per month

Service documents

Framework

G-Cloud 11

Service ID

942137445716847

Contact

Sarax Limited

Mark Balaam

07775 930125

mark.balaam@sarax.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Existing Computer Aided Dispatch systems can locate a caller through a database of telephone numbers for fixed lines, but are unable to take advantage of the GPS in a caller's smartphone. Additionally, services for language translation and text messaging emergencies for the deaf can be supplemented.
Cloud deployment model
Public cloud
Service constraints
Live video streaming is currently not supported in the iOS browser.
System requirements
  • Data and GPS enabled smartphone.
  • Internet access / connection.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We operate a priority based approach based on the customer's requirements.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
Tickets are responded to based on the SLA agreed with the client. These SLAs reflect the priority of the service being supported. Faster guaranteed response times increase support costs. Some examples of agreed support levels are:

• Monday to Friday 09:00 until 17:30 excluding Bank Holidays. Only trained & qualified engineers assist with support issues, either remotely or on site.

• 7 days, 24 hours support including all holidays. Only trained & qualified engineers assist with support issues, either remotely or on site.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Sarax engineers work with clients through a discovery and assessment process to create a software requirements list based on current and future user demand and loading. This includes detailed billing, monitoring, log access, security, load balancing, clustering, and storage resiliency (backup, replication and recovery), as well as identifying SLAs and high availability requirements. Application interdependencies, network configurations, and security and compliance requirements are established. Subsequently a planning phase is executed to define the cloud infrastructure, including services such as networking and security, to ensure the right mix of storage. The pilot and testing phase validates the test data migration and synchronization, measures performance and validates security controls.

Client teams are supported through the migration, typically using a phased approach, to allow ongoing progress review and plan adjustment if material diversions from the plan occur. Migration is monitored, reviewed and adjusted accordingly and then transitioned into IT to successfully manage ongoing operations. We will work in partnership with clients to determine the business needs that drive change and will help identify the optimum information and technology to best meet those needs.

Effective change management reduces the potential impact of any change upon the current service and ensures a faster response to implementing agreed changes.
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
Data can either be stored in the cloud or regularly transferred to a customer on-site facility. The customer's data is only temporarily hosted by us; as part of the business-as-usual process the data will be transferred to the customer's systems, so at the end of the contract no customer data will be stored by us.
End-of-contract process
The end of the contract will have been either scheduled (with a cross over of services between the old and the new providers) or unscheduled due to a termination of the contract, which is provided for within the contract. Data belonging to the customer will be transferred as above within a maximum of 30 days after the end date of the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile user interface has been optimised for the mobile experience, keeping a simple large interface and minimising the number of buttons and choices for the mobile user.
Service interface
No
API
Yes
What users can and can't do using the API
Our API can be used to integrate our service into the buyer's existing applications / systems.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • ODF
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The interface is customisable, using windows that can be moved, resized or minimised. The look and feel can also be modified to meet the customer's workflow and user experience requirements including co-branding.

Scaling

Independence of resources
The software uses Microsoft's Azure Cloud which provides automatic scaling.

Analytics

Service usage metrics
Yes
Metrics types
Usage, reliability and uptime.
Reporting types
Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Meta Cannect

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
We provide a reporting interface that allows users to export their data. The data will be exported into PDF and, where video data is provided, into an MP4 file.
Data export formats
Other
Other data export formats
  • PDF
  • MP4 for video
Data import formats
Other
Other data import formats
There's no intention to upload data, other than through usage.

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We offer a guarantee of 99% reliability, taking into account scheduled downtime for system updates and other essential maintenance agreed in advance.

Downtime is defined as when the user can't access our service and is measured in minutes. Downtime does not include the failure of the customer's ICT infrastructure or failure of 3rd party software, hardware or services not under Sarax's control.
Our monthly uptime percentage can be calculated using the following formula:
(User minutes - Downtime) / User minutes x 100.
If the uptime of the service falls below 99% in a month the following service credits will apply:
• <99%: 10% service credit
• <95%: 25% service credit
• <90%: 50% service credit
Service credit is defined as a discount on the next month's cost of the service.
Approach to resilience
Our service is hosted within Microsoft Azure data centres, which provides our core environment with a guaranteed availability of 99.5%.

We actively monitor the availability of the service and can respond to service disruption 24x7.

We are able to tailor the resilience architecture to match the requirements of our customers.
Outage reporting
In the event of a service outage, we will notify the customer via an email to a nominated address.

Should a client require a different notification mechanism, we will work with them to find an appropriate solution.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Management interfaces are restricted to management user credentials.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Sarax implements formal, documented policies and procedures that provide guidance for operations and information security. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Line managers in association with our security team are responsible for familiarising employees with security policies.

We are working to establish governance processes and policies in line with the CSA CCM 3.0.1 cloud controls matrix. Our goal is to reach CSA STAR level 1 within the next 12 months.
Information security policies and processes
Sarax implements formal, documented policies and procedures that provide guidance for operations and information security. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Line managers in association with our security team are responsible for familiarising employees with security policies.

The output of internal security reviews includes any decisions or actions related to:

• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We maintain a register of service components, software libraries and APIs. This register is used in conjunction with our system architecture documentation to understand the security impact of each component.

Where the suppliers of these services issue updates, we review the release notes to understand the security implications of the changes.

Following any changes or updates the system will be subject to our test process in a non-live environment prior to the live environment being updated.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We run a monthly vulnerability scan against our service, using an automatic vulnerability scanner. This scanner assesses and categorises the potential vulnerabilities.

We prioritise the vulnerabilities in line with the guidelines published on the NCSC website.

Depending on the severity of the vulnerability we will aim to provide a patch as soon as a fix is available, and has been tested against our test process. This is integrated with our change control policy.

Our VAS scanner is regularly updated with the latest vulnerabilities. We also monitor technical news for information.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We maintain an audit log of all connections to our service. This log is regularly analysed to identify suspicious activity.

The frequency of the analysis will be agreed with the client, along with criteria to assess suspicious activity.

Once an incident has been identified, we will identify the severity and impact. This will then be managed via our incident management processes.
Incident management type
Supplier-defined controls
Incident management approach
We are in the process of developing our incident management processes to conform to the requirements in the CSA CCM 3.0.1.

Users can report incidents by email to our support team.

Where an incident has been reported, we will retrieve the relevant logs including from the service and OS to assist with the investigation.

We provide incident reports via email, including the outcome of our investigation and supporting evidence such as logs.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5286 to £10686 per virtual machine per month
Discount for educational organisations
No
Free trial available
No
