TRL Limited

iMAAP Cloud: Crash Data Analysis & Road Safety Management Solution

iMAAP from TRL is the most widely used cloud solution for road crash data analysis, evaluation and road safety management system across the world. Designed for police forces, local authorities and highway authorities, iMAAP helps road safety professionals reduce the number and severity of crashes and casualties.


  • The most widely adopted off-the-shelf road safety management solution globally
  • Produced by UK’s Transport Research Laboratory (TRL) Road Safety Experts
  • Identify problems based on in-depth analyses of crash data
  • Establish measurable, realistic road safety goals based on identified problems
  • Established track record of global implementations for improving road safety
  • Flexible, user-configurable crash data forms compatible with CRASH/NICHE formats
  • Supports multiple, map providers to render Geospatial(GIS) data
  • Comprehensive, advanced road safety analysis capabilities based on road-safety research
  • High-performance, secure web-application fully supported by roadsafety/software team.
  • Responsive web application which works on all popular mobile devices/smartphones/tablets/browsers


  • Identify problems based on in-depth analyses of crash data
  • Establish safety goals to implement road safety countermeasures
  • Assist with the formulation of strategy, target setting/performance monitoring
  • Comprehensive spatial analysis and the identification of hazardous locations(blackspots/hotspots)
  • Designed/developed by road safety experts based on roadsafety research.
  • Helps clients to produce practical, real world, road safety benefits
  • Links to iRAP and road asset management systems
  • Provide stakeholders with reliable access to quality data/reporting
  • Simple, web-based solution accessible to browsers and mobile devices
  • Produce analysis, insights for economic benefits of remediation works


£10000 per instance per year

  • Education pricing available

Service documents

G-Cloud 11


TRL Limited

Subu Kamal

01344 379743

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints IMAAP is subject to planned maintenance schedules administered by TRL which will be informed in at least one week in advance.
System requirements
  • IE11+, Firefox, Chrome, Safari, or Opera web browser
  • Standard internet browsers

User support

User support
Email or online ticketing support Email or online ticketing
Support response times As per the Service Level Agreement detailed in our Terms and conditions our Support Team's working hours will be from 0900 hours UK Time to 1600 hours UK Time from Monday to Friday. Saturday and Sunday will not be considered as working days, along with the annual public holidays.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels All support queries are routed through the support team and are dealt with at the appropriate escalation levels starting with First Line Support > Support Team > Product Managers > Director Level staff.

Support related costs are included in the price regardless of which level the issues are being handled at.

Each client is assigned a project manager for the implementation stage, up until user acceptance testing is completed.

Thereafter, the project is assigned to the services support team.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started A combination of on-site and online training is provided for iMAAP onboarding. Training documentation is provided and a dynamic searchable user guide is available from within the application.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At the end of the contract and including at any time during the contract, authorized users are able to export data in standard formats.
End-of-contract process Users will be intimated through designated emails that their contract is coming to an end one month before the contract expiry date. Designated users will be advised to carry out an export and copy all data that has been generated during the contract. At the end of the contract date, all user logins will be deactivated. Costs may apply if the client requires data to be provided in unsupported formats.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service User interface will be automatically optimized for mobile devices since iMAAP is a responsive web application. In some user interfaces, the amount of data displayed will be optimized for best viewing in mobile devices.
Service interface No
Customisation available No


Independence of resources IMAAP is hosted on Amazon Web Services (AWS). When there is a demand, when the application automatically scales with the auto-scaling features offered by AWS.
The scaling is determined based on CPU usage, memory usage, network throughput and other key parameters that could affect the application performance.


Service usage metrics Yes
Metrics types System usage, Browser usage, Feature Usage, date and time based usage, device type, device usage, user based metrics.
These are provided through Usage Statistics Module within iMAAP for authorized users.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach IMAAP is hosted in AWS. AWS ensures the industry standard data at rest compliance for its services. Application data and assets are strongly encrypted and stored at any point of time.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach There is an export module in the iMAAP software which helps users to export data any time to CSV and standard formats.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • PDF
  • Text
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability For scheduled maintenance, we shall inform the client at least 2 weeks in advance for a maintenance downtime of one hour.

The service is normally available 24x7. The service is intended to be available except during scheduled and unscheduled maintenance windows.
Approach to resilience Application is hosted in multiple AWS zones in the UK. Further information available on request.
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels IMAAP follows a role-based authentication and authorization to manage its resources.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 NQA Certification Limited, LU5 5ZX
ISO/IEC 27001 accreditation date 10/05/2018
What the ISO/IEC 27001 doesn’t cover No exclusions in the TRL statement of applicability.
Below are covered:
The provision of research, consultancy, expert advice, project management services and software development in connection with transport; the environment; sustainability; natural resources and waste management in accordance with the Statement of Applicability dated 18/05/2017
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 27001
  • Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes TRL is committed to maintaining and continually improving an Information Security Management System (ISMS) that satisfies applicable requirements and is certified to the international standard ISO/IEC 27001:2013.

The objectives of the ISMS policy are to establish and maintain the security and confidentiality of information systems, applications & networks owned or held by TRL within which:
· Members of staff are aware of their roles, responsibilities and accountability and fully comply with the relevant legislation;
· Information assets under the control are adequately protected against unauthorised access;
· Information assets and supporting business processes, systems and applications, will be protected by implementing appropriate controls to preserve their confidentiality, integrity and availability;
· Risks to information assets will be actively identified and assessed to identify controls that reduce risks to an acceptable level;
· Confidentiality of information is protected;
· Third parties with access to information assets under the control of TRL will be assessed to ensure they meet the necessary information security requirements;
· Business continuity plans are in place and will be tested periodically;
· Actual or suspected information security breaches are identified, analysed and investigated;
· Information security objectives are monitored and reviewed annually at the Management Review Meeting;

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Configuration management of source and documents is done by Git processes. Change management process subscribes to ISO standards.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Conduct regular vulnerability checks, penetration tests and audits. Patches are deployed as hot fixes as soon as possible as a response to any vulnerability detected.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Provocatively observe for unusual network traffic using AWS tools. Constantly monitor audit logs and access logs for suspicious activities. Adequate measures as suggested by in-house security experts will be taken based on the nature of compromise. All incidents will be dealt immediately.
Incident management type Supplier-defined controls
Incident management approach Predefined processes and procedures for InfoSec events and incidents.
The event or security incident is recorded, investigated and corrective / improvement actions are identified including the root cause.
Infosec incidents, events and weaknesses are reported via the helpdesk, in person to the IT, Compliance or the Senior Management team.
Any actual or suspected incident is promptly reported within 24 hours providing key details.
All incidents requires an in depth investigation to establish the facts and to determine what went wrong and how to prevent the issue reoccurring. An Internal Investigation Form is completed and issued to the CEO and FD.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10000 per instance per year
Discount for educational organisations Yes
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑