GilbyIM - EDRMSaaS

'GilbyIM' is a best in breed records management system (EDRMS) based on Micro Focus's Content Manager and deployed in the cloud as Software as a Service. An afforadble easy to use solution, to enable your organisation to meet its legaslative, functional and GDPR compliance obligations.


  • Remotely access your records when away for your premises
  • Out-of-the-box ready, fast deployment and implementation
  • Best-in-breed technology used by governments throughout the world
  • Comprehensive security and access controls
  • Supported throughout the contract


  • Ease of use for staff at all levels
  • Speed and efficiency of accessing and saving your records
  • High assurance and Legal Admissibility with full audit logs
  • Automate the management of records
  • Regulatory and Legislative Compliance
  • Respond quickly to DPIAs and embed GDPR requirements
  • Protecting the records that protect your organisation


£495.00 to £9,995.00 an instance a year

  • Education pricing available

Service documents


G-Cloud 12

Service ID

9 5 2 2 2 4 8 8 5 1 3 6 7 3 8


Telephone: 07767871653

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Scheduled maintenance will be carried out outside of working hours (8:00 to 18:00). The customer will be given two business day's notice, if it is expected that the maintenance will require the service to be taken offline.
System requirements
  • The service requires an HTML5 compliant browser
  • The browser must have JavaScript enabled
  • The users' devices must be able to connect to:
  • The users' devices must be able to connect to:
  • The users' devices must be able to connect to:
  • The users' devices must be able to connect to:

User support

Email or online ticketing support
Email or online ticketing
Support response times
Customers may log requests for support by sending an email to support mailbox. The mailbox is monitored during Support Hours (09:00-17:00 on Business Days) only.

Response times for the different priority tickets are:

High: 30 minutes.
Medium: 1 Business Day
Low: 3 Business Days


A user emails the support mailbox at 16:55 on a Friday evening. They will receive a response no later than 16:55 on the following Monday.
User can manage status and priority of support tickets
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard support includes on-boarding, initial training via web, a monthly webinar and email support.

The SLA for email support is as follows:

High Priority: 30 minutes.
Medium Priority: 1 Business Day.
Low Priority: 3 Business Days.

Additionally, a Premium Records Management-as-a-Service support package for schools at £499 per year 24 hour SLA and unlimited questions.
Support available to third parties

Onboarding and offboarding

Getting started
Our on boarding process is designed from the ground up to allow new users to be up and running within days.

We help you by, generating a fileplan, folders, customised access controls and retentions schedules, and issuing licences within two weeks from agreement.

Training can be on-site or web based and both come with a full range of training materials.

We offer assistance or training for importing current records. With this full 'Getting Started' package users to take control of their vital records rapidly.
Service documentation
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
All information is owned by the customer. Upon the end of the contract, the customer may request that the supplier undertakes to provide a copy of all records, and that the supplier destroys any copies of those records (and associated metadata) held within 20 Business Days.

Provided that the volume of customer data does not exceed 450GB, the copy of the customers data will be supplied free of charge on an encrypted hard drive (or similar), securely couriered to the customers premises.

Where the volume of customers data exceeds 450GB further charges, reflecting the costs to the supplier may apply.

The supplier will provide the customer with a Certificate of Destruction upon completion.
End-of-contract process
At the end of the contract:

1) The supplier will disable all customer user accounts.
2) The customer may request that the supplier provide a copy of all of the customer's records stored with the EDRMS, which the supplier will provide within 20 Business Days.*
3) The supplier will destroy any copies of the customer's records stored within the EDRMS and provide the customer with Certificate of Destruction.
4) The supplier shall retain records about its dealings with the customer, such as it is required to do by law.

*All of the above are included in the price of the contract except where the volume of customer data exceeds 450GB, in which case charges may apply. These charges will not exceed the costs incurred by the supplier.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
That service has customisations designed to enhance the user experience. At the time of writing, these customisations have been applied only to the desktop version of the web interface. If the service is accessed from a mobile device, the out-of-the-box Micro Focus Content Manager web interface is presented.
Service interface
Description of service interface
The service has two interfaces: Web & Super User.

The web interface is a customised version of the Micro Focus Content Manager Web Client, optimised for simplicity of user experience.

The Super User interface uses HTML5 to stream a Windows-like client to the user via their browser. This interface is intended only for advanced users.
Accessibility standards
None or don’t know
Description of accessibility
The Content Manager Web Client satisfies the requirements of WCAG 2.1 AAA.

The Super User interface streams a Window-like client to the user via their browser. As such it contains "non-text content" and may have some constraints around accessibility.
Accessibility testing
No specific testing has been carried out with users of assistive technology.
What users can and can't do using the API
No API is provided as part of the standard service. However, Micro Focus Content Manager has a fully documented API which could be exposed if there was specific customer requirement to do so. This would incur additional charges.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available


Independence of resources
The service is based on Micro Focus Content Manager. Content Manager is designed to scale horizontally. That means that it can be configured to optimize compute, or - where appropriate - to isolate one customer’s workload from another. Resource consumption is proactively monitored and, because service is deployed on the public cloud, many components can be scaled vertically at the touch of a button. Some components already use auto-scaling to respond to demand, and there are almost unlimited options to extend approach as the customer base grows.


Service usage metrics
Metrics types
Monthly service reports are supplied. These contain data on: service availability; licence utilisation; data and object storage usage; moves, adds and changes; and inactive/dormant user accounts.

Additionally, the customer is able to access metrics from within the service itself.

Ad hoc reports can be supplied on request.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Micro Focus's Content Manager - In the cloud as SaaS

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
All customer data at rest are held on devices managed by Amazon Web Services. CSA CCM v3.0 and SSAE-16 / ISAE 3402 compliance reports are available for Amazon Web Services.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Individual records may be extracted through normal end-user operation of the service.

Micro Focus Content Manager meets the requirements of the e-GMS (eGovernment Metadata Standard) and e-GIF (eGovernment Interoperability Framework).

For bulk exports, customers may submit a request for their data to be exported and supplied to them in an agreed format. This would normally incur an additional charge.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • Metadata would normally be supplied in XML or CSV format
  • Documents would normally be exported in their native format
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Metadata would normally be supplied in CSV or XML format
  • Document would normally be imported in their native format

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
Where possible, our service requires that communication between the buyer's network uses a minimum of TLS 1.2.

However, some parts of the service require the user to connect directly to a host managed by a third party - Amazon Web Services. These hosts support earlier versions of TLS (1.0 & 1.1). Amazon Web Services intend to deprecate support for TLS 1.0 and TLS 1.1 by the end of March 2021.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The service is guaranteed to be available 97.5% of the time between 07:00 and 19:00 on Business Days (for a definition of Business Days see the accompanying Terms & Conditions document).

If the service fails to meet this SLA, customers will be automatically credited for any excess non-availability, on a pro rata basis.
Approach to resilience
The service leverages public cloud infrastructure as the core of its resilient design. Further information is available on request.
Outage reporting
Users are notified via email in the event of a service outage. Data about service outages are supplied customer in aggregated form, as part of monthly service reporting.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
The approach to authentication can be configured on a per customer basis. Although username and password authentication is available, we strongly encourage all our customers to choose the option to enforce two-factor authentication for their users.
Access restrictions in management interfaces and support channels
Management access is facilitated via “jump servers” or “Bastion hosts”. These devices can only be accessed via two-factor authentication and are isolated from the management users’ workstations.

All security groups used in relation to management interfaces are configured on the basis of the principle of least privilege.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Information Governance Training
Information security policies and processes
We have assigned Information Asset Owners who are trained annually. All information assets are logged on the information asset register and the Information Governance Board meets quarterly to review.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our Change Management approach is designed to enable us to maximise our responsiveness, while minimising risk. For example, our engineers can spin up additional compute resource to meet customer demand without the need to go through an onerous change control process. But, by contrast, any change that relates to security or to the functional operation of the system is rigorously tested in our Non-Live Environment, and must be approved by our Change Advisory Board before being implemented in Production.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The service makes use of various Platform-as-a-Service components. These are automatically patched by the cloud service provider.

Components that run on Windows are automatically patch with Critical Patch Updates using Windows Server Update Service.

The supplier is subscribed for security alerts from the vendors of other software components. Where necessary Critical Patch Updates for these components are applied manually, within 10 days of being made available.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The service incorporates solid perimeter defences, and a robust approach to Identity & Access Management (at both an infrastructure and application level), which means that a compromise involving an unauthenticated users is extremely unlikely. In order to combat the threat posed by an authenticated user, every user action is logged and this data is available to the customer of a self-service basis.

We are also able to support customers in forensic analysis of this audit data.

We have an expedited process for security incidents, and aim to respond within 30 minutes of becoming aware of a potential compromise.
Incident management type
Supplier-defined controls
Incident management approach
Our philosophy is that we should know about a problem (or potential problem) with the service before out customers do. We have numerous automated monitoring and alerts in place to achieve this.

When we become aware of an incident our twin
priorities are restoring the service and letting our customers know what is happening.

We have a culture of continuous improvement, which means that after every incident we hold a Post Incident Review to evaluate whether we could have restored service faster, and whether we can change the way we do things to prevent the same thing happening in future.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£495.00 to £9,995.00 an instance a year
Discount for educational organisations
Free trial available

Service documents