Boomalert’s incident communication software enables the distribution and receipt of broadcast communications over SMS, Voice and Email and the escalation of urgent or critical messages. This ensures that an organisation can plan and prepare effectively for critical incidents, and consequently mitigate against the negative impact that might otherwise occur.
- Fully automated and interactive critical communication management
- Dynamically escalate communications through groups/individuals and across communications channels
- Provide live reporting for real-time visibility into incident progress
- Build/implement dynamic, layered communications workflows via a user interface
- Utilise multiple communications channels repeatedly as required
- Remote activation via Email, SMS, GUI, Machine alerts, API
- Run simultaneous workflows to different business entities during incidents
- Minimise service disruption and the negative impact of critical incidents
- Manage incidents by exception to reduce resolution timescales
- Improve speed and efficiency of decision-making in real-time
- Fulfil duty of care requirements
- No end user impact - no download required
- Improve safety of staff and stakeholders in isolated situations
- Limit the impact of business continuity or disaster recovery incidents
- Full visibility of large scale personnel mobilisations
- Enhance governance by maintaining a full audit trail of communications
£9600 to £730000 per licence per year
- Education pricing available
+44 207 224 5555
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Service constraints||There are no constraints that would impact the user. The service is evergreen therefore all upgrades, maintenance and developments are seamless to the user.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Response time within an hour, regardless of day or time.|
|User can manage status and priority of support tickets||No|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Onsite support|
|Support levels||There are two levels of support: working hours and 24 / 7|
|Support available to third parties||Yes|
Onboarding and offboarding
On-boarding documentation is completed to ensure that services are provisioned according to a customer's requirements. When accessing the Service, set-up wizards are used to guide a customer through the implementation steps and aim to provide a baseline overview of the system functionality.
The user interface also provides user documentation and an in-application help library, supported by FAQs and troubleshooting.
Where required, we provide on-site training, user guide documents and telephone support. The in-built help facility is comprehensive and adaptive.
|End-of-contract data extraction||
Data can be extracted at any time into Excel or CSV format. For data extraction requests requiring manual intervention, all transactional consumer data will be removed from all systems; including computers, storage devices and other storage media once provided to the customer. After a service has been decommissioned, a request to access data must be submitted in writing, specifying the data required and the timeframe over which it is required.
A limit on the time period over which data extraction requests can be fulfilled (e.g. previous 6 months) may apply.
Requests for data would usually be completed within 48 working hours at no cost to the customer.
Upon completion of data extraction and after this has been provided to the customer, all transactional consumer data will be removed from all systems; including computers, storage devices and other storage media.
We have a controlled exit process in line with our Information Security Management System that manages the extraction or removal of data securely. All service cancellation requests must be submitted in writing and are subject to the cancellation period stated in the contract (standard 30 days). Where any additional services have been contracted (dedicated or shared inbound short code services, for example), the terms of these agreements will remain in place.
The service will remain active up to the agreed cancellation date and upon reaching the cancellation date, will be fully decommissioned and all subsequent requests to the service will be blocked. The customer will be obliged to pay any outstanding monies for subscriptions or message transactions that have not already been invoiced.
Personal information can be removed by customers directly in line with our off-boarding processes. We can do this on behalf of the customer for non-standard requests (such as transactional message data), for which there may be a small cost. Please note that during the on-boarding process, customers can specify elements of personal data that are to be automatically deleted on completion of a message transaction (mobile numbers or message content).
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||No difference|
|Accessibility standards||None or don’t know|
|Description of accessibility||N/A|
|What users can and can't do using the API||The API can be used to trigger cascades|
|API documentation formats||
|API sandbox or test environment||No|
|Description of customisation||The UI is totally customisable|
|Independence of resources||
The nature of the service and the speed of processing are such that our systems have headroom for far more traffic than system users could possibly be able to generate.
The hardware supporting the Services is provisioned with resources that are managed by VMware and resources can be spread across the Cloud as and where required. The baseline resources provide substantial headroom to accommodate dramatic spikes in messaging activity. System utilisation is monitored and notifications are triggered based on pre-defined thresholds being reached. These thresholds are set to ensure that additional resources can be applied before the service is impacted.
|Service usage metrics||Yes|
|Metrics types||Either a 'live' dashboard for management or pushed csv file reports emailed to the management.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users export data before the term ends or request export from Boomerang|
|Data export formats||CSV|
|Data import formats||
|Other data import formats||Manual typing|
|Data protection between buyer and supplier networks||Private network or public sector network|
|Data protection within supplier network||
Availability and resilience
|Approach to resilience||
The platform has been designed and built to achieve 5x9 service availability. VMware provides full hardware fault tolerance along with multi-site failover in the event of a Data Centre outage or network issue. Failover between data centres can be achieved within minutes to help minimise the impact of a site-isolated disaster. In the event of an issue at the application level, we are able to roll back cluster instances in real time via snapshots that are maintained via our SAN architecture. Node failure does not impact the production platform as VMware fences the node and ejects it from the running cluster without service impact. Version 5 is currently used with ‘DRS Configuration’ post failover, along with the VMware Fault Tolerance module.
All Services are replicated between sites: both memory and disk blocks are replicated in real time via VMware and SAN-to-SAN replication. As such, when implementing a site failover, both memory and data are captured and replicated, thus removing any transition loss.
|Outage reporting||Outages are very unlikely to occur as the system has built-in resilience from its fail-over composition, but in the exceptionally unlikely event of an outage, clients are alerted by dashboard or direct email.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||User defined hierarchical layered controls dictate permissions across the system.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
The organisation currently complies with a range of the requirements, policies and controls that map to ISO 27001:2013. Our practices will also ensure compliance with the information security and privacy elements expressed in the EU General Data Protection Regulations. The following ISO 27001:2013 focused tools, policies and frameworks are either in place or in the process of being implemented:
- An information security management system (ISMS) consisting of detailed policy controls in line with ISO27002
- Regular management reviews
- Risk management methodology
- Regular staff training
- Performance evaluation and audits with corrective actions
|Information security policies and processes||
Our policies and controls are in line with ISO 27002 to address risks and requirements in the areas of:
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier selection and management in life, including a robust segmented approach to supplier work based on the information assets the suppliers have access to in line with the risk assessment
- Information security incident management (including readiness for EU GDPR)
- Information security for business continuity planning and disaster recovery
- Other compliance in line with applicable legislation, privacy and protection of personally identifiable information
Performance evaluation takes place at regular intervals including reviews of policies, management reviews, audits as well as processes. An Improvement Track is used to manage instances of non-conformance and corrective actions.
Additional capability already invested in includes processes and tools for managing specific aspects of EU GDPR such as subject access requests (SAR). In addition, the organisation has invested in capability for undertaking privacy impact assessments (PIA) and working in line with both EU GDPR and ISO 27001:2013 for information security in projects.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
All service assets are recorded, tracked and updated via an inventory. Assets have a designated owner who is responsible for ensuring that assets are classified correctly, up to date and reviewed periodically, to safeguard access and accurate security classification. The asset owner is also responsible for ensuring that assets are securely returned, disposed of or de-commissioned.
Changes to any assets are recorded. A formal approval process is used for change requests (including risk assessment) and requisite testing is carried out across separate environments (Development, UAT) before release to production. A controlled process is also in place for emergency changes.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||External tools are used regularly to check for vulnerabilities across the estate; primarily Vulnerability Management scans and web application scans to verify that the application code is secure to DDS standards. Vulnerabilities are also identified and notified at a cloud and server management level (VMware, Plesk and CPanel). Patches are applied automatically to address specific vulnerabilities. It is also the responsibility of the TISO to keep up to date with the latest information regarding technical vulnerabilities.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Intrusion detection and intrusion prevention software is used to monitor network traffic to identify any potential compromise (surges in traffic from single sources, irregular traffic etc.). Potential compromises are dealt with by isolating the affected environment and inspecting logs to assess the threat. Affected stakeholders are notified, root cause analysis is carried out and a mitigation plan is developed.
Real-time monitoring takes place with immediate response for suspicious alerts. Abnormal patterns that may not trigger alerts are identified using dashboards or similar reporting tools. For common threats such as brute force attempts, automated FW reconfiguration is in place to block traffic.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Customers, staff and other stakeholders can report incidents through standard channels such as email and telephone. All incidents are recorded, assigned a priority level and tracked through to completion, with the lessons learned feeding into other processes such as problem management. A dedicated process is followed for P1 Incidents to ensure stakeholders are pro-actively notified of the event and of the root cause.
Our processes are ready for EU GDPR as well, to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses, as well as links into the broader ISMS and into the BCP.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£9600 to £730000 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||All aspects of the full service are included in a free trial.|
|Link to free trial||https://boomalert.com|