Core Systems

Probation Self-Service Portal – Direct2probationer

The Probation Self-Service portal, Direct2probationer, is the leading software for Community Rehabilitation Companies. It allows users on probation to access communications, information, and services. It’s the perfect tool for probationer reintegration. It can integrate with biometrics and other types of verification apps or hardware.


  • Access to communication and rehabilitation services in one place
  • Signposts information personalised to the probationer’s situation
  • Operational on kiosks, remotely on PCs and mobile devices
  • Allows officer to view who needs attention or intervention
  • Provides an interactive calendar to help probationers manage themselves
  • Allows offenders to access emergency contacts and self-help resources
  • Generates appointments and messages for compliance with licence
  • Records audit trail for reporting and intelligence
  • Optimised for low digital literacy users
  • Customisable for different probation providers


  • Supports better decision-making with all information in one place
  • Enhances relationships between officer and probationer
  • Allows officers to prioritise probationers according to intervention needed
  • Helps to keep probationers organised and prevent violations
  • Encourages offenders to be self-managed and responsible
  • Supports more effective risk management
  • Stores information protecting both parties in times of dispute
  • Future proof through allowing logging in remotely
  • Cost effective by encouraging bring your own device
  • Supports offenders through the re-entry process started in prison


£1.25 to £2.50 per person per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

998718088603311


Core Systems

Sinead Dillon

02890 722044

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
System requirements
  • Windows Server 2012 R2 Standard
  • Microsoft SQL Server 2012 R2
  • SQL Server Reporting Services
  • IIS 8
  • SMTP Server

User support

Email or online ticketing support
Yes, at extra cost
Support response times
This is scoped out on a per-job basis to meet the needs of the customer.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Core provide a technical account manager and a cloud support engineer. A typical support scenario with a customer will be as follows:

Once it has been determined that the fault is a software issue relating to Core, Core will provide first-level support. Core will provide a help desk service which will provide for the recording and escalation of issues.

Second-level support – Core will further investigate the issue following the steps outlined in the documentation. This may include resolutions or temporary workarounds for complex issues.

Third-level support – Core Systems shall provide resolutions for reported errors or issues. Core Systems shall make, and provide Customer with, revisions and enhancements to the code.

The cost of 1st, 2nd and 3rd level support is included in the SaaS pricing document. This is based on remote software support, 9 am – 5 pm, Monday – Friday, excluding bank holidays. Any additional support required for customers' specific SLAs will be negotiated and costed separately.
Support available to third parties

Onboarding and offboarding

Getting started
To help users get started using software solutions, Core Systems provide training and assistance with go-live on site. We also provide training videos and manuals to support training sessions.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
All data will be managed to ensure availability at contract end. At end of contract we will make consumers' archived data available. The consumer will provide instructions on where the data is to be transferred. Core confirm that we will purge and destroy consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer).
End-of-contract process
All data is stored within a SQL database. Data may be archived off the database onto another storage device or exported from the database using a .csv file. In the same way, data can be imported using a .csv file. Note that the import / export of data can be automated as a scheduled task. Core will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Core commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Data that will not be available for later extraction will also be published.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Opera
Application to install
Compatible operating systems
  • Android
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
All websites are designed for mobile, tablet and desktop.
Service interface
Description of service interface
We use our own platform to manage end users’ needs. We also offer a ticketing system so that any issues can be resolved and recorded.
Accessibility standards
None or don’t know
Description of accessibility
The solution has not been tested to meet these requirements. Core Systems will work with the customer to satisfy all accessibility needs required.
Accessibility testing
What users can and can't do using the API
There is an API for importing and updating end users into the system and setting up locations. Limitations based on validation of business rules are set up to protect the integrity of the data. Other functionality that is required to be exposed through an API can be created as a bespoke piece of work for a customer to meet their needs at an additional cost.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Branding on the officer and probationer login page can be customised to be the customer’s logo and product name – carried out by Core Systems.

Customisable permissions on the officer website so that functionality can be separated to authorised user groups – configurable on the officer website.

Access to permissions on the probationer website can be switched on/off for different user groups – configurable on the officer website.

Content can be added and updated easily e.g. FAQs, PDFs uploaded, media uploaded. – configurable on the officer website.

Settings are available to turn pieces of functionality on/off e.g. Probationer receives SMS when an appointment is missed, Generate e-mail to officer for new messages

Settings to set values for particular areas e.g. Number of failed login attempts allowed, Account lockout duration (minutes)


Independence of resources
Web-hosted solution on IIS, so it can have unlimited concurrent users; the only limiting factor is the amount of available resources on the machine. The software is hosted in a cloud-based environment, so resources can be scaled up as required. The hosting environment provides a dedicated resource that is not shared with other customers. The software has been hosted in a single datacentre before and has scaled up to handle a total of 166,000 users and counting.


Service usage metrics
Metrics types
Officer dashboard displaying numeric information on the tasks to be carried out, with links to the appropriate page in order to take these actions, e.g. new messages received. The dashboard also shows graphs, e.g. a missed appointments graph. Reports displaying usage metrics are available through the officer interface, e.g. number of logins in a time period, number of missed appointments, changes in risk score. Access to these reports is configured through permissions in the officer website.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Standard reports which can be saved in multiple formats including Excel spreadsheet, Word document, XML file, PDF file, CSV file. These reports can also be set up to be scheduled and emailed to authorised users if required.
CSV files of the data from the database can be produced on request by Core Systems if required.
Core Systems could potentially create a bespoke API for required data if required at an additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel spreadsheet
  • Word document
  • XML
  • PDF
  • JSON from API
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
An IP whitelist can be implemented on the TLS solution so that a VPN does not need to be set up, while still restricting access to the URLs so that only users from authorised networks can access the service. The service can also work with a full VPN solution if required.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Hosting environment 99.99% availability
Approach to resilience
Available on request
Outage reporting
Dashboard to monitor if all kiosks are up and running.
Email alerts if any of the websites are not accessible.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
IP whitelisting for the officer website, along with permission groups, limits access to only authorised users. The support website requires a username and password to be set up in order to manage support issues. Only authorised users have access to the cloud environment and each user has their own account. Login access to the database is restricted to only authorised support users.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Certification covers all business functions within the company
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a well-established security information management system and related policies in place which adhere to ISO 27001 international standards. We have held ISO 27001 certification, which is UKAS accredited, since 2014. We have regular internal audits and review meetings to ensure that our processes and practices adhere to our information management policies and that these are in line with the ISO 27001 standard.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Core Systems have a dedicated change manager who will manage the paperwork and approvals. Changes required can be discussed and scoped out with the business team and they will be passed on to the change manager.
Change Process:
• Changes agreed with business
• Change request completed
• Customer approvers review and approve the change
• Core implement the change in development & QA environments and test thoroughly
• Core implement the change in production and test thoroughly. Changes can be rolled back if necessary
• Core notify customer of change completion
• Close the change – Post implementation report
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Monthly patches are carried out on the OS and other 3rd party software installed.
Current and newly emerging vulnerabilities are monitored through subscriptions to email distribution groups, and publications and relevant websites are reviewed regularly.
A list of 3rd party libraries used to build the software is maintained along with the current version number used. This list is periodically reviewed to identify whether there are any security vulnerabilities and whether a newer version is available. If an action is deemed pertinent and prudent then it will be handled through the Change Management Process.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Antivirus, Malware, Intrusion Detection & Protection, threat detection, correlation analysis, stateful firewall, execution environment checks are all provided by a cloud based Protective Monitoring service. This provides real-time, contextual and predictive threat intelligence. This will identify potential software compromises.

The response process when we find a potential compromise is as follows:
• Ascertain the issue and impact
• Contingency plans put in place around potential risks e.g. snapshots and backups
• Resolution agreed with customer and implemented

A number of risk scenarios are automated and responded to immediately.
High impact incidents are escalated to high priority.
Incident management type
Supplier-defined controls
Incident management approach
When a support issue is received by Core Systems, a ticketing system will operate. Once an issue has been logged, a unique support reference number will be assigned to it and should be quoted in all future communications relating to the issue. Users must report as much information as possible to ensure faster diagnosis of the issue; examples of the information required will be provided. A common issue responsibility matrix will be provided along with the corresponding SLA level.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£1.25 to £2.50 per person per month
Discount for educational organisations
Free trial available
Description of free trial
What’s included: We offer a trial version of software license.
What isn’t included: hosting costs from 3rd party, support and installation.
Limited time period: 2 months.
