STLP CONSULTING PTY LTD

Castlepoint Manage Information Everywhere

Castlepoint reads, registers and regulates all information in a network, in any format and any system. It uses Explainable AI to automatically detect and classify high-risk and high-value information, and track what happens to it. It provides enterprise eDiscovery, privacy and security management, audit, records management, and Generative AI governance.

Features

• Discovery: Makes every asset discoverable based on content and function
• Discovery: Indexes structured or unstructured records, on-premises or cloud
• Privacy: Detects PII, PCI, and PHI, and organisation-specific data
• Privacy: Enables eHold and Data Minimization to manage data obligations
• Audit: Logs, tracks, and alerts on events on all data
• Audit: Flags data handling and policy breaches and problems
• Records Lifecycle: Manage-in-place EDRM and dynamic Information Asset Register
• Records Lifecycle: autoclassification with compliant sentencing and disposal
• GenerativeAI Governance: Quality and risk oversight of genAI, e.g. Copilot
• Visualisation, graphs, dashboards, reports for BI, audit and strategy

Benefits

• Read/register all information in a network regardless of format/system
• Apply rules from records authorities, Acts and Regulations automatically
• Use true AI and automation, avoiding complex rules engines/models
• Manage information in-place, without moving/copying to another system
• Manage cloud or on-premises systems from the web portal
• Avoid any user impact with a completely transparent compliance engine
• Reduce costs of eDiscovery searches/reporting by up to 98.5%
• Relate information together across systems through single pane of glass
• Track, alert and report on breaches (e.g. deletions/data spills)
• Manage all your systems without additional apps or connectors

£9,090.91 to £39,119.20 an instance a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rachaelg@castlepoint.systems. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

219537094089145

Contact

Rachael Greaves
44 7442 462 675
rachaelg@castlepoint.systems

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: There are no constraints to use of Castlepoint SaaS. Where customers wish to deploy Castlepoint on their own cloud environments, Linux-type servers must be used.
• System requirements: Operating System licences when running within your own environment

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 4-6 hours response within business hours M-F
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Our chat service uses the Freshdesk portal, which is fully tested against WCAG accessibility requirements.
• Onsite support: Yes, at extra cost
• Support levels: We provide two support levels: Business support for office hours, Monday to Friday, and Premium support, for on-premises assistance and after-hours support. Business support is included in the software subscription cost. Premium support is billed at our standard time and materials rates per hour. ; ; An Account Manager is assigned to each client. ; ; Our support portal provides multiple channels for support, including: ; • Dedicated support email account ; • Support Request portal ; • Business hours phone support ; ; The support portal also provides a Help Centre accessible online for your Level 1 staff. The Help Centre provides a comprehensive suite of knowledge articles for all capabilities Castlepoint provides to your organisation. The support portal is a key resource for first, second and third level support. Support is available by phone, email, and our online support portal from 9AM to 5PM Monday to Friday, excluding public/bank holidays in your region. Out of hours support can be provided by agreement. ; ; Responses are provided: a. Under 4 hours (during business hours) for High priority. b. Within 48 hours for Medium priority c. Within 5 working days for Low priority.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training and user documentation is available online to customers. Implementation of Castlepoint in our SaaS environment is performed by our resources.; ; Configuration is simple, and involves: ; • You providing Castlepoint with access to your data to commence registration and indexing ; • Us adding your records disposal schedules and other regulatory retention requirements to the system ; • Us adding your ontologies as required, to identify your high-value and/or high-risk data ; • Us setting any alerts you want to receive. ; ; Castlepoint is a turn-key system. If required, our staff are available to assist you with any of these access management steps on a time and cost basis per our rates
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users request download of their data via a service desk ticket, and it is provided via a secure download location. There are no impediments to clients extracting data from Castlepoint.
• End-of-contract process: Data can be extracted on behalf of the client at the end of the contract. ; ; The system is decommissioned 30 days after the contract ends (unless requested earlier).

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Form-factor of the mobile device changes the display and order of elements on the device
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Castlepoint includes a HTML5 web portal for all interactions with the service, including dashboards, visualisations, and (fully exportable) reports.; ; The interface includes:; • Records Management (automatic registration, classification, sentencing and disposition); • Security and Privacy Management, automatically identifying high-risk information; • Audit and monitoring with events captured on all records, by all users, and across all systems; • Alerts and Reporting when high-risk or high-value content is created, modified or moved; • eDiscovery with powerful and defensible search, ontology, and relating records across systems; • GenerativeAI governance; ; All Castlepoint user interface components and capabilities are included in the standard license.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: WCAG AA controls are part of our base test plans for the application
• API: Yes
• What users can and can't do using the API: Castlepoint provides a REST-based interface for all interactions with the system. All commands available through the user interface are available via the REST API.; ; No configuration is required to setup the API service, it is available by default.; ; The API can be used to connect Castlepoint to source systems in order to manage them in place. It can also be used to export information created by Castlepoint, such as classifications, disposal rules and regulatory requirements mapping, for consumption by other systems (such as RPA or BI tools).
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Services are automatically scaled via serverless infrastructure design. Services are automatically constrained to ensure systems aren't impacted by demand or denial of service events.

Analytics

• Service usage metrics: Yes
• Metrics types: Castlepoint logs all events, both of user accounts and of service accounts. Events report on system and service usage, which is available to Account Managers, Administrators, and via the API.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export data directly from the user interface. All Castlepoint reports are exportable into .XLSX format by normal users at any time.; ; Users can also request export of full or partial contents of the Castlepoint database at any time, and this will be downloaded to a secure location.; ; Castlepoint also supports REST-based APIs to automatically export or ingest data from the Castlepoint system into any other supported system.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The Castlepoint service is available to users 24 hours a day, 365 days a year. From time to time the availability of the service may be impacted by planned outages for support and sustainment purposes. Planned outages are not SLA impacting. Service updates, including enhancements, updates, and patches are made continually, in an evergreen model, without downtime or user impact. Availability is measured as Monthly Uptime Percentage (MUP), in which uptime is service availability, and downtime is periods where the system is not available, outside of a planned outage window. The MUP is the percentage of total minutes in the month where the system experienced unplanned downtime. The Castlepoint MUP target is 99.9%. Availability is measured monthly as a monthly uptime percentage, in which uptime is service availability and downtime is periods where the system is not available, outside a planned outage window.
• Approach to resilience: Castlepoint will use all commercially reasonable efforts to provide 99.9% availability for the Castlepoint Software. When hosting, Castlepoint uses resilient platforms such as Microsoft Azure for hosting. ; ; Castlepoint conducts routine, planned maintenance of the Castlepoint Software and other aspects of the hosting services (Hosting Maintenance) when we host the platform. Castlepoint provides release management and change control services to ensure that versions of servers, storage, operating system software and utility and application software are audited and logged, and that new releases, patch releases and other new versions are implemented as deemed necessary, following testing and validation, to maintain the Castlepoint Hosting services. ; ; When hosting, Castlepoint also develops the back-up schedule, performs scheduled back-ups, provides routine and emergency data recovery, and manages the archiving process. In the event of data loss, Castlepoint will provide recovery services to restore the most recent back-up.
• Outage reporting: Outages are reported to nominated client contacts by email or phone per our Incident Response Plan, services agreements, and SLAs. Outages can also be reported via API.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is restricted using Role Based Access Control in management and support channels. Access to services requires MFA.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: TQCS International Pty Ltd
• ISO/IEC 27001 accreditation date: 27/09/2023
• What the ISO/IEC 27001 doesn’t cover: The provision of compliance, security and discovery management software solution.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 07/04/2023
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: None
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Castlepoint complies with the ISO27001 (security management) and the Cabinet Office Security Policy Framework. Castlepoint is Cyber Essentials certified. ; ; Our team are certified in data privacy (CDPSE), information management (CIP), information systems audit (CISA), security management (CISM), and privacy management (CDPSE). We have extensive experience developing and implementing security controls at all layers, from governance to infrastructure. We are a trusted provider of security services to Federal and Central governments, and have active Secret-level (SC) security clearances. ; ; We ensure the safety and quality of our products and services by following and documenting strict quality management and information security management procedures. We formalize this governance by complying with the international standards ISO9001 (quality management) standard, in which we are certified. We also have a strong corporate responsibility culture. We maintain detailed security documentation and controls.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All solution components are individually change tracked. All changes are assessed for security impact via assessment against Statement of Applicability controls. ; ; We use our certified change managers oversee the design, transition, and operation of our projects into sustainment mode with our clients according to proven best practices. ; ; We apply a formal and repeatable methodology, and interface effectively with not only project SMEs, but with the systems owners and administrators who will have long term responsibility for the solutions that we implement.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We are enrolled in several security threat notification services, including vendor-managed and 3rd-party services. We deploy critical security patches within 48hrs of notification. Our in-house resources manage vulnerability assessment, testing and secure development. We are an Australian Government Joint Cyber Security Centre Partner.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Potential compromises are identified via our management logging system, data exception monitoring, and managed service notifications. ; ; We respond within 4-8 hours of notification. We maintain a detailed Data Breach and Incident Response Plan which is regularly updated.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We have pre-defined processes for common incidents. Users report incidents via our service desk system, email, or direct contact. Incident reports are provided using a standard template. Our Incident Response Team includes our CISO, CTO, Program Manager, Client Manager, and key resources in our IT Team. The dedicated Response Team will involve external stakeholders in the response as required.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  Castlepoint is an Ethical AI which supports government organizations to protect the rights and entitlements of stakeholders, including vulnerable members of the community, by protecting and preserving relevant sensitive and high value information. Castlepoint's Artificial Intelligence and Automated Decision Making is explainable, transparent, and contestable.

Pricing

• Price: £9,090.91 to £39,119.20 an instance a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Access to the Castlepoint online trial environment in a read-only format. Users have full browse, review and discovery access to the environment but cannot change the configuration. Configuration is read-only and can be viewed.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rachaelg@castlepoint.systems. Tell them what format you need. It will help if you say what assistive technology you use.