EXTRAC AI LIMITED

ExTrac

ExTrac is an open-source intelligence platform. It ingests the highest-relevance, expert-curated data streams, and uses AI to make sense of these at scale. ExTrac detects and maps risks in the physical world, online, and where the two intersect, alerting you so that you can get ahead of the threat.

Features

• Automated threat and risk event detection
• Customisable threat and risk alerts
• Threat and risk level forecasting
• Narrative, topic, and theme detection and modelling
• AI analyst co-pilot (co-analyst)
• Advanced data analytics capabilities
• Automated data visualisation tools
• Available via a secure web portal or API
• Bespoke threat and risk intelligence reporting
• Secure and compliant by design

Benefits

• Access high-relevance threat data, curated by human domain experts
• Receive live threat alerts about risks that your organisation faces
• Detect and track emerging risks via a real-time threat map
• Forecast future threat and risk levels
• Detect and model hostile strategic communications campaigns and narratives
• Leverage ExTrac's AI-powered intelligence ‘co-analyst’ to save time and resources
• Build custom threat intelligence dashboards to reflect unique risk profiles
• Expand data coverage based on your evolving requirements

£36,000.00 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bertie@extrac.ai. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

444111588758511

Contact

Robert Basset
07771550277
bertie@extrac.ai

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements: Nil

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 4 hours, often quicker
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We have a dedicated customer success team that provides email, telephone and onsite support to our customers. The majority of training and ongoing support is done virtually as the platform is very intuitive to use, but onsite support is also provided as required at no cost if the location is within the UK and the requirement is reasonable.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: All ExTrac uses are provided with initial training and unlimited ongoing support from a named customer success representative. Training is provided virtually as standard, though can be conducted onsite if required.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The platform does not use or store any user data
• End-of-contract process: At the end of the contract, if access is no longer required by the user, their access permissions are removed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Besides offering a web application with a login page through a browser, users can interact with our service programmatically via an API. This involves making GET requests to the API endpoint using any programming language or through our provided web user interface.
• Accessibility standards: None or don’t know
• Description of accessibility: Users can create dashboards to view and download our data, including text, images, and videos. Additionally, a read-only API allows data retrieval by providing input parameters (filters) and specifying desired output content. Note that users cannot modify the data, ensuring the integrity of the original information.
• Accessibility testing: Testing is not conducted at this stage.
• API: Yes
• What users can and can't do using the API: Users can obtain an API key by contacting info@extrac.ai. The API operates as a read-only service, meaning users cannot make changes to the data. Users can request data from the service by providing input parameters and specifying desired output content.; There are limitations to what users can do through the API, which are determined based on the account's specifications at the time of key request. These limitations may include monthly quotas for data retrieval from specific endpoints, restrictions on accessed data types, and limits on the volume of data fetched per request. If users need to adjust these limits, they may contact us directly.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: ExTrac offers customizable contracts that allow clients to request tailored threat and risk coverage. They can access specific system components, obtain particular data coverage or types, or receive our service through a single method—whether via an API, web application, or reports delivered by email or other tools.

Scaling

• Independence of resources: ExTrac's data hosting and compute infrastructures has been designed with scalability in mind and can be dynamically adjusted based on levels of platform usage.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: No user data is held in the platform.
• Data export formats: Other
• Other data export formats: Users do not export data
• Data import formats: Other
• Other data import formats: Users do not import any data

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The standard ExTrac Service Level Agreement commits that ExTrac will use all reasonable endeavours to ensure that the uptime of cloud services is at least 99% during each calendar month. ExTrac commtis to clients that, for any working day where services are unavailable for 25% of the workday or more, one full day will be credited to the Contract term. A working day is defined as 0900-1700 based on the time zone of the jurisdiction where the Contract is held. An outage is defined as one or more core platform capabilities being unavailable.
• Approach to resilience: ExTrac leverages an ephemeral, auto-healing infrastructure with a strong focus on resilience. We utilize Terraform to manage our infrastructure as version-controlled code, enabling us to recreate the entire environment within hours if necessary. For backend and API services, we rely on Kubernetes, which ensures high uptime, automated scaling, and self-healing capabilities. This combination of tools allows us to maintain a robust, fault-tolerant service that swiftly adapts to challenges and minimizes downtime.
• Outage reporting: ExTrac utilizes Incident.io to maintain a status page that provides real-time system updates internally and can be shared with customers. Additionally, ExTrac offers an email alerting system to keep active users informed about outages and their resolutions, ensuring that they receive timely updates and maintain visibility into the service's operational status.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: User Management in the SaaS product is restricted to the ExTrac Organisation, wherein only select users are granted Administrator Access.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: ExTrac holds Cyber Essentials Plus certification.
• Information security policies and processes: ExTrac operates according to a documented cyber, data, and information security policy that is reviewed every six months or on an ad hoc basis following changes to system architecture or regulations in any of the jurisdictions where ExTrac operates. All ExTrac team members receive training on this policy as part of onboarding, including training on the identification of the full range of cyber and information threats, and are required to complete refresher training on an annual basis. The policy covers information classification and handling, password management procedures, management and security of individual IT devices, regulation of the use of removable media, regulation of the use of authorised software and applications, erasure of systems and safe disposal of IT assets, information security incident response procedures, acceptable use of social media, and identification of insider threats. Adherence to ExTrac policies is monitored by individual line managers with the oversight of the IT department and the executive team.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Any changes to services, features or infrastructure relating to the production release of the SaaS platform are put through the following processes:; ; 1. Change request raised via our internal task management system.; 2. Request moved to triage and discussed with internal stakeholders.; 3. If approved, engineering tasks are created, approved and scheduled.; 4. A detailed record of changes made are tracked via tasking software and their related code Pull Requests.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Assessment: (a) Vulnerability assessments are conducted on all software products and systems; (b) these assessments include automated scanning tools, internal manual testing, and external audits; (c) The assessments are performed by certified personnel or third-party experts. Information: Threat data is drawn from up to date vulnerability testing software, leveraging systems such as VulnHub & OWASP. Patching: (a) critical patches are prioritised for immediate deployment and applied within 48 hours; (b) non-critical patches and updates are applied within 14 days.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: ExTrac implements a range of proactive security measures to ensure the security and integrity of our systems, including AWS Web Application Firewall. ExTrac also leverages monitoring and observability toolings to proactively monitor our API and AWS Cloud Front service logs for potential compromises.; ; The ExTrac incident response policy requires that all critical security-related incidents receive an immediate response, and are prioritised over all other activities. Non-critical incidents are dynamically prioritised, with the majority of incidents receiving a response within two business days.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: ExTrac operates a documented Incident Response Protocol which details processes for declaring, classifying, escalating, communicating, and learning from security and engineering incidents. This is managed via the incident.io platform. Incidents can be declared by either internal stakeholders or users (via email or phone with the ExTrac Customer Success team). Following declaration of an incident, a response team is immediately identified, the impact evaluated, and a plan put in place for communicating updates to the user base. Regular updates are provided to users until the incident is resolved. After-action reports are produced for every incident and lessons learned are shared internally.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  ExTrac is committed to promoting economic equality. Central to our approach is the use of flexible working policies to promote geographically diverse employment opportunities in the artificial intelligence and research sectors. In this way, we have created new and high-paying positions for individuals residing outside of London, supporting economic growth in regions with fewer economic opportunities, and contributing to more demographically balanced development. Additionally, ExTrac has taken a proactive stance to supporting development of high-value skills such as coding and data science, particularly amongst underrepresented groups including veterans. At the time of writing over 10% of ExTrac employees were veterans. Through our learning and development and mentoring programmes we aim to support individual career prospects and contribute to efforts to narrow the skills gap in the UK's workforce, further promoting economic equality and inclusivity.

Pricing

• Price: £36,000.00 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: It is possible to conduct an 2 month unpaid trial of the ExTrac SaaS solution for 1 - 5 licences by agreement

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bertie@extrac.ai. Tell them what format you need. It will help if you say what assistive technology you use.