Continuous Transdermal Alcohol Monitoring and Tagging as a Service
The SCRAM Continuous Alcohol Monitoring® (SCRAM CAM®) device is the world’s most widely used and trusted 24/7 transdermal alcohol testing system. SCRAM CAM provides supervising authorities with a fact-based, comprehensive profile of higher-risk clients’ alcohol consumption and curfew compliance.
Features
- Automated, noninvasive monitoring
- Samples perspiration continuously, transmits every 30 minutes for alcohol content
- Industry-leading anti-tamper technology
- Data analysis of every alert
- Validated by 10+ years of independent, peer-reviewed research
- Customer care provided by 24/7 Support Centres
Benefits
- Continuous, automated testing means no drinking around test schedules
- Single-source admissibility–no back-up tests required
- Accurate results–conclusively distinguishes alcohol consumption vs. environmental alcohol
- Ankle-worn tag allows clients to maintain family and work obligations
Pricing
£3.10 to £5.50 a unit a day
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
5 6 6 9 2 0 5 1 7 3 3 1 0 8 9
Contact
    SCRAM Systems
    
    Amit Sethi
    
    
    Telephone: 0207 268 4852
    
    
    Email: rfp@scramsystems.com
    
  
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Hybrid cloud
- Service constraints
- None.
- System requirements
- 
      - Desktop with the latest Chrome, Firefox or Internet Explorer browsers
- Windows 10 desktops or later
- Requires client electronic monitoring tag (bracelet).
 
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Service levels are agreed upon during procurement process.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Web chat
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- Web chat is available through the product user interface "Live Chat" option.
- Web chat accessibility testing
- Have not tested with assistive technology users.
- Onsite support
- Yes, at extra cost
- Support levels
- Customer support is available 24/7/365 support to all customers at no extra cost. This includes phone, email, and live chat. Onsite support is available as needed. Technical account manager and cloud support engineer provided as needed. Service levels, if any will be discussed during procurement process.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- 
      Both onsite and online training are provided. All initial training is
 provided and included at no additional cost to the government agency. In addition to the initial training, all refresher training and written documentation is available online.
- Service documentation
- Yes
- Documentation formats
- 
      - HTML
- Other
 
- Other documentation formats
- Video
- End-of-contract data extraction
- 
      For customers who would like to extract their data on the conclusion of contract - that is a capability that is available to our customers. 
 End of contract process will be agreed upon during procurement process.
- End-of-contract process
- End of contract process and any associated costs will be discussed and agreed upon during the procurement process.
Using the service
- Web browser interface
- Yes
- Supported browsers
- 
      - Microsoft Edge
- Firefox
- Chrome
 
- Application to install
- Yes
- Compatible operating systems
- Windows
- Designed for use on mobile devices
- No
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
- Service management is conducted through the SCRAMnet Optix (online portal) and mobile interfaces.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- There has not been testing with users of assistive technology.
- API
- Yes
- What users can and can't do using the API
- 
      The solution has a RESTFul API set which allows them to among other things 
 1. Inquire about the Alerts
 2. Setup users / get user info / delete users / update user info
 3. Get billing information
 4. Get information on Service Providers and Agents managing users
- API documentation
- Yes
- API documentation formats
- 
      - Open API (also known as Swagger)
 
- API sandbox or test environment
- Yes
- Customisation available
- No
Scaling
- Independence of resources
- We have designed a multi-tenant application that is monitored on a continuous basis. The monitoring allows us to update and upgrade the systems without interruption. We also are using VM technology to allow for the movement of systems and needed resources to the appropriate server, application or service quickly without interruption of the user. Our application is designed to be stateless allowing for the movement to a redundant environment / server with little impact to any user of our service.
Analytics
- Service usage metrics
- Yes
- Metrics types
- 
      The number of Users , 
 The number of Clients
 The number of Releases /month
 The average response time
 The compliance rates of clients
- Reporting types
- 
      - API access
- Real-time dashboards
- Regular reports
- Reports on request
 
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- Other locations
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- 
      - Physical access control, complying with SSAE-16 / ISAE 3402
- Encryption of all physical media
 
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can export their data by using several of the reports which are available to them
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- 
      - Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
 
- Data protection within supplier network
- 
      - TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
 
Availability and resilience
- Guaranteed availability
- Our SLAs are 99.9% except for areas that we have no control over such as cellular system outages, data center disasters; however, through redundancy (we have fail over facilities) and resiliency (applications have automated recovery routines). In all cases where we have an outage we examine the ability to improve the systems with higher availability services when and where available. In the case of refunds they are proportional to the time of the out outage.
- Approach to resilience
- Resilience in the case of our systems is viewed differently from system redundancy. Redundancy would be having multiple occurrences or fail over occurrences of application servers, network connections, etc. Resilience is the architectural design of the application where the application has the ability to correct for issues or to restart when a failure occurs. Resilience is using application architecture to ensure the continued processing when the application encounters a problem. Our applications are designed with both redundancy and resiliency principles.
- Outage reporting
- Our services have multiple methods of reporting outages. There are simple issues which will be e-mailed, SMS text messages, we have instrumentation with display on critical services and we can display some information in a dashboard (not a public dashboard). And our employees are 24x7 on call and may detect an issue before or monitoring software alerts to a situation.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- 
      - Public key authentication (including by TLS client certificate)
- Username or password
 
- Access restrictions in management interfaces and support channels
- Management interfaces are controlled with both role based authentication as well as username and passwords.
- Access restriction testing frequency
- At least once a year
- Management access authentication
- 
      - Public key authentication (including by TLS client certificate)
- Username or password
 
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Perry Johnson Registrars, Inc
- ISO/IEC 27001 accreditation date
- 03/11/2017
- What the ISO/IEC 27001 doesn’t cover
- 
      Development, Support and Operation of the SaaS Platform for Alcohol Monitoring and Offender Management Services      (Statement of Applicability:  28/02/2017 Version 1.2)
 Certificate No: C2016-03050-R1
 Revision Date: November 3, 2017
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- 
      We are an ISO 27001 audited organization and complete an annual review with audit findings and continued registration as an ISO 27001 accredited organization. Additionally, we were granted our ISO 27701 certification, which is an extension of ISO 27001 that provides guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It builds upon the requirements of ISO 27001 and extends them to cover privacy management aspects. ISO 27701 aims to help organizations manage and protect personally identifiable information (PII) in accordance with applicable privacy regulations and requirements, such as the General Data Protection Regulation (GDPR). 
 Security policies are define at a corporate policy level and we use DarkTrace behavior monitoring to ensure compliance with best practices in security. There are also annual audits to ensure compliance of security polices with penetration testing, both internal and external.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- The facilities are SSAE 16 audited, security is examined and penetration audit are conducted and the application services are ISO 27001 audited for compliance to best practices. Each of the published audits by outside audit groups create management reports for improvements and verification that we are following best practice standards. System hardware is reviewed and update on a regular basis and Nessus scans are completed on the systems and applications on a quarterly basis.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- The facilities are audited each year for SSAE 16 and the systems and application is reviewed both internally and externally. We have a annual external review for attack surface with penetration testing and we internally complete Nessus scans and OWASP scans of our applications on a quarterly basis. We deploy patches quarterly to our servers and more frequently to our desktops. Our applications are maintained in an Agile environment and are updated every other week. We are warned of threats by KnowB4, Trend Micro, Sonic Wall, DarkTrace and Dell Secure Works.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- We comply with SSAE 16 for our Physical facilities and ISO 27001 for our application and computing best practices. Our systems are being scanned on a quarterly basis and we have preventative monitoring by DarkTrace with is a behavior monitoring system to identify abnormal behavior and notify the Operation team of the unusual behaviors of an individual or a device in the network. When we see a potential compromise it is classified from information to critcal. Information we inquire and ask the offender to discuss, critical we would respond immediately. We have an Incident management policy that governs our response.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- We use have SSAE 16 for physical and ISO 27001 for our applications. We have a incident response process with an OCCM (On Call Crisis Manager) which is responsible for handling both user reported incidents; as well as, system reported incidents. Our incidents are reported to management via the ISO 9001 Corrective Action Preventative Action (CAPA) process and the ISO 27001 Incident Reporting process. We also provide incident reports to our customers upon request or as agreed to in our notification requirements as defined by our services contract.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
- 
      Social Value - Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
 Fighting climate change At SCRAM Systems, we encourage employee carpooling, In addition, we have consolidated some of our shipping pick-ups/drop-offs to reduce the number of trips.
 SCRAM Systems seeks to help the fight against climate change multiple initiatives and holds certificates in the following:
 - ISO14001 (Environmental Management System)
 - Waste Electrical and Electronic Equipment (WEEE) Directive
 - ROHS - Restriction of Hazardous Substances DirectiveCovid-19 recovery To assist in Covid-19 recovery, SCRAM Systems:
 - encouraged work from home for those who were able to do so
 - did not lower salaries or have any layoffs due to COVID-19
 - followed all federal, state, tribal, and local guidelines during the
 pandemic
 We also mitigated exposures and illnesses by:
 - restricting business travel, paid for testing as needed, paid
 employees with Families First COVID Recovery Act who became ill
 or needed to isolate
 - instituting rigorous and frequent cleaning and disinfecting protocol
 within the offices
 - providing PPE for all employees that had customer-facing positions
 - providing disinfecting cleaning materials and multiple
 hand sanitizing dispensers were installed in all offices
 - checking temperatures of all visitors and employees prior to
 entering the building
 - immediately sending home symptomatic individuals or asked to stay home if they had any COVID-19 symptoms
 - upgrading ventilation system filters to the FDA recommended
 specificationsTackling economic inequality We focus on ensuring our staff have the right skills and are paid fairly for the work being completed through various processes. Our recruiting process allows us to review skills and previous experience that match the role. Prior to offering employment, we undergo a full compensation analysis for the position based on the duties the position would require. We use a compensation benchmarking system that allows us to review the market against the hiring area. After hiring, SCRAM Systems’ Human Resources Team completes at minimum an annual review of compensation through our merit review process. During this process, not only is compensation reviewed against the performance of said duties, but a market analysis is completed for each role. During this market analysis, the company determines the market compensation and will make adjustments to pay rates as necessary to continue to be an employer of choice and in line with market rates. Lastly, when posting new roles internally, pay rates are transparent for all to understand the pay range for specific roles.Equal opportunity SCRAM Systems is dedicated to the principles of equal employment opportunity in any term, condition, or privilege of employment. In addition, SCRAM Systems does not discriminate against applicants or employees on the basis of disability, race, creed, color, sex, sexual orientation, gender identity, religion, age, national origin, ancestry, military or veteran status, pregnancy, genetic profile, marital status, or any other status protected by national, state, or local law. This prohibition includes unlawful harassment based on any of these protected classes. Unlawful harassment includes verbal or physical conduct that has the purpose or effect of substantially interfering with an individual’s work performance, or creating an intimidating, hostile, or offensive work environment. This policy applies to all employees, including managers, co-workers, and non-employees such as customers, clients, vendors, consultants, etc.
 To ensure those covered under this policy have a safe and secure location to report potential findings, SCRAM Systems has provided a confidential human resources line that allows for anonymous reporting of harassment, inequality issues, retaliation/victimization, and more. SCRAM Systems prohibits retaliation/victimization against any employee for filing a complaint under this policy or for assisting in a complaint investigation.
 SCRAM Systems also strives to provide reasonable accommodation for qualified individuals with known disabilities. This policy governs all aspects of employment, including recruiting, selection, job assignment, promotions and transfers, compensation, discipline, termination, access to benefits and training, and any other term or condition of employment.Wellbeing Our Employee Assistance Program, LifeWorks is a free support resource available to all employees. LifeWorks supports a person's total wellbeing – mental, physical, financial, social – helping them be their best and most productive self. In addition, to maintain a positive social and psychological environment for employees, SCRAM Systems provides many company events that include social gatherings, sports activities, as well as yearly health screenings on-site.
Pricing
- Price
- £3.10 to £5.50 a unit a day
- Discount for educational organisations
- No
- Free trial available
- No