GDPR Information Asset Register & ROPA
GetSwarms provides an Information Asset Register (IAR) and Record of Processing Activity (RoPA), empowering organizations to identify personal data flows and maintain accurate records of processing activities to meet UK GDPR requirements. It automatically updates with Data Protection Impact Assessment (DPIA) findings and aligns with ICO templates and best practices.
Features
- Efficiently meet UK GDPR requirements for processing activity records.
- Automate data discovery and RoPA creation for GDPR compliance.
- Utilize built-in business intelligence for automated compliance reporting.
- Empower business users with self-service RoPA management tools.
- Seamlessly connect and discover data using flexible intake methods.
- Identify personal data in various systems and highlight risks.
- Integrate data mapping into operations to simplify RoPA adherence.
- Maintain an evergreen data map for managing data flows.
- Centrally track, monitor, and update processing records.
- Accurately classify personal data for swift incident response.
Benefits
- Accelerate RoPA completion through collaboration and productivity tool integrations.
- Easily track progress with automated compliance reporting.
- Cut down on time spent searching for information assets.
- Accurately assess data protection risks and privacy program maturity.
- Translate intricate compliance requirements into actionable tasks.
- Access real-time insights and analytics for compliance demonstration.
- Optimize data protection compliance management processes.
- Eliminate manual data discovery, reducing costs and enhancing productivity.
- Prevent reliance on outdated or erroneous data for crucial decisions.
- Boost efficiency with automated workflows, templates, and integrations.
Pricing
£5 a licence a month
- Education pricing available
- Free trial available
Framework
G-Cloud 14
Service ID
628175274972317
Contact
GET SWARMS LIMITED
Amit Jain
Telephone: 07545641528
Email: Amit.Jain@getSwarms.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
  - Public cloud
  - Private cloud
  - Community cloud
  - Hybrid cloud
- Service constraints
- N/A
- System requirements
  - A secure high-speed internet connection
  - Modern web browser such as Safari, Chrome, Firefox, Edge etc.
User support
- Email or online ticketing support
- Yes, at extra cost
- Support response times
- We provide 24x7 prioritised service for the customer technical support staff. Our response times are as follows:
  - P1: CRITICAL - 15 mins
  - P2: URGENT - 1 Hour
  - P3: IMPORTANT - 3 Hrs
  - P4: COSMETIC/MINOR - 1 Day
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
- Accessibility Testing, Functional Testing, UAT Testing
- Onsite support
- Yes, at extra cost
- Support levels
- We provide a dedicated Technical Account Manager for the duration of contract who serves as an escalation point for any service-related issues. Additionally, we can offer Level 1, 2 and 3 support depending on the needs of our clients. Cost will vary depending upon the required service levels.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Online how-to videos, extensive help guides, documentation, community forums, comments and a support desk are available for users. The GUI itself is quite intuitive. We can provide onsite training at an extra cost.
- Service documentation
- Yes
- Documentation formats
  - HTML
  - ODF
  - Other
- Other documentation formats
  - Videos
  - Troubleshooting Guides
- End-of-contract data extraction
- All the data of a user or organisation in any service resides in their own namespace. The service was deliberately designed this way from the ground up to maximise user control over their information. Users can download all the information pertaining to them. They can also raise SAR requests as per GDPR if required. At the end of the contract, data is provided to the user/organisation as per data retention policies, legal frameworks and their requirements.
- End-of-contract process
- Buyer may terminate the relationship with Supplier for any reason by (i) providing Supplier with notice and (ii) closing Buyer's account for all services for which Supplier provides an account closing mechanism. Buyers pay for the services they use to the point of account termination. Supplier customers retain control and ownership of their data. Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.
Using the service
- Web browser interface
- Yes
- Supported browsers
  - Internet Explorer 11
  - Microsoft Edge
  - Firefox
  - Chrome
  - Safari
  - Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None - the service is fully responsive and offers all the features on mobile.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AAA
- Description of service interface
- There are various levels of admin, editor and role-based GUI. This can also be accomplished via the API. Security is enforced down to the DB level, so only the information a user is supposed to know is returned to them.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- Accessibility testing, Google lighthouse, Auditing, Screen reader testing etc.
- API
- Yes
- What users can and can't do using the API
- No limitations - the API is fully secure and users can authenticate using various mechanisms. Users can use API keys or their login info to authenticate. The API offers full CRUD operations. There is a Swagger UI available to help users understand the API better.
- API documentation
- Yes
- API documentation formats
  - Open API (also known as Swagger)
  - HTML
  - ODF
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- We are the world's first fully extensible, customizable service built on Particles technology that we have developed in-house. You can customize not just the look and feel but also the data attributes: capture additional info in new attributes, change existing attributes, add new entities, add data or whatever else is required, all with almost zero coding. It's all configurable from the Web GUI itself. Users can customize it themselves; it is very user friendly. There is also lots of documentation and how-to videos available for each service we offer on ParticlesCloud.com.
Scaling
- Independence of resources
- The app is built on auto-scalable infrastructure and will automatically expand to use more instances/storage/memory when it experiences additional load
Analytics
- Service usage metrics
- Yes
- Metrics types
- The app has data analytics available via GUI and API. This measures various aspects of usage of service from page views, number of active users, login history, account audits, audit trail for changes and so on
- Reporting types
  - API access
  - Real-time dashboards
  - Regular reports
  - Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
  - United Kingdom
  - European Economic Area (EEA)
  - Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
  - Physical access control, complying with CSA CCM v3.0
  - Physical access control, complying with SSAE-16 / ISAE 3402
  - Physical access control, complying with another standard
  - Encryption of all physical media
  - Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
  - Explicit overwriting of storage before reallocation
  - Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can get a database dump in CSV or Excel format, or they can download it from the GUI.
- Data export formats
  - CSV
  - ODF
  - Other
- Other data export formats
  - JSON
  - Text Files
  - XML
  - YAML
- Data import formats
  - CSV
  - ODF
  - Other
- Other data import formats
  - JSON
  - XML
  - Delimited Text
Data-in-transit protection
- Data protection between buyer and supplier networks
  - Private network or public sector network
  - TLS (version 1.2 or above)
  - IPsec or TLS VPN gateway
  - Bonded fibre optic connections
  - Legacy SSL and TLS (under version 1.2)
- Data protection within supplier network
  - TLS (version 1.2 or above)
  - IPsec or TLS VPN gateway
  - Legacy SSL and TLS (under version 1.2)
Availability and resilience
- Guaranteed availability
- We provide a 99.99% SLA for availability of our services. We are available on multi-cloud, so please also check the SLAs below pertaining to your chosen cloud. The AWS SLAs are provided here; for Azure/GCP, check their SLAs.
  AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, SLAs are best reviewed directly on our website via the links below:
  - Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
  - Amazon S3 SLA: http://aws.amazon.com/s3-sla
  - Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/
  - Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/
  - Amazon RDS SLA: http://aws.amazon.com/rds-sla/
  - AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/
  Well-architected solutions on AWS that leverage AWS Service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
- Approach to resilience
- This information is available on request. For quick reference, we use auto-scaling with multi-AZ, multi-region deployments. We are using AWS cloud. Also see the AWS services resilience approach below:
  The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions. AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS.
- Outage reporting
- Publicly available dashboard; personalised dashboard with API and events; configurable alerting (email / SMS / messaging)
Identity and authentication
- User authentication needed
- Yes
- User authentication
  - 2-factor authentication
  - Public key authentication (including by TLS client certificate)
  - Identity federation with existing provider (for example Google Apps)
  - Limited access network (for example PSN)
  - Dedicated link (for example VPN)
  - Username or password
- Access restrictions in management interfaces and support channels
- The Identity and Access Management (IAM) module ensures controlled user access to our services, APIs, and resources. It incorporates various parameters like time, IP address, SSL usage, and multi-factor authentication (MFA) for authorized users. Customers sign API calls with their Secret Access Key, which could be either the root Account’s or a user's created through IAM. Without access to this key, customers' API calls cannot be executed. API calls are further secured via TLS/SSL encryption, ensuring confidentiality. Additionally, customers have the option to utilize TLS/SSL-protected API endpoints for enhanced security measures.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
  - 2-factor authentication
  - Public key authentication (including by TLS client certificate)
  - Identity federation with existing provider (for example Google Apps)
  - Limited access network (for example PSN)
  - Dedicated link (for example VPN)
  - Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- IAF
- ISO/IEC 27001 accreditation date
- 20/09/2023
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
  - CSA CCM version 3.0
  - ISO/IEC 27001
- Information security policies and processes
- We follow ISO27001 recommendations. Apart from our services, our base cloud provider, AWS, implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment. Employees maintain policies in a centralised and accessible location. AWS Security Assurance is responsible for familiarizing employees with the AWS security policies. AWS has established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives. The output of AWS Leadership reviews includes any decisions or actions related to:
  - Improvement of the effectiveness of the ISMS.
  - Update of the risk assessment and treatment plan.
  - Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
  - Resource needs.
  - Improvement in how the effectiveness of controls is measured.
  Policies are approved by AWS leadership at least annually or following a significant change to the AWS environment.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Changes to our services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation. Teams set bespoke change management standards per service, underpinned by standard guidelines. All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party. Emergency changes follow incident response procedures.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Our security team performs vulnerability scans on the host operating system, web applications, and databases in the AWS environment. Approved third-party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known and newly identified vulnerabilities. The security team of our underlying cloud (for example, AWS Security) monitors newsfeeds and vendor sites for patches and receives customer intelligence via http://aws.amazon.com/security/vulnerability-reporting/. We are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for our Amazon EC2 and Amazon ECS instances, applications and other services.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- We deploy (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:
  - Port scanning attacks
  - Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
  - Application metrics
  - Unauthorized connection attempts
  Near real-time alerts flag incidents, based on thresholds set by the AWS Service/Security Team. Requests to AWS KMS are logged and visible via the account’s AWS CloudTrail Amazon S3 bucket. Logs provide request information, including the CMK under which each request was made, and identify the AWS resource protected through use of the CMK.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- We adopt a three-phased approach to manage incidents:
  1. Activation and Notification Phase
  2. Recovery Phase
  3. Reconstitution Phase
  To ensure the effectiveness of the Incident Management plan, incident response testing is conducted, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact. The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination, and varying reporting/detection avenues.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
  - Fighting climate change
  - Covid-19 recovery
  - Tackling economic inequality
  - Equal opportunity
  - Wellbeing

 Fighting climate change
 We help implement effective stewardship of the environment by supporting the following activities:
 • Deliver additional environmental benefits in the performance of the contract including working towards net zero greenhouse gas emissions.
 • Influence staff, suppliers, customers and communities through the delivery of the contract to support environmental protection and improvement.
 • We adapt to our clients’ priorities and change our working approach to our client’s needs, such as working on-site, working remotely, or at an offsite short-term rental office if needed. We don't have plans to invest in long-term office premises that could potentially be underutilised. This gives us the flexibility to rent office space close to our clients.

 Covid-19 recovery
 We support the following activities to help local communities recover from the impact of Covid-19:
 • We have paid particular attention to the mental well-being of our remote teams and made changes as needed to ensure everyone has the best working pattern and environment to continue to be part of the team, feel productive and deliver successfully.
 • Create employment, re-training, and other return to work opportunities for those left unemployed by COVID-19, particularly new opportunities in high growth sectors.
 • Support people and communities to manage and recover from the impacts of COVID-19, including those worst affected or who are shielding.
 • Support organisations and businesses to manage and recover from the impacts of COVID-19, including where new ways of working are needed to deliver services.
 • Support the physical and mental health of people affected by COVID-19, including reducing the demand on health and care services.
 • Improve workplace conditions that support the COVID-19 recovery effort including effective social distancing, remote working, and sustainable travel solutions.

 Tackling economic inequality
 We support the following activities:
 • Create opportunities for entrepreneurship and help new, small organisations to grow, supporting economic growth and business creation.
 • Create employment opportunities particularly for those who face barriers to employment and/or who are located in deprived areas.
 • Create employment and training opportunities, particularly for people in industries with known skills shortages or in high growth sectors.
 • Support educational attainment relevant to the contract, including training schemes that address skills gaps and result in recognised qualifications.
 • Influence staff, suppliers, customers and communities through the delivery of the contract to support employment and skills opportunities in high growth sectors.
 • Create a diverse supply chain to deliver the contract including new businesses and entrepreneurs, start-ups, SMEs, VCSEs and mutuals.
 • Support innovation and disruptive technologies throughout the supply chain to deliver lower cost and/or higher quality goods and services.
 • Support the development of scalable and future-proofed new methods to modernise delivery and increase productivity.
 • Provide collaboration throughout the supply chain, and a fair and responsible approach to working with supply chain partners in delivery of the contract.
 • Identify and manage cyber security risks in the delivery of the contract including in the supply chain.
 • Influence staff, suppliers, customers and communities through the delivery of the contract to support resilience and capacity in the supply chain.

 Equal opportunity
 As a diverse group of people, we value cultural differences and approaches in the workplace and recruit people into our network in an inclusive way. We actively promote inclusion in our resources including the following considerations:
 • Women in IT
 • Minority representation
 • Disadvantaged backgrounds
 • Returning to work
 • Local economy
 We help tackle workplace inequality by supporting the following activities:
 • Identify and tackle inequality in employment, skills and pay in the contract workforce.
 • Support in-work progression to help people, including those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract.
 • Identify and manage the risks of modern slavery in the delivery of the contract, including in the supply chain.

 Wellbeing
 We work with our clients and consultants to encourage a flexible working environment which allows everyone to attain a good work-life balance. We’ve paid particular attention to the mental well-being of our remote teams and made changes as needed to ensure each individual has the best working pattern and environment to continue to be part of the team, feel productive and deliver successfully.
 We always work with individuals to understand and appreciate any personal challenges they may have, both hidden and visible, and agree how we can cater for specific needs, without prejudice or detriment to any individual or to the work we deliver.
 We ensure we share and agree best practices and we encourage debate, intellectual curiosity and building of trust both with internal and external team members. Online collaboration, blog articles and community wiki pages are key to the well-being of our staff members.
Pricing
- Price
- £5 a licence a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- Particles Cloud pricing is usage based with a free tier