Aetopia Digital Asset Management (DAM)

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud

Private cloud

Community cloud

Hybrid cloud
Service constraints: Private cloud deployments may be subject to specific hardware and software pre-requisites.
System requirements: Supported browser (Chrome, Firefox, Safari, Edge)

Private Cloud : Linux virtual machines

User support

Email or online ticketing support: Email or online ticketing
Support response times: Response during UK business hours is within one hour. Weekend support times may be longer.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: We provide technical support for all aspects of our DAM solution. This is normally 3rd line support - we expect customers to nominate support representatives and provide a 1st line service (e.g. ICT helpdesk) to their internal users. Triage training to ICT helpdesk operatives will be provided. All of our pricing includes telephone and email support during UK business hours. Extended support (7.00am to 8.30am and 5.30pm to 10pm) and 24x7 support can be provided for an extra cost. All customers have access to cloud support engineers via the Aetopia helpdesk. Larger customers will be allocated a dedicated technical account manager.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Aetopia's on-boarding service includes professional services for configuration, consultancy, data migration and knowledge transfer.

Onsite training packages using a professional trainer are tailored to the needs of the customer and are subject to an additional one-off cost.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Aetopia will assist customers to extract their data in the safest and easiest possible manner for them. The exact method used will depend on the total size and complexity of the data held. Possible options are: 1) Customer self-downloads their data using the DAM application. Suitable for smaller systems. 2) Aetopia copies customer data to a cloud storage bucket and provides customer with security key. Customer can then sync their data to the location of their choice. 3) Aetopia support performs bulk download of media files and metadata to secure and encrypted hard drive(s) which is/are then couriered to the customer. Metadata will be exported in spreadsheet format (XLSX or CSV). Regardless of the exact method used, Aetopia will assist at every step of the way, and after validation that the data has been successfully returned to the customer, we will destroy all of our copies of the data held.
End-of-contract process: Advice and assistance of up to 16 hours are provided as part of the end-of-contract process.

Additional assistance may be chargeable at our daily rate. Most cloud hosting providers impose data transfer charges and these may be passed onto the customer.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None - the desktop service uses a responsive design application that resizes intelligently for mobile device screens. Some administration functions may work better on a desktop browser or tablet due to the amount of information that is displayed on screen.
Service interface: No
User support accessibility: WCAG 2.1 AA or EN 301 549
API: Yes
What users can and can't do using the API: All major system user functions such as add asset and metadata, search, edit, download, resize etc. are also available via our REST / JSON API.

Some administrator functions may not be yet available through the API.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Admin users can customise many aspects of the application configuration dynamically, including metadata fields, groups and pages; data validation formats; user digital workflows; image thumbnail resolutions; allow and deny lists for uploads; application security rules and many other aspects of the application. Standard users can tailor application layouts; themes and colours, search and sorting defaults.

Scaling

Independence of resources: Aetopia uses a pro-active automated monitoring approach to continually ensure that service levels are being met. Our services are massively scalable and additional cloud resources will be added to match changes in demand.

Analytics

Service usage metrics: Yes
Metrics types: A reporting dashboard which shows various metrics including user logins, dormant users, asset downloads, search terms with results, search terms without results, top asset downloads, used storage space, total asset uploaded. Many of the metrics can also be downloaded in spreadsheet format.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: 1) Using the provided functions in the user application, i.e. download media files and export data into a spreadsheet format. Data is downloaded directly to the user's browser.

2) Using the provided function to request media files which are then made available via a download link.

3) Using the application API to export media and/or metadata in JSON or CSV format.

4) Via a request to Aetopia's support helpdesk, who can export data in bulk using cloud and database utilities.
Data export formats: CSV

ODF

Other
Other data export formats: Excel

PDF
Data import formats: CSV

Other
Other data import formats: PDF

Any digital file format, e.g. Image, Video, Audio, Document

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Aetopia can commit to 99.9% availability. Users may be compensated via a reduced subscription fee should this level not be met.
Approach to resilience: Through the use of multiple and resilient layers, e.g. highly-durable file and object storage; compute clusters running across separate availability zones; the use of microservices and serverless computing resources for intensive workloads; and digital checksums to verify the handoff of assets between storage locations. Full details are available on request.
Outage reporting: Email alerts using the built-in notification service.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: Aetopia manages its cloud servers with the following tools:

Secure Shell (SSH) - all console access to servers is over encrypted SSH channels. SSH key-based access means that our staff are issued with encrypted keys rather than username and passwords for the servers. A user’s key must already exist on the server before they can access it. These keys are issued on a needs-only and time-limited basis.

Application administrative tasks are carried out using the administration screens provided in the software - as per all web application access, these screens are encrypted using a TLS certificate configured with strong ciphers.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Dedicated link (for example VPN)

Username or password

Other
Description of management access authentication: Authentication for management access is only possible with a client X.509 digital certificate.

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: UKAS via Exova BM TRADA
ISO/IEC 27001 accreditation date: 1 May 2018
What the ISO/IEC 27001 doesn’t cover: The scope of the certificate is "Information security for the design, development, deployment, support and hosting of digital asset management and digital evidence management software applications for sectors including law enforcement agencies,
scientific and public archives, healthcare/NHS, museums and heritage, marketing and distribution, digital publishing, media/broadcast providers and education in accordance with the Statement of Applicability V1.7."
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Our approach to information security is governed by our ISO27001:2013 Information Security Management System (ISMS). This takes a goal-based and risk-centric approach to information security, where all identified risks are subject to evaluation and appropriate controls are applied to them.

To ensure compliance with ISMS policies, staff awareness is key, and we hold regular training and discussion sessions. Both internal and independent compliance auditing is built into the process and provides assurance that policies are being followed. The ISMS policy owner is the Aetopia Commercial Director.

Aetopia is also a Cyber Essentials certified company.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Aetopia's approach is governed by our ISO27001:2013 ISMS Change Management policy - brief summary:

Changes will be reviewed and approval given based upon the potential risks, benefits, effort required and urgency of the change.
The change will be scheduled, and if necessary communicated to anyone who may be affected.
Once the change is carried out, appropriate testing will be conducted (and documented) to ensure stability has not been impacted.
For urgent or critical changes, (for example, a security breach) the changes can be applied first and subsequently documented.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Aetopia's ISMS puts great emphasis on staff training and awareness, and especially the adoption of secure coding practices using resources from InfoSec special interest groups such as OWASP, Krebs on Security, the Internet Storm Centre and the National Cyber Security Centre (NCSC). Bulletins and advisories from these sources are frequently distributed to all staff, who are encouraged to discuss and learn from them.

External security testing, such as vulnerability scans and penetration testing is part of our regular testing framework. Security patches are given top priority and are often deployed with 24 hours of a vulnerability being identified.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Our ISO27001:2013 ISMS includes an audited monitoring process whereby server and application log files are regularly scanned to identify evidence of unauthorised access.

Any potential compromise or incident is subject to our ISMS Incident Management process which is given maximum priority in the company. Response to incidents tends to be immediate.
Incident management type: Supplier-defined controls
Incident management approach: Aetopia manages information security incidents as per its ISMS Incident Management Policy - where an Information Security Incident has occurred (or is suspected) the following process MUST be followed.

Incidents are reported to a member of the Management Team as quickly as possible, and should provide as much information as possible. Customer-reported incidents can be reported using the support helpdesk.

Once investigations have been concluded, a customer report should be prepared detailing everything that happened, steps that were taken to mitigate the Incident at the time, and record any possible corrective actions which may be recommended to prevent a recurrence.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Tackling economic inequality
Wellbeing

Fighting climate change

The effective use of DAMS software provides a number of important benefits in fighting climate change: 1) A reduction in the number of car journeys used to collect digital media from businesses and members of the public due to the on-line public upload facility. Eliminating these journeys reduces fuel use and traffic congestion, adding to the quality of life for local citizens. 2) A similar reduction in car journeys (due to the DAM on-line sharing features) that would otherwise be required to share digital evidence with authorised third parties. 3) Reduction in the use of consumables such as DVD-ROMs and USB drives. This reduces resource requirements and cuts down on e-waste that needs to be handled.

Tackling economic inequality

Aetopia Ltd is entirely based in the UK, meaning that all revenue, salaries, tax and profit from our activities stays in the UK. This indirectly benefits economic inequality by keeping more UK taxpayers’ money inside the country.

Wellbeing

Aetopia Ltd can actively demonstrate support of contract staff via health and wellbeing initiatives. Each employee avails of health and wellbeing support both internally and externally via a number of different support metrics inclusive of healthcare provider, dental care provider and mental health and wellbeing support under the companies private healthcare scheme .

Pricing

Price: £5 to £50 a unit a month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Aetopia will be happy to negotiate a free trial on a case-by-case basis.

Aetopia Digital Asset Management (DAM)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Aetopia Digital Asset Management (DAM)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents