Skip to main content

Help us improve the Digital Marketplace - send your feedback


CyberSmart - Cyber Essentials Compliance Platform

CyberSmart - A platform to continuously monitor your Cyber Essentials compliance and help protect your business from cyber attacks.


  • Continuously monitor you Cyber Essentials compliance
  • Continuous security monitoring
  • Catalogue and monitor installed applications
  • Upload and distribute your company policies
  • User security training
  • Cyber Essentials Plus Certification


  • 24/7 protection
  • Fix issues from dashboard
  • Full visibility of every device in your business
  • Cyber security training and policies
  • Supports any device


£89.90 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

9 5 1 1 6 9 1 4 4 4 5 7 4 7 5


Cantarus Lee Adams
Telephone: 0161 971 3200

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Active Protection application runs on Windows, MacOS, iOS and Android
System requirements
  • Internet Access
  • Web Browser (IE 11+, or compatible)
  • Desktop endpoint running Windows or macOS
  • Mobile endpoints running on Android or iOS

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard support is provided between the hours of 0900 and 1730 British time, Monday to Friday excluding public holidays.

We also provide dedicated 24/7 Business Critical support depending on the hosting package selected.

Service level targets – specifically the time within which we aim to be actively working on a resolution – for support are as follows (excluding on-site support):

Business Critical Within 1 business hour
High Priority Within 4 business hours
Medium Priority Within 2 business days
Low Priority Within 5 business days
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our standard support is provided between the hours of 0900 and 1730 British time, Monday to Friday excluding public holidays. 24-Hour Severity 1 support is also available on some hosting packages.

Standard timebank support is purchased on a per man-day basis and can be used across any of the Cantarus service offerings - any purchased time which is unused during the month can be rolled over for up to 3 months.

Standard timebank charged at £950/day with a 1/2 day minimum.
Support available to third parties

Onboarding and offboarding

Getting started
A new portal will be created for your company within the CyberSmart solution. Once created the the buyer can start to create users within the system manually or via the upload of a CSV file. Once users are created within the system, they can automatically be e-mailed a link to download and install the CyberSmart Active Protect application. Once installed the application will automatically be registered in the dashboard and begin to return compliance data. (Other enterprise distribution methods are available if required)
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Reports can be exported before the end of the contract to show current position - however no further data is stored.
End-of-contract process
When contract expires access to the portal will be removed. CyberSmart will provide the customer with an aggregation of data submitted over the course of the contractual relationship on request.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
User support accessibility
None or don’t know
Description of service interface
The CyberSmart Dashboard guides your business through a
journey to become cyber secure. It starts with assessing how
you’re doing and leads you all the way through to achieving
security your customers can trust.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Both the CyberSmart portal and agent have been tested to be accessible for visually impaired users.
Customisation available
Description of customisation
Users can upload their own company policies for distribution via the CyberSmart system. CyberSmart Dashboard can be co-branded with the buyers logo.


Independence of resources
The CyberSmart dashboard is built on secure and resilient infrastructure from AWS, allowing the application to scale as needed.


Service usage metrics
Metrics types
Dashboard will show users who have installed the application, who is still to install, and the last time data was returned from an endpoint.
Reporting types
Real-time dashboards


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Reporting is available from within the dashboard.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
A monthly uptime percentage of 99.9% means that we guarantee you will experience no more than 43.8 min/month of Unavailability.

Service Credits are calculated as a percentage of the total charges due on your CyberSmart invoice for the monthly billing cycle in which the Unavailability occurred, applied proportionally to the Services that were Unavailable, in accordance with the schedule below:

For Monthly Uptime Percentage less than 99.9% but equal to or greater than 99.0%, you will be eligible for a Service Credit of 10% of the charges attributable to the affected resources.

For Monthly Uptime Percentage less than 99.0%, you will be eligible for a Service Credit of 30% of the charges attributable to the affected resources.

We will apply any Service Credits only against future payments for the Services otherwise due from you. At our discretion, we may issue the Service Credit to the credit card you used to pay for the billing cycle in which the Unavailability occurred. Service Credits will not entitle you to any refund or other payment from CyberSmart.
Approach to resilience
All CyberSmart services run in Amazon Web Services, where all components are deployed in multiple availability zones, minimising disruptions caused by any failure.
Outage reporting
Any outages will be reported via the public dashboard at

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Support channels are locked to a limited number of contacts who are allowed to raise requests on their behalf. These contacts are the only people who are allowed to raise tickets either via the web-portal, e-mail, or telephone.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
No audit information available
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We are Cyber Essentials Plus certified and place security and compliance at the centre of the services we provide. Our data protection, communications and freedom of information practices have been externally audited by NCC Group. We maintain and execute a number of internal policies around Information Security, GDPR and Data Protection that each team within the business are responsible for executing on, with managers of each team accountable for implementation. Our data protection policy includes our principles around GDPR, data subject rights, information on personal data breaches and how to handle these, data protection impact assessments, training and information on our Data Protection Manager's roles and responsibilities. Developers receive security training in order to ensure that our team is always following security best practice and are aware of recent developments in the field.We work closely with a number of government bodies and local authorities. As such, we're well-versed in the extensive regulatory and compliance standards imposed upon suppliers, including GDPR and the DPA.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes should be requested via raising a support ticket with the Customer Success team. The request will then be triaged, and allocated to the relevant internal team. The change will be assessed for any potential security or availability impact, and if appropriate a quote provided to the customer. Once agreement is in place a change request is raised. Where the change is judged to have a possible affect on the security of the site, or requires a change to a global setting to be changed the CR is escalated to a senior manager for review.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Where available we subscribe to security feeds from all our suppliers. When notification of an issue is received, we immediately assess these based on the CVSS score and the use of the feature or application within our environment. Using this data we decide if the patch can be deployed as part of our regular monthly patching schedule, or if we need to directly contact customers in order to arrange an additional at-risk window.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Full monitoring is implemented for the application and services itself. The Monitoring Service continuously executes multiple individual performance tests per Service Component at an interval no longer than 5 minutes from multiple datacenters.
Incident management type
Supplier-defined controls
Incident management approach
Full details of this process are documented in the Cantarus Incident Management Policy. Users who suspect an issue should immediately report this to the Information Security Manager. Depending on the scope of the potential incident, this may then immediately be escalated to the board of directors. Once an event has been verified as a potential issue, this will also be raised with the customer. On completion on the investigation and and remediation activity, the customer will be provided with a full incident report.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

As per our environmental policy, we are committed to minimising our environmental impact. In practice, this is delivered via a multi-pronged strategy including:
- encouragement of environmentally-friendly travel (including a cycle to work scheme program and railcard subsidies),
- a flexible hybrid working policy backed by investment in remote working technology to dramatically reduce commuting within the business,
- investing in digital collaboration tools (e.g. Zoom and Miro) to enable remote workshops with clients,
- office optimisations including segregated recycling bins, use of rechargeable AA and AA batteries, movement-based lighting, and paperless where practical.

We are currently working to accelerate our aspiration to become certified carbon neutral - including allowing for our datacentre power consumption - aiming for the end of 2022. Additionally, we would bring forward our plans to work with One Tree Planted.


As an organisation the wellbeing of both employees and the wider community is extremely important to us. We monitor our Glassdoor rating (5 /5) to ensure staff are happy. We have internal communication channels and maintain an inclusive process that enables staff to give and receive feedback.


£89.90 an instance a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.