eCase is a software service provided by Fivium to our customers who are primarily UK public sector organisations. Customers subscribe to eCase on a pay-per-use basis and are bound by the terms of the subscription agreement.
For the purposes of this policy the following terms are defined as:
Customer: the organisation entered into a subscription agreement with Fivium to use eCase.
Customer data: data inputted into eCase, whether entered manually by users or imported via manual or automated means.
eCase administrator: a user who has privileges within eCase to access administration functions such as setting user permissions, suspending/unsuspending accounts and managing organisation structures. This person should be made known to you when you start using the service.
Fivium: FIVIUM LIMITED, incorporated and registered in England and Wales with company number 05775733, whose registered office is at Palladium House, Argyll Street, London W1F 3LD. Also referred to as “we”, “our”.
User: a person authorised by the Customer to use eCase and access the Customer Data stored within it.
User account protection
Your user account is unique to you and must only be used to fulfil functions you are required to perform as part of your role.
You must use a secure password to protect your account.
We store passwords in an encrypted format using a one-way hashing algorithm. It is not possible for any of our staff to decrypt your password.
We will never ask you to tell us your password over the phone.
You must not share your password with other people or write it down.
Your password shall be changed at least every six months.
If you know or suspect that someone has knowledge of your password you must change it immediately and alert the relevant security person in your organisation.
Your account will become locked after five consecutive incorrect password attempts. If your account becomes locked, you must inform one of your organisation’s eCase administrators, who will unlock the account.
Information held on eCase
The Customer owns all right, title and interest in and to all of the Customer Data they enter into eCase and shall have sole responsibility for its legality, reliability, integrity, accuracy and quality.
To the extent that Customers store any personal data in eCase, the Customer is the data controller and Fivium act as a data processor.
eCase automatically collects and stores logs of the following data:
- Details of how people use the service
- Audit of information accessed by users
- Logon attempts and IP addresses
- Device information such as browser version, language and operating system
- Cookies that identify user sessions
This information is used for security auditing purposes and may be analysed by us and used to improve the service.
Transmission of information
eCase is available via the internet and the Public Services Network (PSN) as two separate services.
- PSN customers will have a URL such as yourdomain.ecase.gsi.gov.uk
- Internet customers will have a URL such as yourdomain.ecase.co.uk
All user sessions are encrypted with TLS/SSL encryption between the browser and eCase.
PSN users can only access eCase from a device that is on the PSN network. All user sessions will be transmitted over the encrypted PSN network and further encrypted with TLS/SSL.
eCase lets users send information via email. Emails can be sent to other eCase users and to external email addresses. Emails are not encrypted and it is the user’s responsibility to ensure that information sent via email is sent appropriately and in line with the customer’s information assurance policy.
Emails sent to recipients with PSN hosted email accounts will be transmitted over the PSN.
Emails sent to recipients with non-PSN email accounts will be transmitted over the Internet after leaving the PSN gateway.
All emails will be sent over the internet and are not encrypted.
We work hard to protect our customers from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold on their behalf. eCase follows the UK government standards for security and is externally tested and accredited by government approved organisations. eCase implements the 14 Cloud Security principles set out by the NCSC (https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles). Our staff are only permitted access to customer data if it is strictly necessary to carry out their duties or to maintain the services we provide.
eCase is hosted in UK datacentres which are ISO27001 accredited and have been approved by the UK government. As a web-based application, eCase can be accessed from remote locations. It is the User’s responsibility to ensure they access eCase from locations which are acceptable to their organisation’s information assurance policy.
eCase provides role-based access control for managing user privileges. It is the Customer’s responsibility to make sure that Users have the correct level of permissions and that accounts are suspended when necessary.
Customers can restrict access to their eCase application by IP whitelisting and Single Sign-on.
Further information about the security measures can be obtained from your eCase account manager.
If you suspect that the eCase application’s data or functionality has been compromised, you should contact firstname.lastname@example.org immediately.