Fifosys Limited

Cloud Managed Software as a Service Protection (Backup) for Office365 and Google

Fifosys provide a cloud based backup and disaster recovery service utilising Datto Backupify for Microsoft Office365 and Google Gsuite. This provides a secondary cloud copy of your data to a 3rd party secure cloud.

Fifosys have achieved the highest tier of partnership with Datto and ensure your data is protected.

Features

• Protect data hosted in Office 365 or Google
• Automated and secure backup of your cloud data
• Built in data encryption
• Regular vulnerability management and testing
• HIPAA compliant
• SOC 2 Type II audited

Benefits

• Fully managed and automated offsite backup.
• Protection of data against accidental deletion
• Protection of data against malicious activity
• Restore SharePoint data to different URL
• Remote web management and detailed reporting
• Fully managed service

£2.40 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at m.patel@fifosys.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

123198651921252

Contact

Mitesh Patel
02076442610
m.patel@fifosys.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Backups are available up to a maximum of 3 times per day
• System requirements:
  • Account with full rights over other accounts for Office365
  • Super admin user for Google backup
  • A modern web browser is required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: The Fifosys service desk is available 247 365 days of the year. This service provides a fully manned operation with engineers sitting in front of screen, taking calls, responding to emails and monitoring systems. Fifosys respond to incidents much faster than our SLA. We maintain a response and resolution time of 20 minutes for 86% of incidents to our desk. Our SLA is 1 hour for a priority 2 & 3 and 20 minutes for a priority 1. But we average 8 minutes response times to email support requests. These response times do not vary at weekends.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Fifosys provide 1st, 2nd and 3rd line support 24/7/365. Our Network Operations Centre (NOC) proactively monitor, maintain and remediate clients systems. This is all standard service as part of our pricing model. We provide a team which includes an IT Manager who manages the Service team (NOC & Support), an Account Manager who is responsible for day to day management of the account from a sales perspective, and Technical architects who are responsible for discussing and identifying the right technical solutions for our clients.; ; We encourage clients to make use of tools we provide giving full visibility of what we do, including access to a service portal to view Service Desk activity. Our incident reports and status reports give clients the information needed if anything does not meet expectations we will be open in our resolution. This forms the basis of agreed KPIs to help gain trust and sustain long professional relationships. ; ; This data is a central focus of Service Reviews and is invaluable in identifying training needs, potential problems or areas where systems aren’t delivering what the organisation needs. This detail has been noted in external quality audits and by vendors specialising in managed service applications and CRM systems.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a tailored training program for the cloud backup service dependant on the requirements. This can include on-site training, workshops or on-line training. This can even be combined if required. We have a large repository of user documentation that we share on how to use the various elements of the service, including instructional videos produced by the software provider.; ; The migration to this service is treated as a project and as such there will be several phases. During the discovery phase, the impact to the users will be assessed and we will work with the customer to determine a communication and training plan. ; ; Following the cutover i.e. when the service is live, we will have an onsite engineer to assist with any queries and provide initial training to the users.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The user may request data to be extracted via our service desk. We will then provide the data on removable media. The user must supply or agree to the costs of Fifosys supplying the media.; ; Fifosys will export the latest generation of data only for free. If additional generations are required there will be an additional charge for this. ; ; As an alternative customers can export individual backups from within the portal to either their own systems or an alternative cloud solution if they wish.; ; Any customer data and configuration relating to the delivery of the service. i.e. network diagrams will be exported from our IT Glue system and provided to the client in PDF.
• End-of-contract process: Extracting 1 generation of data is included in the price of the contract as are all termination fees. Any media required to export data is not included and this must be purchased by the user or the user must agree to the costs of Fifosys purchasing this on their behalf. ; ; The export of historic backups is not included as this can be a time-consuming process and the cost is dependant on how many generations of data need to be exported. ; ; The Datto cloud backup service is sold via an MSP only channel and therefore the customer will need to either migrate the service to another Datto MSP or cease the service.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The backup service is accessible via the Datto or Appriver web portal. The majority of tasks can be run from within the portal by the client, however this service is provided as part of a managed service and therefore we would action these requests on behalf of the client as per the user support.
• Accessibility standards: None or don’t know
• Description of accessibility: From the portal users can manually, run backups, review backup logs, perform restores and add additional users. They can also look at previous backup status, check for the last successfully backup and monitor the progress of any offsite syncronisation.
• Accessibility testing: No specific web interface technology testing has been undertaken with assistive technology users, however good practice development methods have been used to optimise the end user experience.
• API: Yes
• What users can and can't do using the API: The API makes it easy for enterprise customers to manage their SaaS protection account. Currently, the API facilitates user management within the customers SaaS protection account.; ; In addition Datto provides a RESTful API which allows administrators of the service to pull additional statistics from SaaS Protection.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: Load balancing occurs to ensure the backup traffic being received by the Datto cloud is evenly balanced across multiple receiving nodes. ; ; Bandwidth limits are also in place to prevent users from other organisations saturating the line.; ; The cloud environment is a massivley scalable enviornment and the addition of new users or cloud enviornments is unlikely to have any negative impact, however load across the environment is constantly monitored for performance issues and additional resources can be quickly brought on-line to cope with any peaks in demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Datto, Appriver

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Data is encrypted at rest using AES encryption, data sharding and key rotation. Physical access control is also compliant with SSAE-16
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data can be exported from the Datto portal directly by selecting the files, users or services required and choosing the export option.; ; Data can be then be manually copied as required.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • MBOX
  • PST
• Data import formats: Other
• Other data import formats: G suite via API

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We provide a 99% SLA on the datto cloud backup environment. ; ; Users are refunded up to 10% of the monthly cost of hosting if we do not meet the SLA
• Approach to resilience: Available on request
• Outage reporting: Any service outages would be reported via email alerts. Any outages would be classed as a priority 1 - High impact incident and follow our high impact incident process.; ; Users would be continuously updated on progress of the issue until resolved.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Only authorised individuals from our organisation can manage the system and strong authentication is in place. The management layer is segregated from the service networks to prevent any issues affecting service.; ; The operational processes that govern access to customer data in Datto's cloud services are protected by strong controls and authentication.; We perform regular audits (as well as sample audits) to attest that any access is appropriate and continually provide staff awareness training.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 14/12/2019
• What the ISO/IEC 27001 doesn’t cover: Microsoft's, Google, Datto and Appriver's own cloud - This is covered by their own accreditation
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Information data security is an essential part of the Fifosys business. The directors recognise the need for its clients and end users information data to remain secure and confidential at all times. Clients and Fifosys internal departments collaborate to ensure that data stays secure.; Information data security systems are reviewed at regular intervals and outcomes are made available to other relevant organisations. Current policies exist for the following which are audited each year as part of our ISO 27001 accreditation:; Information Security Organisation; Classifying Information and Data; Controlling Access to Information and Systems; Processing Information and Document; Purchasing and Maintaining Commercial Software; Securing Hardware, Peripherals and Other Equipment; Fifosys Personnel; Detecting and Responding to Incidents; Business Continuity

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Requirement for a change is identified by Fifosys or a supplier, customer or partner.; The pre-approved change list should be checked to confirm whether this change can be implemented without further review. If the engineer is happy to implement the pre-approved change without further approval they should log, implement and manage the change as a standard service request/support ticket or in a project task.; If the change is not on the pre-approved list or if the engineer feels that there are risks with this change that require additional consideration, the change should be logged and managed on the change board.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We are continually assessing threats to our service. We use automated cyber security tools such as cyberscore from XQ cyber ( A Check service provider) to continuously poll our environment for new threats and suggest remediation plans. ; ; We patch our and our clients servers every week using our automated patch management service.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use our proactive monitoring tool (Nable), to identify threats. This monitors all aspects of the environment from servers to networking to anti-virus. ; ; Data is also proactively monitored for RansomWare attacks through our backup solution. ; ; When a threat or compromise is detected a ticket is automatically logged in our ERP system (Connectwise) and handled as a priority 1 ticket.; ; We respond to these incidents within 15 minutes
• Incident management type: Supplier-defined controls
• Incident management approach: Our incident management process is based on the ITIL framework for service management. Incidents are categorised into service issues where IT has failed and support issues where IT hasn't failed i.e. a new user request. ; ; We have pre-defined processes for common events such as new users, subject access requests, permission changes, mobile device setup, upgrade and client specific common tasks. ; ; Users can report incidents via phone, email or online portal.; ; Incident reports are provided to pre determined stakeholders in PDF format for high impact incidents and users can check directly in the online portal for normal or low impact incidents.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  As a part of our Environmental policy we are committed to continual improvement throughout our business operations to lessen our impact on the local and global environment by conserving energy, water and other natural resources. Our Environmental Initiatives include: • Reducing energy and fuel consumption. • Incorporating sustainability considerations into our supply chain. • Saving energy by using energy efficient lighting and equipment • Encouraging flexible working and reducing the need for face to face meetings through the use of technology such as Teams. • We adopt a “cloud first” approach to technology

  Covid-19 recovery

  Fifosys have taken a number of steps to aid Covid 19 recovery for both employees and customers such as: For employees - Hybrid working model with dedicated work from home time each week. Improved workplace conditions such as sanitising stations and social distancing. For organisations - Applying discounts to allow businesses to recover financially. Changing the underlying architecture to allow users to work from home more effectively. Introducing new communications solutions to allow better collaboration and communication. We have created significant employment opportunities by bringing some of our offshore services back to the UK.

  Equal opportunity

  We are committed to providing equality of opportunity in our employment practices and procedures, and to avoiding unlawful discrimination being suffered by our employees, job applicants, clients or customers. We will not discriminate directly or indirectly in recruitment or employment because of age, disability, sex, gender reassignment, pregnancy, maternity, race (which includes colour, nationality and ethnic or national origins), sexual orientation, religion or belief, or because someone is married or in a civil partnership. These are known as "protected characteristics”. We will not discriminate unlawfully against customers, contractors, suppliers or visitors using or attempting to use the goods, facilities and services that we provide. This aim of this policy is to assist us in putting this commitment into practice to ensure all our employees are treated fairly, respectfully and without prejudice, so that you are able to maximise your full potential, and do not commit and/or are not subjected to unacceptable and unlawful acts of discrimination. Our policy is implemented in accordance with the Equality Act 2010 and all other appropriate statutory requirements and has been compiled after consideration of all available guidance and relevant Codes of Practice. We will strive to ensure that our work environment remains positive, free from harassment and bullying, and that everyone is treated with dignity and respect at all times in maintaining and sustaining equal opportunities in employment.

  Wellbeing

  We promote a healthy work environment through our employee corporate wellbeing policy, initiatives include: • Adopting a hybrid work environment for all employees • Free fresh fruit deliveries • Regular Mindfulness and wellbeing sessions • Health insurance • A culture of support and celebration of achievements

Pricing

• Price: £2.40 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Fifosys will work with the customer to develop a proof of concept with clearly defined success criteria.; ; This is limited to 30 days and 500 users would not include services such as full DR restores, large data migrations, full resilience or production workloads.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at m.patel@fifosys.com. Tell them what format you need. It will help if you say what assistive technology you use.