IMMUTA LTD

Immuta SaaS

Immuta provides a dynamic, policy-based system of data access control, integrated natively into most modern cloud data platforms. Immuta is able to automatically identify sensitive data (such as PII), and automate many of a customer's existing data access processes, providing a single plane of governance across all data platforms.

Features

• dynamic access control for cloud data platforms
• sensitive data discovery for cloud data platforms
• data access audit records for cloud data platforms
• data anonymisation and redaction for cloud data platforms

Benefits

• automate access control for cloud data
• remove/reduce manual data access request processes
• Dramatically reduce data access rules management

£1,000 to £8,000 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at revops@immuta.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

243045727485083

Contact

Revenue Operations
+1 800-655-0982
revops@immuta.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Databricks, Snowflake, Amazon Redshift, Amazon S3, Microsoft Azure Synapse, Azure Databricks, Trino, Starburst, Google BigQuery, Collibra, Alation.
• Cloud deployment model: Public cloud
• Service constraints: Buyer agrees to maintenance window for updates and upgrades. If there is any service disruption planned with the update or upgrade customer will be provided 48 hour Notice.; ; Minimum user numbers can be applicable.
• System requirements:
  • Support for:
  • Snowflake
  • Databricks
  • AWS Redshift
  • Azure Synapse
  • Starburst (Trino)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Depends upon the support SLA, and varies with the reported support priority. Response times can be as short as 1 hour.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Immuta has 3 support levels, Basic, Advanced and Enterprise. All levels of support includes access to online documentation and Immuta University training. ; ; Basic is included as standard, and includes 12x5 support hours, and 2 support users.; ; Advanced includes 24x7 support and incudes 5 support users.; ; Enterprise includes 24x7, includes accelerated response times and 15 support users.; ; Advanced and Enterprise support are an additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We work closely with customers to provide an implementation package that is specific to the customer's needs. This can include a combination of both online and/or onsite training, in addition to Customer Success oversight and access to documentation.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Customer metadata and access policy information can be extracted via API. Core customer data is not stored by Immuta.
• End-of-contract process: As part of the Customer Success programme, we continually engage with customers throughout their lifecycle, including planning for any offboarding at the end of a contract. This involves regular discussions between the customer and our Customer Success team. Professional Services can be available for transitions, where required.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Authenticate with the API; Connect Data; Manage Policies; Create Purposes; Manage Projects
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: We offer s shared Kubernetes Cluster Model with customer tenant isolation. We are using Autoscaling to ensure that the cluster is able to adapt (grow) and re-balance on demand. We are also monitoring resource consumption on a continuous basis to re-distribute load as needed.

Analytics

• Service usage metrics: Yes
• Metrics types: We have a set of collected metrics that we measure and push to a central datastore the metrics collection can be opted out of.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data export allows users to extract their data from the Immuta platform and save it externally for various purposes such as backup, data integration and reporting. For audit logs, the Immuta platform allows customers to export the full audit logs to S3 and ADLS for long-term backup. For other metadata, customers can use the API to pull the data they want. For analysis, reporting, and compliance monitoring, Immuta reports make it possible to export various types of metadata through CVS files
• Data export formats:
  • CSV
  • Other
• Data import formats: Other
• Other data import formats: Database Backup (PGSQL)

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We currently offer 99.9% uptime SLA with exceptions for "permissible downtime" which includes updates and upgrades with notice and exceptions for third parties. Typically service credits are negotiated based on customer expectations.
• Approach to resilience: Using a combination of Kubernetes, local availability zones, and cross region data replication we are protecting against both Intra and inter region failures. documentation provided on request.
• Outage reporting: A public dashboard

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Immuta supports integration with 3rd party IAM services as well as a built-in Identity Management service. During provisioning, the customer creates an initial adminitrator account in the built-in IAM and manage the access of additional users
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR
• ISO/IEC 27001 accreditation date: 28/04/2023
• What the ISO/IEC 27001 doesn’t cover: There are no exclusions listed.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC2 Type 2
  • ISO 27701

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC2 Type 2, ISO 27701
• Information security policies and processes: Immuta's information security and privacy management systems are ISO 27001 and 27701 certified, and SOC 2 Type 2 is attested. Immuta maintains a comprehensive set of security and privacy policies to ensure the program meets internal and external requirements. Immuta's current policies include Acceptable Use, Access Control, Asset Management, Change Management, Compliance, Data Classification, Data Destruction & Sanitization, Data Protection, Data Retention and Lifecycle Management, Disaster Recovery and Business Continuity, Encryption, Human Resources Security, Incident Response and Management, Information Security and Privacy Program (ISMS/PIMS), Internal Audit, Logging and Monitoring, Network Security, Personal Data Request Handling, Physical Security, Risk Management, Software Development Lifecycle, Third-Party Management, Virus and Malware Detection and Prevention, and Vulnerability Management.; ; Security and Privacy policies may be edited, retired, or introduced as required under the approval of the Immuta Information Security Governance Committee (ISGC). The Immuta Office of the CISO is led by our Chief Information Security Officer, who reports to our Chief Operating Officer. All employees must sign the Immuta Acceptable Use Policy upon employment, which includes requirements for being aware of all other policies and how they apply to that employee.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All assets are tracked with asset tracking. Immuta is cloud-native, cloud assets and components are tracked and retired/destroyed when they are no longer needed. Assets are reviewed regularly as part of our ongoing cost and system management efforts. All changes are submitted to Jira which has automation built in to risk rank changes based on several criteria, including their potential impact.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Immuta uses Sysdig which provides continuous vulnerability scanning and alerting within the Immuta SaaS environment. Sysdig automatically scans hosts and containers then alerts the SRE and Security teams of findings via Slack, email and the console. Patches are deployed monthly and as needed dependent on risk and severity. Sysdig includes integrated threat feeds and the Immuta team subscribes to several alerting services to keep abreast of weaknesses.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Sysdig provides ongoing detection of vulnerabilities, configuration issues, and potential attacks or incidents. Incidents are sent through standard alert channels, including Slack, email and available through the Sysdig console. The team triages findings daily and incidents are responded to in 24-hours or less. Immuta also utilizes Rapid7’s Managed Detection and Response service which allows 24/7 monitoring, alert and investigation of risks and vulnerabilities detected within Immuta systems for both the SaaS and Corporate environments.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Immuta has a well-developed Incident Response plan that was built based on NIST and ISO. IR procedures are documented in the IR plan including reporting requirements and how to engage with our third-party response partners. In the event of an incident, a forensic investigator would be engaged through our cyber-insurance carrier. Our cyber-insurance carrier provides full support to insurance customers including reporting services for b2b and b2c incidents.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Recycling in every office location; Water dispensers in every office to cut down on plastics; Donating leftover catered food to local food banks to cut down on food waste

  Equal opportunity

  Immuta is committed to creating an environment where everyone is treated with dignity and respect as it brings out the full potential in each of us, which, in turn, contributes directly to our business success. We cannot afford to let anyone’s talents go to waste.; ; Immuta is an Equal Employment/Affirmative Action (AAP) Employer (this includes - Minorities and Females, Protected Veterans, and Individuals with Disabilities. We are committed to providing a workplace free of discrimination of all types from abusive, offensive, or harassing behavior.; ; Americans with Disability Act; It is Immuta's policy to prohibit discriminatory treatment of qualified individuals with disabilities. Immuta is committed to complying fully with the Americans with Disabilities Act (ADA) and all other applicable federal, state, and local laws that ensure equal opportunity in employment for qualified persons with disabilities. This includes providing reasonable accommodations for the known physical or mental limitations of a qualified individual with a disability who is an applicant or an employee.

  Wellbeing

  Medical, Dental and Vision insurance is provided for all full-time regular Immuta employees who work 30+ hours per week. All premiums for the employee and their dependents are paid by Immuta. For International employees, Immuta reimburses for all medical benefits that U.S. employees are eligible for, equivalent to the same value as what is offered for U.S. employees. ; ; Immuta covers a significant portion of full-time employees’ medical expenses by providing a Health Reimbursement Account (HRA) that commences upon an employee’s start date. Immuta contributes $2,000.00 to each individual regular full-time employee’s HRA and $4,000.00 to each regular full-time employee with dependents’ HRA. This account is to be used for all 213(d) IRS qualified medical, dental, and vision expenses.; ; All regular full-time employees are eligible for PTO immediately upon their hire date. Immuta maintains an unlimited PTO policy, including vacation, sick, holiday, religious, and bereavement for U.S- based employees.; ; Immuta has established a policy that will allow up to 12 weeks of paid leave in a 12-month period for the birth of a child, or placement of a child with you for adoption. Immuta has also established a paternity policy to include paid leave for 3 weeks.; Note that the leave program made available by Immuta, and the rules, terms and conditions for participation in such leave plans, may be changed by Immuta at any time without advance notice.; ; Immuta encourages the continuing professional education of its employees to enhance personal and professional goals that help contribute to the overall success of the company. Immuta will reimburse up to $1,250 per year for your enrollment in; conferences, seminars, and formal professional training on a case by case basis.

Pricing

• Price: £1,000 to £8,000 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 2 weeks of access to an Immuta environment, including all necessary data platform connectors.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at revops@immuta.com. Tell them what format you need. It will help if you say what assistive technology you use.