OneTrust

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Can be configured with many software services.
Cloud deployment model: Public cloud
Service constraints: N/a
System requirements: The infrastructure requirements will change depending upon the usage

User support

Email or online ticketing support: Email or online ticketing
Support response times: OneTrust offers 24/7 support via our "follow the Sun" model and provides support for global clients from our Atlanta and London offices.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: Web chat
Web chat support availability: 24 hours, 7 days a week
Web chat support accessibility standard: WCAG 2.1 AAA
Web chat accessibility testing: OneTrust provides ongoing support and maintenance through our in-house team of privacy certified Implementation and Support Consultants, through email, phone, and our online support portal where support tickets can be submitted at any time. myOneTrust (https://my.onetrust.com) is the central portal for OneTrust customers to navigate through for support tickets, certifications, documentation, and release notes. In addition, we have added new collaborative tools such as discussion boards, affinity groups, and idea voting. OneTrust Support teams are located in our Atlanta and London co-headquarter offices. OneTrust provides three different tiers of support: Basic, Advanced, and Enterprise.
Onsite support: Onsite support
Support levels: Please see our accompanying Support Guides in the Appendix of our accompanying proposal for full details on differences between our offered levels of support.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Training is provided remotely; onsite training requirements can be provided if included in the SOW.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: In the event of contract termination, a copy of customer data is provided to the customer and all remaining data on OneTrust systems is deleted within ninety days of contract termination; Microsoft Azure follows NIST 800-88 data destruction policies.
End-of-contract process: In the event of contract termination, a copy of customer data is provided to the customer and all remaining data on OneTrust systems is deleted within ninety days of contract termination; Microsoft Azure follows NIST 800-88 data destruction policies.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: OneTrust does not have a native mobile application, but is accessible through a mobile internet browser.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Via web-browser; same as internet browser.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Access to production environments that store personal data is limited to authorized employees who have a need-to-know based on the principle of least privilege, and such is determined on a case-by-case basis. Our IT/Security Lead is responsible for managing access rights in production environments, and Microsoft Azure is used for auditing these rights. Access to a customer’s production environment is only performed after receiving a support request from the customer and is necessary to troubleshoot the issue; access is then requested and must be approved before moving further. Customer data cannot be pulled from the cloud environment. Remote access is performed through VPN from the office network only, through a bastion host with IP whitelisting to control access rights, and through SSH with RSA keys.
API: Yes
What users can and can't do using the API: OneTrust uses REST-based APIs to pull data into the OneTrust application. All API calls require an OAuth bearer token to prove that the user is logged in and has been granted access to the resource being accessed.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: OneTrust solution is fully configurable and allows you to make a wide range of changes, including help screens, text fields, labels, questions, branding, and more.

Scaling

Independence of resources: OneTrust scales its platform to support customer demand, there are currently no defined limits.

Analytics

Service usage metrics: Yes
Metrics types: OneTrust provides our customers real-time SLA metrics through our status page found within the OneTrust Support Portal (https://my.onetrust.com ), which allows our customer base to see direct, on-demand access to real time SLA data.
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Reseller providing extra support
Organisation whose services are being resold: OneTrust

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: OneTrust has built-in importing/exporting capabilities for incorporating and extracting your data into a machine-readable format.
Data export formats: CSV

ODF

Other
Other data export formats: Excel

PDF

HTML
Data import formats: CSV

ODF

Other
Other data import formats: Excel

PDF

HTML

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: OneTrust guarantees a high availability of our overall platform through our SLA of 99.95% during any given calendar month. Bytes can attach OneTrust's SLA to the contract by purchasing Enterprise Licensing or Support. OneTrust's also offers a SLA for our Website Scanning and Cookie Compliance module of 100% during any given calendar month.
Approach to resilience: Through load balancing and other performance mechanisms through the Azure infrastructure.
Outage reporting: Through our my.onetrust.com portal.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels: OneTrust is built on Roles-Based Access Controls with twelve pre-defined user role types and organizational hierarchy grouping functionalities to further support your business divisions and entities. OneTrust also supports custom permissions-based role types, and the ability to assign multiple roles and organizational levels to a single user. OneTrust also supports user authorization through SSO with SAML 2.0 and is compatible with cross-platform identity management through SCIM 2.0.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Coalfire
ISO/IEC 27001 accreditation date: 15/2/2022
What the ISO/IEC 27001 doesn’t cover: N/a
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 28/7/2021
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: N/a
PCI certification: Yes
Who accredited the PCI DSS certification: Please reach out to AE for accrediation certificates.
PCI DSS accreditation date: 04/05/2021
What the PCI DSS doesn’t cover: N/a
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: OneTrust has approximately 50 employees dedicated to information security and privacy governance. Our Security Operations team, led by our VP of Information Security Head of Security Operations, CISSP, is provided in conjunction with our Cloud Operations team. The Security Operations team is made up of Security Analysts who perform manual and automated tasks to ensure the ongoing security of the OneTrust application and OneTrust networks using tools and policies in place across our organization. Security gates are built into our SDLC process and SAST and DAST is conducted on each piece of new code.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: OneTrust has a policy that establishes procedures on the proper management of IT production, including change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: OneTrust utilizes monthly vulnerability scanning for all environments, source code scanning/analysis and vulnerability scanning on a per-release cadence. Microsoft Azure provides security review/patching services for our infrastructure, critical security patches which are more proactively alerted and notified to OneTrust. For all released patches, OneTrust has daily reports from all systems listing critical patches and any identified vulnerabilities. In addition to these scheduled, re-occurring practices OneTrust also employs ad-hoc, individual scans based on customer feedback, internal log assessment, or QA follow-up and confirmation of updates or hot fixes. Penetration testing is conducted at least annually through an external third-party.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: OneTrust performs performance monitoring in-house using tools and our security and cloud ops teams.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: OneTrust has a policy that provides a framework for reporting incidents, events and weaknesses, defining responsibilities, response procedures and collection of evidence.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

We take our environmental management and the impact we have on the environment very seriously. We have environmental policies in place and hold the ISO14001 accreditation. Our environmental assessments are conducted annually by an external Lead ESOS Assessor; they are signed-off by the board and compliance reported to the regulator (the Environment Agency). Our environmental policy is published on our website at https://www.bytes.co.uk/company/sustainability/environmental.
Bytes achieved carbon net zero in March 2022 through approved carbon offsetting schemes. We are always seeking to reduce our impact on the environment. We aim to minimise waste, reduce pollutants and use renewable materials. Our offices have recycling facilities for cans, plastic and paper. We aim to reduce our office printing to zero within the next few years.
An Environmental Steering Committee has been established to coordinate environmental activities and drive change.
To drastically reduce our emissions, we have switched to renewable energy. Our Head Office has reached our first milestone of using a specialist 100% renewable electricity provider. We are also exploring options to install solar panels on our Headquarters building.
Other environmental initiatives include installing electric vehicle charging points and encouraging staff to commute to work without the car (setting up a car share network and installing secure cycle parking).
We produce a SECR (Streamlined Energy and Carbon Reporting) report that details the companies energy consumption and carbon emissions. This report is produced annually by an independent assessor.
This report provides details of our emissions in Scope 1, 2 and 3 categories. It details the activities previously taken to reduce emissions and also recommendations for further improvements.
For scope 1,2 and 3 emissions we aim to reduce these by 50% by 2025-2026 from our 2021 baseline.
We aim to be Net Zero by 2040, covering our own operational emissions.

Pricing

Price: £360 a unit a month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: A trial account can be created for Bytes. We will create a trial environment of and assign a Solutions Engineer to work with your team on proving out your use cases.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

OneTrust

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents