Sirion Contract Management

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: None.
System requirements: Stable internet connection of 10 Mbps

Browsers MS Edge, Chrome, Firefox, Safari (current or current-1)

1 Gigabyte RAM

User support

Email or online ticketing support: Email or online ticketing
Support response times: The standard response time SLA is as below:

SLAs
- Severity Level 1 – Initial Response -2 hours
Resolution/Workaround - 2 Business Days

-Severity Level 2 - Initial Response -1 Business Days
Resolution/Workaround - 6 Business Days

-Severity Level 3 - Initial Response - 2 Business Days
Resolution/Workaround - 10 Business Days

-Severity Level 4 - Initial Response -3 Business Days
Resolution/Workaround - 25 BusinessDays
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Sirion has a traditional cloud application support model based on Incident Severity Levels. Additional details regarding Sirion service level and service level credit methodology can be found in the Sirion G-Cloud 14 Terms and Conditions. Following is a summary.

Standard Service Level Definitions
Severity Level 1 – An incident that results in the complete loss of access to, or all capability of, the Subscription Services. We will work continuously until a Severity Level 1 Incident is resolved.
Severity Level 2 – An incident that disables major fundamental functions from being performed and therefore affects the normal operation of the Subscription Services
Severity Level 3 – An Incident that disables non-essential functions but that does not impair the normal operation of the Subscription Services
Severity Level 4 – Intermittent or minor Incidents that do not materially affect normal operation of the Subscription Services
SLAs
- Severity Level 1 – Initial Response -2 hours
Resolution/Workaround - 2 Business Days

-Severity Level 2 - Initial Response -1 Business Days
Resolution/Workaround - 6 Business Days

-Severity Level 3 - Initial Response - 2 Business Days
Resolution/Workaround - 10 Business Days

-Severity Level 4 - Initial Response -3 Business Days
Resolution/Workaround - 25 BusinessDays
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Sirion has a well-structured training program to assist client’s professionals to learn about the platform and its functionalities. We use a combination of providing remote class-room training sessions, sharing self-help manuals (online help) and provide helpdesk support to address the training needs of client users and their suppliers. Sirion has a developed a training approach where we take help of actual use cases and reference materials for end user training.
Some highlights of the training program are:
• Location: Instructor-led training sessions conducted onsite and/or online.
• Methodologies: Classroom training, online training, offline documentations, online help
• Illustrative training content: We conduct training sessions with the customer teams which is inclusive, but not limited to the following:
o Sirion demonstration and walk through sessions
o Sandbox set-up and training examples
o Sandbox vs Production
o Access control and role based system usage
o Sirion Approach to Contract Lifecycle Management
o Setup of Contracts and Change requests
o Setup of Deliverables/Obligations
o Approving/Rejecting Deliverables/Obligations
o Performing Workflow Actions
o Configuring Reports and Dashboards
• Self-help manuals - The system has an online self-help manual to help users understand the features and functionalities
• Language: All training sessions are conducted in English.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: At the end of the contract, all customer data is exported to a secure FTP location and credentials are shared with the customer to download their data from that location.
End-of-contract process: Upon termination or expiration of the contract, as requested by the customer, SirionLabs will provide assistance reasonably required to effect an orderly transition of the services and customer data to back to the customer. Such assistance is included in the price of the contract and there would be no additional cost.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The same web version is available on mobile devices as well, accessible through mobile web browsers. Almost all functionality is available on mobile devices except for a few that require larger real estate.
We also offer a mobile application Sirion Mobile Application – available free of charge for all users within the Apple AppStore or Google Play Store.
For AppStore: iPhone - 10 and above; iOS version 13 and above
For Play Store: Device screen size 5 inch and above; Android version 10 and above.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Personalised UI configuration including UI language, movable columns, column choosers, filter choosers allowing users to narrow their search, customisable dashboards, ability to decide which dashboards appear on the home page and save preferred views of tables and reports for future use. Various users within the environment have different needs, therefore SirionOne is flexible and provides role specific user access and customisation of the user experience. Offers customisable workflows with unlimited steps, views, permissions (include customer + 3rd party users), conditional steps as per customer requirements. Customisable graphs and reports, custom reports based on captured data elements, and full text searches.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: None
API: Yes
What users can and can't do using the API: SirionOne application works on RESTFUL API. Any activity that is possible on the web application is possible via the APIs.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

PDF
API sandbox or test environment: Yes
Customisation available: No

Scaling

Independence of resources: Sirion is a multi-tenant SAAS platform and can scale up/down for any number of customers, their registered users and any number of sessions/transactions. Sirion is monitored on a real-time basis, if there is additional load/more number of users/ more number of transactions happening at a given time, the system will automatically spin up more servers in order to cater to increased demand.

Analytics

Service usage metrics: Yes
Metrics types: Currently, we provide service usage metrics for the time spent by each user in the system for each session and the total time spent.
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users have the ability to download their data through the web interface. In addition, SirionLabs also provides weekly data backup for customers to download from a secure FTP location.
Data export formats: CSV

Other
Other data export formats: XML

XLSX

PDF/A
Data import formats: CSV

Other
Other data import formats: XLSX

XML

JSON

CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The standard SLA for Sirion's availability is 99.8% on a monthly basis. Our provision of the Subscription Services is subject to the Service Levels, available at https://www.sirion.ai/legal/service-levels/, as may be updated from time to time.
Approach to resilience: Sirion is hosted on Amazon Web Services (AWS) and MS Azure, and leverages their infrastructure for resiliency.
Outage reporting: The users of Sirion are updated with any outages via email alerts. Scheduled downtime i.e. any planned outage that is scheduled, is communicated to clients with not less than 24 hours prior notice via email.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: Sirion’s authentication module authenticates users via a login/password. Sirion can integrate with the customer’s Identity Management system.
Access rights are assigned as follows:
• User Role Groups: Templates contain a predefined set of all operations a user assigned the template may perform. This template can be named and any number of users may be assigned a template.
• Entity Stakeholders: Each entity type such as supplier, obligations, actions, etc. has a set of stakeholders with assigned permissions.
• Individual User Access: Each user has a profile and can be assigned custom permissions to perform system operations and access data.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Dedicated link (for example VPN)

Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI Group
ISO/IEC 27001 accreditation date: 2014
What the ISO/IEC 27001 doesn’t cover: Being a SaaS provider, out of 114 controls, 1 control is not applicable to SirionLabs:
1.Outsourced Software Development
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: SOC 2 Type 2 Compliant

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Sirion is an ISO 27001: 2022 certified organization. We have implemented a gamut of security controls as per ISO standard. Security processes & controls have been implemented at all layers (application, hosting, network, etc.).

On the day of joining, every employee is introduced to Information Security policies through the HR induction program. During the induction period, all employees attend a mandatory Information Security training. Policy refresher trainings are conducted on an annual basis. Further, HR keeps the copy of acknowledgment for records.

In case of non-compliance to any of the policies by an employee, there is an action protocol that is initiated. The degree of action is directly related to the level of offence and the employee's record.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Sirion has standard, documented processes covering all components of Configuration and Change Management for bug fixes, feature changes, enhancements etc. The purpose is to ensure that standardised methods and procedures are used for efficient, prompt handling of all changes. Prior to any changes being deployed in production environment, a dedicated team ensures that all mandatory security checks are completed in the pre-production environment. This team performs security assessment and vulnerability and penetration test for all changes going into production. Additionally, Sirion engages an external vendor for VAPT to assess and remediate for potential security vulnerability in the system.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: With every release, Sirion goes through security testing prior to deployment on AWS. Sirion undergoes VAPT on its networks and supporting systems annually through an external vendor. The objective of the exercise is to identify unauthorised access by users, with limited or no prior knowledge of Sirion' IT environment, critical internal network equipment, applications and databases and servers from an external network.
• Sirion conducts ongoing security review of its source code prior to any patch release or upgrades.
• For any security observations, emergent patch is released immediately.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Sirion leverages automated tools including AWS monitoring tools to detect unusual or unauthorized activities and conditions at ingress and egress communication points that monitors server and network usage, port scanning activities and application access.

Depending on the severity of the incidents, the response and remediation SLAs are defined.

If SirionLabs detects that customer data has become corrupted, lost, breached or significantly degraded in any way for any reason, then the SirionLabs will notify the Buyer immediately.
Incident management type: Supplier-defined controls
Incident management approach: Sirion has in house 24*7 incident management team which takes care of Incident response.
• Information Security team has established a formal procedure for reporting any suspected events.
• Users report internal and privacy security incident via secured e-mail or helpline. Customers can report incident on 'support@sirioncloud.com'
• Incident reports are available in the tool and Customer Support team also shares the report with the client on regular basis.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Equal opportunity
Wellbeing

Fighting climate change

Our sustainability efforts focus on the conservation of energy and reduction of travel overheads by using teleconferencing wherever possible. We are committed to driving down our energy and carbon impacts, as we believe that climate change is one of the greatest risks to our world. Being a technology company our IT department created a specific power management system that efficiently controls all of their computers.

Equal opportunity

We value diversity in our workforce, as well as in our customers, suppliers, and others. We provide equal employment opportunities for all applicants and employees. We do not discriminate on the basis of race, color, religion, sex, national origin, ancestry, age, disability, medical condition, genetic information, military and veteran status, marital status, pregnancy, gender, gender expression, gender identity, sexual orientation, or any other characteristic protected by local law, regulation, or ordinance. We also make reasonable accommodations for disabled employees and applicants, as required by law.
We follow these principles in all areas of employment including recruitment, hiring, training, promotion, compensation, benefits, transfer, and social and recreational programs.

Wellbeing

We foster an environment of recognition and inclusivity, provide flexible working hours, and have clear goal setting for our employees. To foster employee well-being we offer our employees: Physical health benefits – life insurance, gym discounts, sick leaves, etc. Mental health benefits – mindfulness meditation, coaching sessions, counseling services etc. Work-life balance benefits – PTO, parental leave schemes, sabbaticals, etc.

Pricing

Price: £120 to £175 a user a month
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Sirion Contract Management

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents