Inclusivity (Web Accessibility and Digital Governance)

Service scope

Software add-on or extension: No
Cloud deployment model: Hybrid cloud
Service constraints: The Siteimprove Platform is a fully hosted Software-as-a-Service product. Users can only access the platform via the internet. There is no software or hardware required to utilize the platform. Siteimprove users are encouraged to subscribe to our Status Page to receive notifications whenever Siteimprove creates or updates an incident. Users can choose to be notified of maintenance or downtime through email, RSS feed, or Atom Feed. Users who are not subscribed to Status Page updates will not receive notifications when Siteimprove completes maintenance or experiences downtime.
System requirements: Buyers do not require any specific system requirements.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Full documentation about the Siteimprove product is available 24 hours per day via the Help Center to answer most customer questions. For submitted questions, First Response Time targets are provided as part of the customer's purchased Success Plan. On average, we try to maintain a one business day response time. However, during periods of high traffic responses may take longer.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 24 hours, 7 days a week
Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
Web chat accessibility testing: We have audited against WCAG 2.1 AA and found it lives up to those criteria. WCAG 2.1 AA is the list of things that the web-chat lives up to. Please view our accessibility statement and VPAT, https://www.siteimprove.com/accessibility-statement/.
Onsite support: No
Support levels: For the support process, the language is spelled out in the Success Plan documentation. The specific language for their purchased service levels should be referred to in the contract.
Regional support Monday through Friday 8am - 5pm (Central US for North America, Central European for EMEA, Australian Standard Time for APAC).
Product Inquiries: For our Essential Success plan customers it's within 3 business days. For our Expert Success plan customers it's within 2 business days.
Support is included in all levels of our success plans. Essential Success plan is our basic plan and comes at no additional costs; Expert Success plan comes at a cost of 30% of software cost (Please see the Expert Success service listing for more information)
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Siteimprove provides a standard set of services including set-up, configuration, and education as set forth in this Implementation Plan (‘Implementation’). All meetings, correspondence, and trainings required during Implementation of the Software Services shall be in English. For more information, please view the following link : https://www.siteimprove.com/legal/implementation-plan/
Service documentation: Yes
Documentation formats: Other
Other documentation formats: Text articles (Help Center)

Inline interactive guides (in-platform)

Video (Frontier)
End-of-contract data extraction: Before the end of the contract, a ticket would need to be submitted to the Siteimprove tech support team prior to the end of the contract and the team will provide the direct extract from the database. The customer remains the ownership of all website content and reports that are created by the tool. Automated reports can be emailed or you can download the reports from the SaaS platform. All data would have to be downloaded prior to termination, as we mark everything for deletion upon termination.
End-of-contract process: Siteimprove stores personal data provided by the customer, and as long as the agreement between Siteimprove and customer stands, we process and retain the personal data provided by the customer. As soon as the Agreement between Siteimprove and the customer is terminated, we initiate deletion of the specific personal data provided by the customer, thus the retention period for the customer ends. However, Siteimprove will retain some information about the customer after contract termination, due to legal and financial requirements. When the agreement between Siteimprove and the customer is terminated, the following will occur: the tables in the database, containing the customer results, history and specific customizations to the Siteimprove Suite will be dropped; crawled website data (HTML) and/or any linked documents (such as PDF files) will be deleted; and elimination from backup from any scheme is initiated Due to the backup frequency and the technical setup, personal data will be fully rolled out of the backup scheme which is, at most, 90 days after initiation.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: WCAG 2.1 AAA
Description of service interface: Our service interface is completely self-serve.
You have full control of your user management. We provide the administrator of the account all rights, and then you can control the level of access for the following users and how they should use the platform. Customers can create custom user roles, where customized access to different features can be detailed.
Within the service interface, dependant on your subscription, you can find our solutions.
Along side this, you can access our Online training resource - Frontier, help articles and support
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: We have audited against WCAG 2.1 AA and found it lives up to those criteria, please find more information here https://www.siteimprove.com/accessibility-statement/. Please view our accessibility statement and VPAT, https://www.siteimprove.com/accessibility-statement/.
API: Yes
What users can and can't do using the API: The Siteimprove API gives users access to all of your site data through a RESTful API. This allows you to use any program language, using standard HTTP protocols, to integrate Siteimprove’s data into your own processes and applications.
All the information regarding API can be found on https://developer.siteimprove.com/
API keys generated in the platform are 128 bits.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: No

Scaling

Independence of resources: The Siteimprove platform uses a combination of auto-scaling and multi-tenancy best practices to ensure performance is not degraded by demands placed on the platform by our customers.

Analytics

Service usage metrics: Yes
Metrics types: In relation to user activity, we provide metrics such as the last time a user logged in.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Data can be exported in .xls and .csv format
Data export formats: CSV
Data import formats: Other
Other data import formats: Data can be exported in .xls and .csv format

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Siteimprove does not provide guarantee of restoration timelines in contracts. Please see the Siteimprove Incident Response Policy and Criticality Matrix. https://help.siteimprove.com/support/solutions/articles/80000724291-siteimprove-incident-response-policy-and-criticality-matrix
Approach to resilience: Siteimprove has replication of data and services across multiple locations to provide a resilient solution.
Outage reporting: Service status is recorded on status.siteimprove.com.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Customers do not have access to this. This is restricted to employees only, and restricted by "just in time" and "least privileged" principles.
Access restriction testing frequency: At least once a year
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: British Assessment Bureau
ISO/IEC 27001 accreditation date: 3/7/2024
What the ISO/IEC 27001 doesn’t cover: Scope: “The customer interface and the underlying cloud-hosted infrastructure and databases storing datathat support the delivery of Siteimprove's core Software as a Service to customers in all geographicallocations.”
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 7/2/2018
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover: None
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: "Siteimprove has developed its information security policy framework to meet the control requirements for ISO27001 and to reflect existing and emerging risks associated with its use of information and systems.
Siteimprove’s Information Security Department has defined an information security framework to support the implementation and embedding of information security throughout Siteimprove’s business units.
The framework adopts a why – what – how approach:
• policy sets the intent and rationale for security within Siteimprove, defining why it is necessary;
• standards define what controls and security measures need to be implemented to meet Siteimprove’s risk appetite;
• procedures define how the standards are to be implemented.
A series of standards define information security principles and baseline information security controls in alignment with Siteimprove’s information risk appetite. These controls support the implementation of Siteimprove’s security policy. The standards are owned and approved by Siteimprove’s Director of Security and fall into two categories: technology independent and technology specific."

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: "All changes are reviewed, approved and key teams notified in accordance with ITIL best practice before a change is made.
Siteimprove schedules and communicates changes and new features through a release management function that ensures changes are communicated to customers in a timely manner. This is done in-tool and using help center articles. For bigger improvements our Customer Success Executives communicate changes proactively."
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Siteimprove has processes for vulnerability identification and remediation. Roles and responsibilities have been defined and assigned to persons involved in the vulnerability management process.

Vulnerability scans and penetration testing are performed on a regular basis to identify vulnerabilities in systems handling restricted or controlled information and systems accessible from external networks.

Vulnerabilities are analysed, risk assessed and prioritised by security personnel using a defined vulnerability scoring method and remediated within defined timescales. Timescales are determined by the vulnerability score. Remediation of critical vulnerabilities affecting business critical systems will be applied within 24 hours of the vendor approved patch being available.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Siteimprove implements a “defence in depth” approach to its design and deployment of technical security measures. This includes the use of SIEM system for protective monitoring. Siteimprove also uses a variety of tools such as logging tools, vulnerability monitoring and endpoint detection & response (EDR) tools. Mobile Device Management (MDM) and infrastructure tools are used to apply security patches. Siteimprove uses a SOAR platform, to triage and investigate alerts generated by our EDR, XDR, SIEM, vulnerability management and threat intelligence systems. The Security Operations team reviews these cases and respond to the alert as required.
Incident management type: Supplier-defined controls
Incident management approach: "Siteimprove holds and maintains a Security Incident Response Plan based on guidelines from NIST (800-61). Security incidents are classified and handled with a priority based on the impact to the business and associated assets.
Incidents should be reported to security@siteimprove.com
Siteimprove will collaborate on the investigation of the incident with the customer, and is committed to providing full transparency in a manner that is technically reasonable and relevant to the current risk to the customer data and customer end user."

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Equal opportunity
Wellbeing

Fighting climate change

We are committed to and invested in sustainability for the planet, our business, customers and communities by making ESGs measurable and actionable. To do so, we publish two reports annually to official sustainability authorities including the UN and ESG survery via Position Green. Alongside reporting we are taking action to reduce our carbon footprint such as the following: New offices by reducing and modernizing new spaces to be more energy efficient; by donating office equipment with a value of £8375 to support education around the world via The Waste to Wonder Trust. In other cases we reupholstered furniture instead of buying it new, and re-potted existing plants.
Office hardware by using a fellow Global Compact Signatory, Atea, as our global IT hardware provide. They are ISO 140001 certified and screen their manufacturing suppliers using specific environmental criteria.
Data processing with our cloud provider and data processor, AWS. They have increased the ratio of renewable energy usage to 95% in many of their regions in 2022, and aspire to be powered by 100% renewable sources in 2025

Equal opportunity

Our platform helps fight inequality by helping companies to provide a more accessible website and providing a level playing field for disabled people. Please find more information about how we tackle these issues here, https://sintra.siteimprove.com/home/si-social-good-page.

Wellbeing

Our platform helps fight inequality by helping companies to provide a more accessible website and providing a level playing field for disabled people. Please find more information about how we tackle these issues here, https://sintra.siteimprove.com/home/si-social-good-page.

Pricing

Price: £8,000 to £28,700 a licence
Discount for educational organisations: No
Free trial available: No

Inclusivity (Web Accessibility and Digital Governance)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Inclusivity (Web Accessibility and Digital Governance)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents