Merkle UK One Ltd

Customer Data Platform (CDP)

Merkle offers cloud management for marketing solutions, adaptable to all customer touchpoints. Complementing our fully managed services, clients can outsource omnichannel campaign production. Partner-agnostic, we excel in Microsoft Azure, AWS, and Google Cloud, ensuring tailored, efficient solutions for diverse marketing needs.

Features

• Unified customer view
• Enhanced personalisation for marketing campaigns
• Data compliance and governance
• Omnichannel orchestration
• Revenue growth
• Operational efficiency
• Actionable insights and ROI reporting
• Customer acquisition, loyalty, and retention
• Scalability - our solutions are designed to grow with clients.
• Agility - quickly adapt to new trends and market conditions

Benefits

• Quick access to real-time data
• Report on performance in real time
• Improved marketing performance
• Improved ROI
• Better understanding of your customer
• Improved operational efficiencies through a single portal for all marketing

£850 to £1,950 a unit a day

• Education pricing available

Service documents

• Pricing document

  ODT

• Skills Framework for the Information Age rate card

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.spencer@merkle.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

354703680632706

Contact

David Spencer
+44 (0) 330 060 1813
david.spencer@merkle.com

Service scope

• Service constraints: Maintenance windows for all software are planned in advance, and outages are agreed upon with clients. In some instances, when urgent hotfixes are published by a software provider, these are applied as quickly as possible but scheduled for out-of-hours to avoid impact on critical processes.
• System requirements:
  • Licences for all required software
  • Anti-virus that complies with company policies

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We can provide 24/7 email support for clients using our follow the sun model.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Support levels are dependent on client requirements. We can provide support 24/7 using our "follow the sun" staffing model for clients that want 100% coverage for critical solutions. This would be supported by a technical lead who would oversee the cloud solution and ensure we meet those SLAs.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Full training by service provider information and documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • Other
• Other documentation formats: Open API
• End-of-contract data extraction: Data is typically supplied to the user's chosen platform, for example, secure S3. Data deletion processes and documentation have already been established and are provided post-transfer. Data extraction will typically be performed by Merkle as a one-off extract.
• End-of-contract process: As per the statement above, the data deletion processes and documentation have already been established and will be provided after the transfer. The data extract will typically be performed by Merkle as a one-off extract. All costs are included in the contract. Any additional functionality not described in the contract would incur additional time and materials (T&M) costs.

Using the service

• Web browser interface: Yes
• Using the web interface: There is no limitation on services that can be used using the web interface. The preference is for any configuration to be via pipelines and automation. The front end is provided as is by cloud providers.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Provided as-is by cloud providers.
• Web interface accessibility testing: Provided as-is by cloud providers.
• API: Yes
• What users can and can't do using the API: There is no limitation on services that can be used using the API. The preference is for any configuration to be via pipelines and automation. API provided as is by cloud providers.
• API automation tools:
  • Terraform
  • Puppet
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
  • Other
• Using the command line interface: No limitation on services that can be used using the command line, for example, Powershell for Azure. The preference is for any configuration to be via pipelines and automation. Command line as provided as is by cloud providers.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: As provided by the service provider and will be subject to the limitations of the service provider, who is constantly reviewing the scaling capacity.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: We partner with Microsoft Azure, AWS, and Google Cloud.

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Full backup and recovery service provided for DR functionality.
  • Files
  • Virtual machines
  • Data
  • Configuration
• Backup controls: Full backup control as provided by cloud provider.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Private Network VPC Peering
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The service levels agreed will depend on the solution we have devloped for the client. We have previously agreed 99.9% availability 24/7 (outside of mandatory pre-agreed IT patching) with service credits as a percentage of the monthly fee for missing this for clients that need global availability. This depends on the overall solution design and how we can switch over to a mirrored back up solution when necessary.
• Approach to resilience: The cloud services we deploy support resiliency using:; Regions and Availability Zones: When provisioning a service, it can be split across regions and availability zones within a region. An individual region has separate availability zones to avoid hardware issues by having separate power, cooling, and networking. This can be extended to regional replication, which provides greater fault tolerance but comes with higher latency and cost.; Failover & Fault Tolerance: Resiliency can be provided for compute with failover nodes. In this instance, we mirror applications and data so that if a component becomes unavailable, another slave component takes its place.; Load balancing: One of the more common issues that necessitate resiliency is load and performance management. In order to address this, we use elastic compute and storage, implementing PaaS solutions to allow scaling. As part of delivery, we also include performance testing as an optional component.; Backups: Geo-replicated backups are used to allow system restoration. It is also critical to ensure that backups are fit for purpose and can restore the entire system.; Each layer of resiliency carries risks and therefore adds costs. It is essential to ensure that the requirements match the business needs.
• Outage reporting: The solution will be designed to report outages automatically to all users. This will be configrured based on client needs, and in the past we have built email alerts that go to users to inform them and subsequently keep users up to date with the service being reinstated. We have also integrated this solution with APIs to link to client dashboards and SMS providers.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: All users are given a unique username and password that are, at a minimum, at the same level as the organisation's security policy. Where required, we also implement two-factor authentication.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: DNV
• ISO/IEC 27001 accreditation date: 28/04/2024
• What the ISO/IEC 27001 doesn’t cover: There are no scope exclusions on the certificate, however the only control not on the scope is the outsourcing of development as everything is built in house.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Online Enterprises, dba Online Business Systems
• PCI DSS accreditation date: 20/11/2023
• What the PCI DSS doesn’t cover: 2.1.1 – Not Applicable - There are no wireless environments in scope for assessment; 2.6 – Not Applicable – Dentsu is not a shared hosting provider; 3.6 – Not Applicable - Dentsu does not share keys with its customers; 4.1.1 – Not Applicable - There are no wireless technologies in scope for assessment; 6.4.6 – Not Applicable – No significant change occurred within the past 12 months; 8.1.5 - There are no vendors providing remote management services to Dentsu; 8.5.1 - Dentsu does not have remote access to its customers’ premises
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Dentsu maintains a group-wide Security Policy, aligned to ISO27001 framework, that is approved, published, and reviewed by senior management. The purpose of our policy is to provide a framework, based on industry standards and best practice, for assessing security risk and deploying appropriate security measures. Dentsu expectations, requirements, and control objectives are defined in this policy and helps ensure Dentsu meets these. The scope of our Security Policy encompasses all Technology (IT) assets, data, and services that are owned, controlled, or used to conduct Dentsu business.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our service platforms fall under a standard set of IT protocols we operate under inclusive of a formal, documented change management process to assess any system level changes for both security and performance impacts.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Merkle Security maintains a threat intelligence function. On a daily basis, the Cyber Security Team reviews the threat landscape and manages security tools that protect our estate. They monitor intel and vulnerability data from multiple sources, including vendors, public domains, national organizations, and managed security service providers (MSSP).
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Merkle consolidates and assesses significant system events using a managed security information and event management (SIEM) solution. The system is tuned to provide event correlation across multiple system layers and provide alerts when unexpected activities are detected.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Merkle has established procedures for managing security incidents (including data breaches) using a structured framework that is aligned to the National Institute of Standards & Technology (NIST 800-61).The Security and Data Incident Management Policy establishes notification targets associated with incident severity. As a general rule, any affected client or external party will be notified without undue delay, and where feasible, not later than 72 hours.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: KVM hypervisor
• How shared infrastructure is kept separate: All clients will have dedicated hosting environments and will never share the same infrastructure to ensure there is no risk of GDPR non-alignment.

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Accelerating climate change and natural resource constraints, digital transformation and the continued rise of inequality are transforming the environment in which we live and work. By using the power of digital communications and marketing, we can address inequality, create opportunities and uncover solutions to society’s greatest challenges. We do this through our work with stakeholders and by sharing our knowledge and talent with the communities in which we operate. Our aim is to drive the delivery of the UN Sustainable Development Goals and to deliver social impact across the globe.; Dentsu’s Environmental Policy requires that suppliers comply with applicable environmental legislation, identify and manage environmental impacts to achieve best in class environmental performance, and ensure staff are aware of the environmental impacts of their work activities.; We have an Environmental strategy centered around three pillars: Sustainable World, Fair and Open Society and Digital for Good. These represent areas where dentsu’s uniquely positioned to drive change, leveraging our capability in data and technology, creativity and innovation. Our strategy is fuelled by our people, and success will depend on multi-stakeholder collaboration as well as innovating our own operating model. Our Social Impact Report reflects on the progress made against our 2020 targets and goals, and also sets out the biggest opportunities for growth from good as we look at the next ten years and pivot our focus to our new 2030 strategy.; We know that for business growth to be truly sustainable, we must accelerate the transition to a low carbon future, and therefore we have committed to becoming a Net Zero emissions business by 2030. The radical decarbonisation of our business and value chain is only the first step – by raising awareness through our powerful work, we have also committed to helping 1 billion people make better, more sustainable choices.

  Equal opportunity

  Diversity, Equity and Inclusion (DEI) is firmly embedded in our company vision. Our global DEI principles outline our unwavering commitment to a diverse workforce that represents wider society and fostering inclusion and has been defined as a key competency for our employees in our behavioural framework. We want to foster an environment of growth, where ideas and contributions are actively encouraged. We need this culture of courage to continue to thrive in our fast-paced industry.; Our people have created our seven DEI pillars (Gender, Ethnicity, Mental Health, Religion, Parent and Carer, Disability and LGBTQ+). Each group is made up of individuals from Merkle and each programme is sponsored by a member of the Merkle Executive Team. We are proud to have been recognised as industry leaders by the likes of Microsoft who named us the winner of Global Inclusive Marketing and Culture Partner Award in 2020.; We believe everyone has the right to feel included in their place of work, and able to be their authentic selves. We know that diversity and inclusion in the workplace – that is, diversity of thought, background and experience – is what drives creativity and innovation, which in turn lets us produce truly great work. Our goal is to make Merkle an inclusive, equitable workplace that is representative of the markets in which we operate, and where our differences are celebrated. We seek to educate and empower our colleagues and effect positive change within the wider industry – because the benefits of diversity in the workforce are too strong to ignore.

  Wellbeing

  Mental health has never been spoken about more candidly or frequently. Taboo still surrounds the topic, however, and many people feel unable or unwilling to talk about struggles with mental health in any setting, let alone a professional one. Work is a place where you spend a huge proportion of your week, and we believe it shouldn’t be somewhere that mental wellbeing is forgotten or put away in a box to be dealt with at another time. In fact, we believe quite the opposite. We seek to make Merkle a workplace with a formal support network for those struggling with, or affected by, mental health conditions, plus provide easy access to work mental health resources whenever they’re needed. By actively encouraging our senior leadership to speak openly about how mental health issues have affected them or those they love, we have seen an uptake in use of resources like our mental health first aiders. We raise awareness and educate the Merkle community on all conditions and their potential circumstances and aim to become a leading voice for change within corporate policy.; Dentsu has committed to three key areas of focus: flexibility and time off, upskilling and empowering managers, and support for home schoolers. All employees can access an array of support tools, including counselling, mental health first aiders, mindfulness platforms (inc. Headspace), three wellness days per year and a sickness policy that includes mental health leave.

Pricing

• Price: £850 to £1,950 a unit a day
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  ODT

• Skills Framework for the Information Age rate card

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.spencer@merkle.com. Tell them what format you need. It will help if you say what assistive technology you use.