IOCO SOLUTIONS LIMITED

Data Protection

Data protection enables customers to securely protect their growing data volumes whilst meeting business and regulatory demands for data availability and recover-ability. The service is interoperable with all operating systems and platforms, and can handle recovery of critical data within individual databases, mailboxes, or cluster nodes.

Features

• Offsite backup and disaster recovery
• Securely transfers data over an SSL/TLS
• Automatic load balancing
• Built-in WAN Acceleration maintains data reduction ratios
• Resource allocations and expiration dates for each tenant
• Available if the primary backup or data center is lost
• Uses a single port to simplify firewall configuration

Benefits

• Recovery of data to on-site system or another location.
• Hosted backup repositories or complete backup services
• Cloud repositories are isolated
• Encrypted data streams

£0.06 to £2.10 a gigabyte a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.morey@ioco.tech. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

355388184929248

Contact

Mick Morey
0118 206 2938
michael.morey@ioco.tech

Service scope

• Service constraints: Unless expressly stated, the Customer shall be solely responsible for backing up all Content on the Cloud Servers.
• System requirements:
  • Support for Windows, Linux, OSX, VMware, Xen, Hyper-V
  • Microsoft 365
  • Google Workspace

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Severity 1 (Critical Service Incident) - Within 30 mins; ; Severity 2 (Critical Service Incident) - Within 1 hour; ; Severity 3 (Non-Critical Service Incident) - Within 4 business hours; ; Severity 4 (Minor Support Request) - Within 4 business hours
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide a service desk to log incidents and support requests. Calls are prioritised based on severity and assigned accordingly. 4 Levels of severity is classified. The service included 3 levels of support engineers based on skill level (i.e 1st , 2nd and 3 rd level support ) as well as a vendor escalation process.; We provide a client account manager and a cloud architect, as well as Service delivery manager where appropriate.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide initial configuration assistance, along with assisting with any issues with initial copy job configuration.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Upon termination or cancellation or expiry of the Agreement, the Parties will deliver to each other or, at each Party’s option, destroy all originals and copies of Confidential Information in their possession
• End-of-contract process: Setup and support are included in our service fees.

Using the service

• Web browser interface: Yes
• Using the web interface: Through the Web Management Portal, you can manage and monitor the entire data workflow, including backup, offsite storage, and recovery— anytime, anywhere. Organizations can create customized backup policies, check status, delegate responsibilities across the enterprise, and initiate restore operations whenever needed. Role-based access control allows you to define access levels for various user classes across the enterprise.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Through the Web Management Portal, you can manage and monitor the entire data workflow, including backup, offsite storage, and recovery— anytime, anywhere. Organizations can create customized backup policies, check status, delegate responsibilities across the enterprise, and initiate restore operations whenever needed. Role-based access control allows you to define access levels for various user classes across the enterprise.
• Web interface accessibility testing: NA
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Capacity management ensures capacity on storage and compute systems supporting this service, allowing the customer to grow without disruption to their service.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Disk
  • Network
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: LiveVault, Veeam, Avamar, Redstor, Acronis

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Files
  • System data
  • Workloads
  • Virtual Machines
  • Databases
• Backup controls: Scheduling, retention and deletion policies are configured on a per set basis. Backup sets may be per server or set at a more granular level for particular data sets.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: 99.5% Uptime Guarantee
• Approach to resilience: Network: Dual data fabric; Compute: Converged and hyper-converged infrastructure, Sufficient spare capacity, dual fabric connectivity, industry leading hypervisor; Storage: Dual fabric connectivity, dual storage controllers, multiple redundant clusters; Edge security: Clustered UTM appliances; WAN and WWW: Multiple redundant inter-site connections, Redundant multi-site internet connectivity
• Outage reporting: Automated Alerts through managed toolset. Email/text/voice alerts.

Identity and authentication

• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: All management networks are isolated from user and customer networks, with specific access rules and user-traceable accounts used throughout. Restricted and vetted named users are allowed administrative access to the application management areas.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • INFORMATION SECURITY MANAGEMENT SYSTEM ISO/IEC 27001:2013 for the Datacentre
  • PCI DSS Compliant Datacentres

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The change management processes follow ISO27001 A.12.1.2 controlled mechanism for making changes to operational environments.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The change management processes follow ISO27001 A.12.1.2 controlled mechanism for making changes to operational environments.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to multiple vendor provided vulnerability notification services. All vulnerabilities are reviewed and applicable patches are administered through the change control process . Mitigation measures will always be considered first, with critical patches targeted for resolution within 30 days.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Denial of Service is applied on all Internet links , with Intrusion detection\protection available to customers on request. All security events are logged\notified based on severity. Any attempted platform security compromises are dealt with 24/7 by security engineers. The responsibility remains with the customer to ensure detected intrusions are re-mediated where customers have control, permission, or access to modify their service. iOCO recommends that customers follow security best practices including, but not limited to: • Maintaining effective firewall rules • Limiting the communication ports to only the necessary, for conducting business • Locking down access
• Incident management type: Supplier-defined controls
• Incident management approach: The incident response process complies with industry standards for legally admissible chain-of-custody and forensic data collection management processes and controls. Response standards, procedures, and methods are implemented based on the severity level of an incident. Incident reports are produced as part of standard post incident process and provided to customers on request.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Each customer is provided with a dedicated, virtual UTM appliance that serves as the perimeter edge device for their environment, along with private, non-routed virtual LANs to host virtual machines.; ; In the case of CloudBackup services, each customer is supplied access to the backup management platform, and customer data is stored in separate encrypted vaults.

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  The Data Protection Solution empowers organizations to efficiently manage their protected data, ensuring that only essential information is safeguarded. By doing so, organizations not only enhance their data security but also contribute to the fight against climate change by reducing their data footprint.

Pricing

• Price: £0.06 to £2.10 a gigabyte a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: IOCO offers a full working environment for a limited scope of SaaS / IaaS as a trial.; ; The trail period is scoped for a 30 days.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.morey@ioco.tech. Tell them what format you need. It will help if you say what assistive technology you use.