zsah Limited

zsah Email Encryption Software as a Service

Zsah’s email encryption and secure webmail solution, enables organisations to keep their corporate data secure and compliant with data protection legislation. It works with the majority of corporate email solutions such as Exchange, Office365 and Gmail. It can be supplied either as a SaaS, managed or on-prem solution

Features

• Software as a Service (SaaS) based solution and pricing
• Can be provided on or off premise
• Fully hosted Solution available
• S/MIME Compliant
• PGP compliant
• PDF encryption included as part of standard solution
• Fully secure webmail
• Feature rich
• Easy to install
• Can integrate with EPKI solutions, EJBCA and most HSMs

Benefits

• Secure, personally identifiable information
• Secure personal health information
• Automatic certificate requests and renewals
• GDPR compliance
• Compliant with EIDAS
• Software as a Service (SaaS) solution / service
• Hosted service solution
• On premise solution can be provided if required
• Ensures full compliance with legislation on secure email
• Protects against fraud and loss of data

£60 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@zsah.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

360447553763142

Contact

Alex Lane
020 7060 6032
sales@zsah.net

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Hosted email, Data Loss Prevention, O365, PCI compliance
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: No constraints - can be used with or configured for any situation.
• System requirements:
  • All / any SMTP email
  • SaaS requires changes to MX records and smarthost connector settings
  • Variety of OS versions available for
  • Red Hat 8 support
  • Integrates with Globalsign Atlas PKI
  • Integrates with Mimecast

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Severity 1 incidents are responded to within 15 minutes during normal service hours in our standard contracts, but response times and service hours can be amended or customised as required.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: In progress
• Onsite support: Yes, at extra cost
• Support levels: Support is based on customer requirements and can be tailored as required. zsah IT engineers provide Level 1, 2, and 3 IT support. ; As part of the services and at no further cost to the customer, we provide IT support, hosting queries, service management handling and data backup plans. Tiered support comes as part of the package. Inclusive on-site support is negotiable depending on frequency. ; We have a team of highly skilled cloud support engineers that hold various vendor certifications including Microsoft, Cisco, VMware, Oracle, Sybase, Prince 2, Scrum.; We provide a dedicated technical account manager along with cloud support engineers and a support ticket system.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Based on client requirements, they will all have documentation on how to access services such as how to use online ticket support system. Others may require onsite or online training, which can be tailored and provided to suit.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Interface is through email, so there is no data to extract.
• End-of-contract process: As per process, once we receive notice from the customer, services are switched off. There is no additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No differences between the mobile and desktop service - all email can be encrypted, regardless of device with full functionality designed in across all platforms.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: A number of elements and attributes of the service can be customised, including logos, forced encryption from senders, forced encryption based on content of emails, DLP forced encryption, and forced encryption based on recipient.

Scaling

• Independence of resources: Through careful monitoring of the SaaS service. We have access to real-time stats and can increase the capacity requirements based on demand to meet agreed SLAs and performance metrics.

Analytics

• Service usage metrics: Yes
• Metrics types: Number of inbound and outbound emails. Number of emails sent using S/MIME, PGP, Encrypted PDF, Secure webmail. Number of spam emails blocked, number of emails containing viruses blocked
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Ciphermail.com piesecurity.com

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Not applicable - all data is through emails so there is no data to export.
• Data export formats: Other
• Other data export formats: Not applicable - data is in emails; no external data
• Data import formats: Other
• Other data import formats: N/A - data is through emails; no data upload required.

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Zsah guarantees 99.99% uptime and availability, 24 hours a day, 365 days per year. Service credits are for Priority 1 and 2 if the SLA is missed as per agreed contract.
• Approach to resilience: Through the use of multiple data centres separated by a minimum of 60 miles. Service is based on a redundant cluster configuration so is always on.; ; Our hosting services are delivered from highly resilient and secure Data Centre facilities located in London and Manchester. We own everything else outright from the racks to switches, servers and storage. Our "gridz" platform is an enterprise cloud platform that we can lift and put anywhere in the world. ; ; Resilience all depends on the clients requirements. Generally, there is redundant hardware such as servers, switches, clustering for hardware servers, automatic failover for VM's, High Availability, vMotion. Further details available on request.
• Outage reporting: Outages are reported to customers via dashboard, email, phone and twitter.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Only authorised users can access management interfaces and support channels using strong passwords via SSL. Access details are restricted and stored in an encrypted password application. Only authorised users have access to that application.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Exova BM Trada
• ISO/IEC 27001 accreditation date: 20/07/2016
• What the ISO/IEC 27001 doesn’t cover: Everything is covered in the ISO/IEC 27001 certification
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: UK Government Cyber Essentials
• Information security policies and processes: Zsah's security policies and processes are compliant with ISO/IEC 27001:2013. Information Security is the responsibility of the Managing Director and is implemented and reported on throughout the organisation in line with our Information Security Policy. Implementation and the Policy itself is formally reviewed at least once a year.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All components are configured as per clients requirements and are monitored regularly. If changes are required, the client requests a change via a Change Request. Once reviewed and approved by zsah change management, the changes are then implemented.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability and Penetration testing is an integral part of the service. Patches are deployed as soon as a threat is identified. We have signed up to various vendors and third party organisations who send out regular alerts. We also have a regular patching schedule every 2 months.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We ensure that your business and daily operations run smoothly, with full support from our support team as required. This means that we consistently monitor the network to ensure everything is running without any problems and should a problem arise then we can address it before users are affected.; ; Our monitoring is constant on a 24hr, 365 days a year basis. If issues arise, the zsah support team are contactable at any time to resolve problems on the system.
• Incident management type: Supplier-defined controls
• Incident management approach: Our incident management procedure which is aligned to ISO/IEC 27001: 2013. Pre-defined processes for common events depend on the type of event, whether it is an incident or not. Events that are classified as incidents include malware infections, excessive spam, information system failures, Denial of loss of service. ; ; Users report any incidents to the nominated zsah Information Security Management agent. Appropriate action is then taken quickly after discussion with the zsah service management team if and when required.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  N/a
• Covid-19 recovery:

  Covid-19 recovery

  N/a
• Tackling economic inequality:

  Tackling economic inequality

  N/a
• Equal opportunity:

  Equal opportunity

  N/a
• Wellbeing:

  Wellbeing

  N/a

Pricing

• Price: £60 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: SaaS or on-prem

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@zsah.net. Tell them what format you need. It will help if you say what assistive technology you use.