S3 Ltd

Drata Automated Governance, Risk & Compliance Platform

Drata is a security/compliance automation platform that continuously
monitors and collects evidence of your security controls, while
streamlining workflows to ensure audit-readiness. It’s an all in one GRC
platform, integrating with all your SaaS services to bring compliance
status of all your people, devices, assets, and vendors into one
place.

Features

• Automates evidence collection: live, local support, including certified auditors
• Manages 20+ Prebuilt Frameworks simultaneously. plus Custom Frameworks
• SOC2Type 2, SOC1Type 2, SOC3, ISO27001/ISO27701, M365SSPA, GDPR, HIPAA/NIST/PCIDSS
• Library of built-in controls & standard framework requirements
• Automated Compliance Monitoring of Personnel
• 140+ integrations https://drata.com/platform/integrations
• Audit Hub, Risk Management, Policy Centre, Access Reviews
• Remote first, cloud native, Zero Trust Principles
• Vendor Management Directory AddOn
• TrustCentreAddOn: Display security reports: VM assessments/pentests/certifications /policies etc

Benefits

• Automated compliance & risk, saving you time, and money
• Simplify audit process: leave time to focus on other priorities
• Continuous complete view of compliance status
• Streamline acceptance of policies, security training, hardware tracking, background checks…..
• Send auto-reminders to personnel out of compliance
• Continuously monitor controls and see security in real time
• Continuous Compliance & Cut audit times by 50%
• Up to date frameworks
• Helps you prioritise issues that need to be addressed
• Know exactly how secure/ready you are for your next audit

£6,300 a licence

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.mason@s3-uk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

383665281102699

Contact

Tony Mason
01628 362784
tony.mason@s3-uk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Drata leverages AWS infrastructure and provides customers a choice; of US or EMEA cells. No constraints.
• System requirements:
  • High-speed Internet connection is required for proper transmission of Service.
  • Customer is responsible for procuring/maintaining network connections that connect Customer

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our customers are designated a team of CSM's guiding you through the process. They are available by email and phone during business; hours. We also have support through the platform. There is a European HQ in London with a separate Customer Success Team there.; Support. Drata will, at no additional charge, provide support via chat and ticket on Mondays through Fridays (24 hours per day), excluding federal public holidays in the United States and other Drata announced support holidays. If purchased by Customer, Drata will provide upgraded support or support that includes service level agreements.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Our customers are designated a team of CSM's guiding you through the process. They are available by email and phone during business; hours. We also have support through the platform. There is a European HQ in London with a separate Customer Success Team there.; Support. Drata will, at no additional charge, provide support via chat and ticket on Mondays through Fridays (24 hours per day), excluding federal public holidays in the United States and other Drata announced support holidays. If purchased by Customer, Drata will provide upgraded support or support that includes service level agreements.
• Web chat accessibility testing: Drata will, at no additional charge, provide support via chat and; ticket on Mondays through Fridays (24 hours per day), excluding federal public holidays in the United States and other Drata announced support holidays. If purchased by Customer, Drata will provide upgraded support or support that includes service level agreements.
• Onsite support: Yes, at extra cost
• Support levels: SLAs are defined in the Terms and Conditions. https://drata.com/terms; Our customers are designated a team of CSM's guiding you through the; process, those folks are available by email and phone during business; hours. We also have support through the platform. There is a European; HQ in London with a separate Customer Success Team there.; Support. Drata will, at no additional charge, provide support via chat and; ticket on Mondays through Fridays (24 hours per day), excluding federal; public holidays in the United States and other Drata announced support; holidays. If purchased by Customer, Drata will provide upgraded support orsupport that includes service level agreements.; Online Ticketing: 24 hours a day Monday - Friday; Web Chat: 24 hours a day Monday - Friday
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers purchasing Drata can benefit from:; Our customers are designated a team of Customer Success Managers guiding you through the process, those folks are available by email and phone during business hours. We also have a support through the platform
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Yes, Export of Customer Data. Upon Customer’s written request and in; accordance with Drata’s Customer Data Deletion and Retention Policy; found in Drata’s Trust Center, Drata will make Customer Data available; to Customer for export or download as provided in the Documentation; for thirty (30) days after the effective date of termination, expiration or; migration of the Account, except for Customer Data which (i) has been; deleted in accordance with the Documentation; (ii) was created and/or; used in violation of this Agreement; or (iii) which, if made available,; would violate applicable law. End-of-contract process
• End-of-contract process: Yes, Export of Customer Data. Upon Customer’s written request and in; accordance with Drata’s Customer Data Deletion and Retention Policy; found in Drata’s Trust Center, Drata will make Customer Data available; to Customer for export or download as provided in the Documentation; for thirty (30) days after the effective date of termination, expiration or; migration of the Account, except for Customer Data which (i) has been; deleted in accordance with the Documentation; (ii) was created and/or; used in violation of this Agreement; or (iii) which, if made available,; would violate applicable law. End-of-contract process

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Drata’s Open API will put you in the driver’s seat by enabling integrations to the endpoints you use. It will allow you to connect any solution—like security training solutions, background check providers, MDM systems, and more—and bring in necessary evidence you’ve been storing separately. Use our endpoints to expand past your compliance and audit needs. With Drata’s Open API, you have a comprehensive set of tools to manage your; security posture, operationalize your risk management program, and fully integrate any other risk solutions. Drata’s Open API gives you granular access control and the power to build a solution that fits your needs. Scope read and write permissions for every API key granularly, on a per-endpoint basis, and revoke access as you see; fit.; Any call that makes a change in your Drata App will be tracked as a; separate event and entity—ensuring a complete audit trail and helping you maintain compliance.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Drata’s Open API gives you granular access control and the power to build a solution that fits your needs. Scope read and write permissions for every API key granularly, on a per-endpoint basis, and revoke access as you see fit. Any call that makes a change in your Drata App will be tracked as a separate event and entity—ensuring a complete audit trail and helping you maintain compliance

Scaling

• Independence of resources: Refer to terms of service. Drata also publishes the availability of; service - https://dratastatus.com/; ; High availability with replication across to geo-graphical data centres

Analytics

• Service usage metrics: Yes
• Metrics types: These are available via https://dratastatus.com; Real time report of the operating effectiveness of your security controls. Auditor Access Controls: determine what evidence your auditor has access to, whether it’s for a specific audit or framework.
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Drata

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Encrypted CSV or PDF formats
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Refer to terms of service. Drata also publishes the availability of; service - https://dratastatus.com/
• Approach to resilience: High availability with replication across to geo-graphical data centres
• Outage reporting: Publically available here https://dratastatus.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Okta phishing resistant MFA
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: https://trust.drata.com/
• ISO/IEC 27001 accreditation date: https://trust.drata.com/
• What the ISO/IEC 27001 doesn’t cover: https://trust.drata.com/
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • HIPAA
  • NIST 800-171
  • SOC1 Type 2
  • SOC2
  • GDPR
  • https://trust.drata.com/

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC 1; SOC 2; NIST; HIPPA; ; https://trust.drata.com/
• Information security policies and processes: ISO/IEC 27001; SOC 1; SOC 2; NIST; HIPPA; ; - https://trust.drata.com/

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: https://trust.drata.com/
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: https://trust.drata.com/
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: https://trust.drata.com/
• Incident management type: Supplier-defined controls
• Incident management approach: https://trust.drata.com/

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Tackling economic inequality

  Drata invest in not-for-profit to help communities less fortunate than our own

  Equal opportunity

  Drata are proud to follow best practice when it comes to equal; opportunities

  Wellbeing

  Check out these pages on Drata's website:; https://drata.com/blog/drata-receives-first-pair-workplace-accolades#heading-investing-in-genuine-connection; ; https://drata.com/about/careers; https://drata.com/press

Pricing

• Price: £6,300 a licence
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Free trials are available. Contact Security Software Solutions Ltd sales@s3-uk.com
• Link to free trial: Sales@s3-uk.com

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.mason@s3-uk.com. Tell them what format you need. It will help if you say what assistive technology you use.