Bright Cyber (Voodoo technology LTD)

NowVertical Privacy

Privacy is an information governance solution that helps organisations manage and govern on-premises, multi-cloud, and software-as-a-service (SaaS) data. Easily creating a holistic, up-to-date view of their data with automated data categorization and data classification. Enabling data owners and stewards to easily identify and protect the data that matters most.

Features

• Unstructured data catalogue & inventory at scale
• Automated PII Data Identification
• Privacy & Risk Data Dashboards
• Workflow Policy Management
• Real-time data search (multi-faceted)
• Data visualization
• Data Subject Search
• Data Classification (metadata insertion)

Benefits

• IDENTIFY AND PRIORITISE THE MANAGEMENT OF DATA MOST AT-RISK
• REMEDIATE ACL’S TO SECURE DATA TO LEAST PRIVILEGE ACCESS MODEL
• IDENTIFY AND ELIMINATE STALE/REDUNDANT DATA TO REDUCE RISK
• SATISFY AUDITING AND COMPLIANCE REQUIREMENTS AND SUSTAIN SECURE OPERATIONS
• ENFORCE DISPOSITION, QUARANTINING, AND DATA RETENTION POLICY’S
• REDUCE COSTS OF INFORMATION GOVERNANCE
• IMPROVED CONTROL AND EFFICIENCY OF DATA
• DEMONSTRATE REGULATORY COMPLIANCE
• MULTI-FRAMEWORK CONTROL (PCI-DSS, NIST, PRIVACY, ISO27001, ISO27701)
• MAKES DATA PROTECTION MANAGEMENT MORE EFFICIENT

£1,000 a terabyte

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at murray.pearce@bright-cyber.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

432906939724989

Contact

Murray Pearce
07788 560 801
murray.pearce@bright-cyber.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: We are an add-on to the customer IaaS or PaaS, or can be run as a stand-alone solution.
• Cloud deployment model:
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None
• System requirements:
  • Supported hypervisor or physical servers or supported cloud provider
  • Sufficient CPU, Memory and Disk for size of data scanned

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times are between 1-8 hours depending on the severity of the support
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The customer success team is available to assist any licensed customer with their requirements. An additional fee can be paid during the contract for consultation days, this can range from a few days a year to a completely managed service.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Through our customer success team and training
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Export CSV or database dump
• End-of-contract process: We will agree an exit plan agreed with the client, including return of any software to DocAuthority (NowVertical) plus any additional services (if required) to transfer, export, or otherwise secure client data they wish to retain or remove.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Other than different applications that are used for each OS the features are the same regardless of the device
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Run searches, return results, basic adminitration of accounts.
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: They can configure the service; They customise via the configuration interface; The service contain roles based access for users and their configuration options

Scaling

• Independence of resources: We use an establish sizing process to compute resources required for the system based on data size and user count

Analytics

• Service usage metrics: Yes
• Metrics types: We track and make available a rich level of metrics, both internal metrics of platform performance, and user-facing metrics such as how frequently users are logging on/accessing the service.
• Reporting types:
  • API access
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: NowVertical (previously DocAuthority)

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: AES256 hashing of data
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users can export data via CSV
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection between networks: Connections to end-user repositories are via secure connection to data repositories (for example - Windows File Shares connections use SMB3); ; Customers also have an option to install within their own virtual network, keeping everything in the user's network. All data is transformed into a hash before storing in our system
• Data protection within supplier network:
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: Hashing of data

Availability and resilience

• Guaranteed availability: SLA's are agreed with the customer on a case-by-case basis and based on scoping their service requirements.
• Approach to resilience: Multi-system, multi-node, enterprise architecture, and system dashboard that informs users of the health of all components of the system. Further information is available on request.
• Outage reporting: Planned or other outages are reported to any affected users via email.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Users are authenticated using SSO. Users AD accounts are mapped to Operational accounts in the platform, for example "viewer"
• Access restrictions in management interfaces and support channels: RBAC
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Dedicated link (for example VPN)
  • Other
• Description of management access authentication: RBAC

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: NowVertical is ISO 27001 certified but this service is currently not included in the statement of applicability. However, the Privacy service is compliant with ISO 27001.; ; Bright Cyber are compliant, not certified, with ISO27001
• Information security policies and processes: ISO 27001.; ; Strategic alignment is reviewed by senior management. All business functions are controlled through defined objectives, policies, the delegation of authority, monitoring, and implementation of appropriate security controls in line with our ISO certification.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our configuration and change management follows a typical software lifecycle - component change is tracked through an internal ticketing system and passes Quality Assurance (QA) checks and tests (including assessing any potential security impact) before being deployed as an update to any system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Regular pen-testing via an accredited external firm. Internal monitoring of OWASP vulnerability lists and internal QA testing. Security patches are quickly deployed.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Users will define the controls for managing their instances as applicable. NowVertical processes include software testing, Q&A, ISO 27001 including risk process for IR.
• Incident management type: Supplier-defined controls
• Incident management approach: ISO 27001 Incident Response process including CAPAR

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  NowVertical information is available on request.; ; - Bright Cyber's corporate infrastructure is cloud-first with a range of leading cloud services from the likes of Microsoft, AWS, and other tier-one providers with mature data centres that include environmental and sustainability. ; ; Furthermore, we reduce our carbon footprint through the following policies:; ; - Disposing of IT and assets using WEEE compliant and ISO 14001:2105 certified providers. ; - Meetings related to the service delivery are conducted remotely wherever possible ; - Business travel is conducted by public transport wherever possible ; - Service documentation is electronic to reduce printing waste
• Covid-19 recovery:

  Covid-19 recovery

  NowVertical information is available on request.; ; Bright Cyber is concerned with the well-being of our employees, clients, and suppliers. During the delivery of this service, Bright Cyber will accommodate appropriate and reasonable changes and take steps to support customers that are impacted by COVID-19, on a case-by-case and specific needs basis e.g. rescheduling consulting days without financial penalties. ; ; The Privacy service we are offering is resilient to continue operating during the COVID-19 pandemic, with no single point of failure from an employee or systems perspective, and with remote systems for meeting delivery obligations.
• Tackling economic inequality:

  Tackling economic inequality

  NowVertical information is available on request. ; ; Bright Cyber expect to create 11 new employment opportunities this year, and our policy is to hire for development potential rather than existing experience or certifications, and this opens the door to prospective employees from a wide range of backgrounds including those from disadvantaged and minority groups that might otherwise not be considered. ; ; Bright Cyber offers employees personal mentoring and training appropriate to their position, drawing on internal skills and leveraging a vast array of training programs that are available through our supplier network e.g. online academy with certification credits.; ; We also have a community initiative to support Security Leaders. This is a program called Positive Intelligence for Security Leaders, coached by an experienced executive coach with material that is contextualized to enable board skills, stakeholder relationships, personal and team performance, well-being, and positive culture with relevance for security leadership. Details of this program are available on our website or on request.
• Equal opportunity:

  Equal opportunity

  1. NOWVertical UK Ltd (the Employer) is committed to equal opportunities for all staff and applicants.; 2. It is our policy that all employment decisions are based on merit and the legitimate business needs of the organisation. The Employer does not discriminate on the basis of race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, marital or civil partner status, pregnancy or maternity, disability, religion or belief, age or any other ground on which it is or becomes unlawful to discriminate under the laws of England and Wales (referred to as Protected Characteristics).; 3. Our intention is to enable all our staff to work in an environment which allows them to fulfill their potential without fear of discrimination, harassment or victimisation. The Employer's commitment to equal opportunities extends to all aspects of the working relationship including:; • recruitment and selection procedures;; • terms of employment, pay, conditions and benefits;; • training, appraisals, career development and promotion;; • work practices, conduct, allocation of tasks, discipline and grievances;; • work-related social events; • termination of employment and matters after termination, including references.; 4. This policy is intended to help the Employer achieve its diversity and anti-discrimination aims by clarifying the responsibilities and duties of all staff in respect of equal opportunities and discrimination. The Employer will promote effective communication and consultation between the Employer and staff concerning equal opportunities by means it considers appropriate. ; 5. The principles of non-discrimination and equal opportunities also apply to the way in which staff treat visitors, clients, customers, suppliers and former staff members.; 6. This is a statement of policy only and does not form part of your contract of employment. This policy may be amended at any time by the Employer, in its absolute discretion.; ; Bright Cyber inforamtion avaialble on request
• Wellbeing:

  Wellbeing

  NowVertical information is available on request.; ; Bright Cyber places high value on employee well-being because we recognize that well-being is a fundamental pillar in building a high-performing, resilient and sustainable team and positive company culture and these are strategic imperatives for our success.; ; To enable employee well-being and development, we offer all employees an opportunity to participate in a program called Positive Intelligence www.positive-intelligence.com which is a world-leading coaching program for enabling well-being, relationships, and performance.; ; Furthermore, we enhance our customer well-being by offering Positive Intelligence to selected customers as a free program.; ; We do this because we have observed that the resilience of people is an often-overlooked factor in cyber resilience, which is our business focus, and that security leaders and teams experience high levels of stress and burnout.; ; Our program is called Positive Intelligence for Security Leaders, it is coached by an experienced executive coach with material that has been contextualized to enable board and stakeholder relationships, personal and team performance, well-being, and positive culture with relevance for security leadership. ; ; Details of this program are available on our website or on request.

Pricing

• Price: £1,000 a terabyte
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Limited time proof of value based on an identified scope of requirements.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at murray.pearce@bright-cyber.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.