Grove Information Systems

Google Workspace

Google Workspace is a professional office suite of collaborative productivity apps. Easily work on email, calendars, documents, spreadsheets, and slides across your devices, with or without the internet. Keep all your work in one place with secure access from your computer, phone, or tablet.

Features

• Inbound and outbound email security
• Real-time collaboration
• Vault for records management - eDiscovery and archiving
• Advanced enterprise controls and customization
• Unlimited storage
• Data regions
• Analyze Gmail logs in BigQuery
• Build no-code apps with AppSheet

Benefits

• Make decisions faster, face to face
• Collaborate in real-time
• Store and share files in the cloud
• Secure your data and devices
• Easy to connect, create, access and control
• Enhanced 24/7 Live support
• Detect sensitive data in Gmail/Drive and prevent sharing

£55.20 a user

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

541685150553807

Contact

Philip Witheridge
+44 207 493 6741
pwitheridge@groveis.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Refer to Service Definition document and Terms & Conditions for the applicable service.
• System requirements: Internet

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: No, response times are 24/7
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: P1; - Critical business impact or critical loss of service; - The issue must be logged via telephone; A resolution of a next-steps action plan will be relayed within four hours for all support cases received from customers during each annual support period.; ; P2; - Major or partial loss of service, where a work-around does not exist; - Issue must be logged via telephone or the support portal; A resolution or an initial next-steps action plan will be relayed within five hours, provided the customer provides all requested information in a timely manner.; ; P3; - Questions, how-to queries or minor service impact; - The issue must be logged via telephone or the support portal; - A resolution plan will be relayed within eight hours, provided the customer provides all requested information in a timely manner.; ; P4; - Documentation and enhancement requests; - Issue must be logged via telephone or the support portal; A resolution plan will be relayed within 24 hours, provided the customer provides all requested information in a timely* manner.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide the users with a demo, online training, change management and support.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Can provide tools to help extract the data - see link: https://support.google.com/a/answer/100458?hl=en#all
• End-of-contract process: For information about ending contract/offboarding, see link: https://support.google.com/a/answer/1257646#direct_step2_cancel_subscriptions

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Native applications for Android and iOS which are designed with those user interface frameworks in mind have been written
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: With the Admin Console you can easily add users, manage devices, configure security and settings so your data stays safe.
• Accessibility standards: None or don’t know
• Description of accessibility: See link: https://support.google.com
• Accessibility testing: ASK JK!
• API: Yes
• What users can and can't do using the API: The scope of capabilities exposed via API to GSuite/Cloud Identity/Drive/Cloud Search Platform users is very broad and encompasses most major use cases. API's are can be found here: https://developers.google.com/
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: "With Apps Script, you can create Add-ons for Google Docs, Macros, menus, and custom functions as well as managing responses for Google Forms"

Scaling

• Independence of resources: Google Workspace provides scalable and elastic cloud services.

Analytics

• Service usage metrics: Yes
• Metrics types: Sfgffdgdfgf
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Google Workspace

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: See link: https://support.google.com/accounts/answer/3024190?hl=en
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • DOCX
  • XLSX
  • PPTX
  • PDF
• Data import formats:
  • CSV
  • ODF
  • Other
• Other data import formats:
  • DOCX
  • XLSX
  • PPTX
  • PDF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: During the Term of the applicable G Suite Agreement (or prior versions of the agreement governing the use of G Suite) (the "Agreement"), the (i) G Suite Covered Services web interface will be operational and available to Customer at least 99.9% of the time in any calendar month; and (ii) Google Voice will be operational within 2 business days of Customer's acceptance of the Voice Service Specific Terms via the Admin Console (the "G Suite SLA"). If Google does not meet the G Suite SLA, and if Customer meets its obligations under this G Suite SLA, Customer will be eligible to receive the Service Credits described below. This G Suite SLA states Customer's sole and exclusive remedy for any failure by Google to meet the G Suite SLA.
• Approach to resilience: All data is redundantly stored across a minimum of 3 data centers, and all services are designed to leverage the redundant data center infrastructure powering Google services.
• Outage reporting: See following link: https://www.google.com/appsstatus#hl=en-GB&v=status

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: "A built-in Password Monitor is visible to the end user upon password; creation and to the System Administrators of the tenant whom can decide to force a password change on any user that is later detected to have a password that is weak. Google's native authentication has; protections in place that would detect a brute force attack and challenge the user to solve a Captcha and would auto lock the account if suspicious activity is detected. The tenant's System Administrators can; reset that account for the end user."
• Access restrictions in management interfaces and support channels: "G Suite provides administrative features made available to Customer within the Admin Console for the management of Google-hosted accounts, mobile devices, and application within the Customer’s domain. Advanced security and control features may be subject to an additional charge; ; Support services are only provided to authorized customer administrators whose identities have been verified in several ways. Googler access is monitored and audited by our dedicated security, privacy, and internal audit teams.; ; https://cloud.google.com/iam/; https://cloud.google.com/security/overview/whitepaper#administrative_access; https://cloud.google.com/files/Google-Cloud-CSA-CAIQ-January2017-CSA-CAIQ-v3.0.1.pdf"
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: Google's native authentication requires a minimum 8 character complex password. Tenants can set the; maximum or increase the minimum. A Password Monitor is visible to the end user upon password; creation and to the System Administrators of the tenant. Google's native authentication has; protections in place that would detect a brute force attack and challenge the user if suspicious activity is detected. System Administrators can reset that account for the end user.; Google provides the capability for domain administrators to enforce Google's 2-step verification. The 2nd; factor could be a code generated via several supported mechanisms.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: EY CertifyPoint
• ISO/IEC 27001 accreditation date: 17/04/2020
• What the ISO/IEC 27001 doesn’t cover: See certificate for full list of products covered, anything not listed is not covered. See the certificate link: https://services.google.com/fh/files/misc/gcp_iso27001_spring_2020.pdf
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 28/05/2020
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: The supported list of services is available at https://cloud.google.com/security/compliance/csa-star/
• PCI certification: Yes
• Who accredited the PCI DSS certification: Google Cloud's QSA is Coalfire
• PCI DSS accreditation date: May 2020
• What the PCI DSS doesn’t cover: The supported list of services is available at https://cloud.google.com/security/compliance/pci-dss/
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Full list available at https://cloud.google.com/security/compliance/#/

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
• Information security policies and processes: "Google's cloud services are designed to deliver better security than many traditional on-premises solutions. Google makes security, and protection of data it's primary design criteria, which is the cornerstone of it's overall security governance and compliance audits. Google’s third party audit approach is designed to be comprehensive to provide assurances of Google’s information security capabilities. Customers may use these third party audits to assess how Google’s products can meet their compliance and data-processing needs.; https://cloud.google.com/security/overview/whitepaper; https://cloud.google.com/security/compliance"

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: In Google production environments, software updates are manually vetted to ensure the stability of the system. Changes are then tested and cautiously rolled out to systems. The details vary somewhat depending on the service being considered, but all development work is separated from the operation systems, testing occurs in a multi-staged fashion in both environments and in dedicated test settings. We can share, under NDA, the SOC2 audit report (based on standards from the International Auditing and Assurance Standards Board), which describes the change management process. Additionally, changes to code go through a process of code review involving additional engineer(s).
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: "Google administrates a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive-automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks and follows up frequently until remediated. Google also maintains relationships with members of the security research community to track issues in Google services and open-source tools.; ; https://cloud.google.com/security/overview/whitepaper#vulnerability_management"
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: "At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. A proprietary correlation system built on top of Google technology also supports this analysis. Network analysis is supplemented by examining system logs to identify unusual behavior, such as attempted access of customer data. Google security engineers place standing search alerts on public data repositories to look for security incidents that might affect the company’s infrastructure.; ; https://cloud.google.com/security/overview/whitepaper#monitoring"
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: "We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Google’s security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800–61). Key staff are trained in forensics and handling evidence in preparation for an event, including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas, such as systems that store sensitive customer information.; ; https://cloud.google.com/security/overview/whitepaper#incident_management"

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  The solutions and services we offer to G Cloud procurement organisations typically require new skill sets for which we provide employment and follow on mentorship training and growth opportunities.

Pricing

• Price: £55.20 a user
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 30 days; Non-obligatory; Access to the console; Service can be evaluated on various domains; Includes 24/7 support

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.