Oyster Information Management Solutions Limited

OneTrust Privacy and Data Governance Software Suite

OneTrust Privacy and Data Governance Suite facilitates privacy and data governance automation helping organizations better understand their data across the business, meet regulatory requirements, and operationalize risk mitigation to provide transparency and choice to individuals. The suite consists of:
Privacy Management,
Data Discovery & Security,
Consent & Preferences,
Responsible AI.

Features

• PIA / DPIA Automation
• Data Mapping
• Privacy Rights Automation
• DSAR Redaction
• Enterprise Data Discovery
• Privacy Maturity & Benchmarking
• Privacy Incident Management
• Cookie Consent
• AI Governance

Benefits

• Enables organizations to consolidate information from internal and external stakeholders
• Creates a thorough map of IT assets, processing activities, vendors
• Eliminates most time-consuming components of privacy rights workflows.
• Automatically classify and redact necessary data
• Enables complete data visibility
• Enables organizations to better prepare for compliance
• Centrally manages incidents, automates tasks
• Uncover hidden cookies and trackers, configure branded banners
• Facilitates AI system management and risk reduction

£18,090 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at josef.elliott@oyster-ims.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

663223148347171

Contact

Josef Elliott
0207 199 0620
josef.elliott@oyster-ims.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: OneTrust is a cloud-native solution. It can be implemented on-premises if required but this will incur additional costs.
• System requirements: OneTrust is completely SaaS based and requires a browser only

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: OneTrust provides 24/7 support. Customers can use the support portal form on myOneTrust to submit support requests directly to the OneTrust Support team. The form includes fields for contact information, issue description, severity level, and any relevant attachments. Once submitted, the form data is automatically routed to the appropriate support team for processing. ; Oyster IMS provides additional support via their Solution Support service at additional cost.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: OneTrust provides our customers real-time SLA metrics through our status page found within the OneTrust Support Portal (https://my.onetrust.com ), which allows our customer base to see direct, on-demand access to real time SLA data
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Oyster IMS implementation services ensure that the OneTrust tool is used effectively. Our services deliver a return on investment and help to mitigate risk from the earliest possible opportunity.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Customer data is retained for the life of the contract with OneTrust unless deleted by the customer through the UI of the application.; ; In the event of contract termination, a copy of customer data is provided to the customer and all remaining data on OneTrust systems is deleted within thirty days of contract termination; Microsoft Azure follows NIST 800-88 data destruction policies.
• End-of-contract process: In the event of contract termination, a copy of customer data is provided to the customer and all remaining data on OneTrust systems is deleted within thirty days of contract termination; Microsoft Azure follows NIST 800-88 data destruction policies.; ; There is no additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: The OneTrust site is available via a URL
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: OneTrust have carried out this testing
• API: Yes
• What users can and can't do using the API: See OneTrust site
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Many elements of the OneTrust platform are customisable by administration users through a simple user interface.

Scaling

• Independence of resources: No resource pools are used.

Analytics

• Service usage metrics: Yes
• Metrics types: All support levels include Software Updates, remote support, unlimited support requests, and support requests and responses via telephone (onetrust.com/company/contact) or web (my.onetrust.com). Scheduled maintenance takes place between the hours of 10PM – 2AM local time based upon the location of the data centre and users will receive notification of scheduled maintenance 24 hours in advance via the support portal (provided such user has opted to receive notices from the support centre). See further information in our Support Level Document
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: OneTrust

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: OneTrust supports an export/import feature that allows external users (e.g. a vendor receiving an assessment) to download the related template into a practical excel format. This means that, in case of latency issues that impact the ability to operate directly online, this functionality would enable the recipient to complete the assessment offline and then subsequently upload results back into the platform
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: OneTrust guarantees a high availability of our overall platform through our SLA of 99.95% during any given calendar month. Tmc3 can attach OneTrust's SLA to the contract by purchasing Enterprise Licensing or Support. OneTrust's also offers a SLA for our Website Scanning and Cookie Compliance module of 100% during any given calendar month.
• Approach to resilience: Backups are stored at secondary Azure data centre, more details available on request.
• Outage reporting: Through an online support portal

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Other
• Other user authentication: MFA is used for access to all critical systems and infrastructure components.
• Access restrictions in management interfaces and support channels: MFA is used for access to all critical systems and infrastructure components.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Other
• Description of management access authentication: OneTrust is built on Roles-Based Access Controls with twelve pre-defined user role types and organizational hierarchy grouping functionalities to further support your business divisions and entities. OneTrust also supports custom permissions-based role types, and the ability to assign multiple roles and organizational levels to a single user. OneTrust also supports user authorization through SSO with SAML 2.0 and is compatible with cross-platform identity management through SCIM 2.0.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Coalfire Certification
• ISO/IEC 27001 accreditation date: 21/10/22
• What the ISO/IEC 27001 doesn’t cover: The scope of the Integrated Management System (IMS) is bounded by specified services for OneTrust Privacy, Security &; Governance. The IMS is comprised of components, network devices, and software, that are operating to make OneTrust Privacy,; Security & Governance Software available to customers within Microsoft Azure production accounts
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: OneTrust has completed a Type 2 SOC for Service Organizations (SOC 2 Type II) examination. The SOC 2 report was issued by an independent CPA firm, Coalfire Controls, LLC, and included an unqualified opinion that the design and implementation of the Company’s controls are appropriate relative to the Security, Availability and Confidentiality Trust Services Principle and Criteria.; The SOC 2 report provides assurance to OneTrust and its customers that the OneTrust has designed an effective system of security, availability, and confidentiality controls. OneTrust’s SOC 2 Type II Report also includes a mapping of security, availability, and confidentiality trust services criteria to ISO 27001:2013. OneTrust is happy to provide a copy of the SOC 2 Type II Report upon request under an NDA.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: OneTrust has a policy that establishes procedures on the proper management of IT production, including change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: OneTrust utilizes monthly vulnerability scanning for all environments, as well as source-code scanning/analysis and vulnerability-scanning on a per-release cadence. Microsoft Azure provides security review/patching services for our infrastructure, as well as critical security patches which are more proactively alerted and notified to OneTrust. For all released patches, OneTrust has daily reports from all systems listing critical patches and any identified vulnerabilities. In addition to these scheduled, re-occurring practices OneTrust employs ad-hoc, individual scans based on customer feedback, internal log assessment, or QA follow-up and confirmation of updates or hot-fixes. Penetration testing is conducted at least annually through an external third-party.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: OneTrust performs performance monitoring in-house using tools and our security and cloud ops teams.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: OneTrust has a policy that provides a framework for reporting incidents, events and weaknesses, defining responsibilities, response procedures and collection of evidence.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Oyster IMS is committed to support action to prevent climate change. Our Carbon Reduction Plan forms part of Oyster IMS’ actions towards Net Zero emissions, overseen by our Environmental, Social and Governance (ESG) Group. This Carbon Reduction Plan has been completed in accordance with PPN 06/21 and associated guidance and reporting standards for Carbon Reduction Plans.

  Covid-19 recovery

  Oyster IMS continued to service customers throughout the Covid-19 pandemic and has ensured that all activity has tried to have a positive effect on helping our customers recover as well. We have continued to provide 100% of our services on a hybrid basis but are increasingly moving back to more face-to-face meetings as and when this suits our clients.

  Tackling economic inequality

  To tackle inequality in employment, skills and pay at Oyster IMS we train our managers and all other employees about our equal opportunities policy to all employees that encourages equality, diversity, and inclusion. We carry out annual equal pay reviews with an aim to have a clear pay structure and ensure all employees are aware what they need to do if they want to take on higher-paid roles.

  Equal opportunity

  Oyster IMS is committed to encouraging equality, diversity, and inclusion among our workforce, and eliminating unlawful discrimination. The aim is for our workforce to be truly representative of all sections of our society, and for each employee to feel respected and able to give their best. We monitor the make-up of our workforce regarding information such as age, sex, ethnic background, sexual orientation, religion or belief, and disability as well as aiming to be an equal opportunities employer that reflects the expertise and diversity of our local community and ensure we source and attract a diverse pool of candidates.

  Wellbeing

  At Oyster IMS, we promote and develop work-life balance practices to ensure we maximise employment opportunities for all and continue to offer flexible working hours, home working opportunities, part-time opportunities to improve the range of opportunities we offer. We actively create a working environment free from bullying, harassment, victimisation, and unlawful discrimination, promoting dignity and respect for all and where individual differences and contributions of all employees are recognised and valued.

Pricing

• Price: £18,090 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 14 day trial

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at josef.elliott@oyster-ims.com. Tell them what format you need. It will help if you say what assistive technology you use.