ADAPTIVE COMMUNICATION SOLUTIONS LTD

Datto SaaS Defence for MS365

Datto SaaS Defense is a comprehensive threat protection solution for Microsoft 365 applications. SaaS Defense proactively identifies and protects against zero-day threats across the Microsoft 365 suite, including Exchange, OneDrive, SharePoint and Teams

Features

• Detects unknown malware threats at first encounter
• Proactive defence against malware
• Proactive defence against phishing and and business email compromise
• Protects across MS365 suite: Exchange, OneDrive, SharePoint, Teams
• Built from the ground-up
• Spam filtering
• Silent detection
• Robust reporting
• Quick deployment
• Add-on to Datto SaaS Protection

Benefits

• Stops zero-day threats rather than scanning for known threats
• Minimise time for detection
• Not just email - protects full MS365 suite
• Does not require manual interference or end-user disruption
• Reports to demonstrate value
• Get new users set up quickly
• Fully integrates with Datto SaaS Protection for comprehensive security

£2.25 a user a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at katiemurray@adaptivecomms.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

719067362669367

Contact

Katie Murray
01704540547
katiemurray@adaptivecomms.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: It is a threat solution for MS365 applications and is a bolt-on to Datto SaaS protection
• Cloud deployment model: Private cloud
• Service constraints: It requires a modern browser and will not work with personal versions of MS365 (i.e. home, family etc). It also cannot protect Microsoft 365 data located in GCC High Government Cloud or DOD Legacy K1 (Exchange kiosk) licenses.
• System requirements:
  • MS365 for Enterprise (OR)
  • MS365 Not-for-Profit licences (OR)
  • MS365 Government licences (G1, G3, G5) (OR)
  • MS365 Education Plans (A1, A3,A5) (OR)
  • Datto SaaS Protection required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: M-F Business Hours response SLA's are 60 minutes (30 minutes for critical faults). Emergency (chargeable) support is available outside of these hours with a 4-hour response SLA. These times are a maximum limit not our aim, we always aim to deliver fixes as quickly as possible. Our SLAs are the maximum wait time you should expect to receive in 95% of cases.Further details can be found here: https://adaptivecomms.co.uk/service-level-agreement/
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: For those with in-house IT Support teams, AdaptiveComms provides second-line assistance with this product to assist in the event that the features of SaaS Defense needs to be employed. Many of our customers also employ us as their IT support (separate service) but we will assist in set-up of the product to the extent that our client feels comfortable with. We can set up Datto SaaS Defense without having any direct access to either our clients MS365/Google accounts or the backed-up data. We provide each customer with a named account manager, backed up by a customer service team, helpdesk engineers for second-line and field based engineers for site support as required (site support is chargeable but it's requirement would be highly unlikely in this instance).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will set up the Datto SaaS Protection account for you (without the need to know client credentials) either by uploading client lists from a format such as excel or csv, or by setting up the service to auto-onboard new users. Datto SaaS Defense will then be applied if requested.
• Service documentation: No
• End-of-contract data extraction: Facilitation of customer control at the end of the contract is included within the contract cost. As data is a backup (and therefor a copy of existing information) there is no inherent requirement for users to extract their data upon ceasing the contract (although data recovery is a key function of the service so this data can be retrieved if required). The onus on the service is to ensure that the data held is destroyed and in this regard electronic media is securely wiped and sanitized to remove all data; and software. For up to sixty (60) days after the effective date of termination of a SaaS account, we will, upon written request, allow you to export or download a copy of Content as provided in the Product Specifications. After such period, we have no obligation to maintain or provide any Content and may thereafter delete or destroy all copies of the Content, unless legally prohibited. Threat Information may be deleted immediately upon termination of a SaaS Defense account. Depending on the Service Subscription, licenses applicable to the SaaS Account may remain.
• End-of-contract process: Facilitation of customer control at the end of the contract is included within the contract cost. Data will be held for the duration of the contract and only retained if the agreement is extended. This will only impact on the backup data and not the MS365 or Google Works information.; Upon cancelling SaaS Protection, Datto will no longer backup the data associated with the client and all backups Datto does have will be destroyed. The system will automatically send an email alert for the cancellation to the primary contact on the account.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: No
• Customisation available: Yes
• Description of customisation: On our clients behalf, AdaptiveComms can select if SaaS Defense is in Prevention or Monitoring mode.; In Prevention mode, the default operating mode, the application quarantines suspicious emails within seconds of reaching the intended recipient. If a document, located on OneDrive for example, includes a potential threat, the document is removed from the live environment so users cannot access it.; ; In Monitoring mode, the application identifies suspicious content but does not take any action. The content remains in its current location and the MSP determines the actions to take

Scaling

• Independence of resources: Datto has configured and implemented automated solutions for monitoring system capacity levels and thresholds for alerting as capacities are approached. It employs a geo-wide distribution with elastic capabilities. AdaptiveComms has a cross-trained support team with strong SLAs that we consistently meet well within our 95% target.

Analytics

• Service usage metrics: Yes
• Metrics types: We can create customized reports that provide a high-level view of the malicious email traffic affecting your users.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Kaseya

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: Datto encrypts all client data at-rest. Datto uses Transport Layer Security (TLS 1.2 or higher) for transmitting sensitive data over public networks.
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: As Datto SaaS Protection is a cloud-based backup and recovery solution it enables data backups from multiple SaaS platforms through a single user interface; backups run on demand or on a customer-defined schedule. Backup data is maintained on the Datto Cloud platform, separate from customers' SaaS providers' repositories. These systems receive and store backup data directly from the cloud SaaS services and allow customer administrators to restore data in the cloud services event of a disaster, export the data and also backup current data at periodic intervals.
• Data export formats: Other
• Other data export formats: The data is exported back to it's original format
• Data import formats: Other
• Other data import formats: MS365: Exchange, Tasks, Sharepoint, Teams, OneDrive

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Remote access to the Datto network is permitted using an encrypted tunnel (VPN) for employees, contractors, and third parties. A VPN connection and/or firewall rule is required to access internal services. For employees, automatic disconnect must be configured for remote access technologies after a specified period of inactivity. Remote access for third-party partners and contractors is granted upon authorization for the period needed and is immediately deactivated after use.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: An intrusion detection and prevention system is configured to continuously monitor and analyse network traffic and system activity, ban malicious IPs, and log all traffic. Role-based access control determines access rights and privileges. Access assignments are role-based and defined by management. An automated solution, Okta, is used to assign users to assigned account privileges based on management-approved roles. Datto utilizes an automated access control system, AD, for user account provisioning and role-based system access. Multifactor authentication is required for remote access by employees, administrators, and third-parties. The Okta MFA solution is utilized to protect the network from unauthorized remote access.

Availability and resilience

• Guaranteed availability: Datto does not provide a cloud uptime SLA; AdaptiveComms support SLA is as follows: M-F Business Hours response SLA's are 60 minutes (30 minutes for critical faults). Emergency (chargeable) support is available outside of these hours with a 4-hour response SLA. These times are a maximum limit not our aim, we always aim to deliver fixes as quickly as possible. Our SLAs are the maximum wait time you should expect to receive in 95% of cases. Further details can be found here: https://adaptivecomms.co.uk/service-level-agreement/ .
• Approach to resilience: This is available on request (subject to an NDA)
• Outage reporting: Datto Infrastructure status may be monitored at https://status.datto.com/. AdaptiveComms will email any customer contacts affected should we become aware of any outages.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Role-based access control is used to determine access rights and privileges. The Information Security Policy requires that system access privileges are assigned based on roles and responsibilities of each employee. Users must be assigned a unique ID before being allowed access to system components. Datto utilizes an automated access control system, AD, for user account provisioning and role-based system access. Periodic user access reviews are performed to evaluate and validate assigned user privileges. Terminated employees’ access to data and system must be revoked through account deprovisioning by the IT staff. Okta MFA required for access by employees, administrators, and third-parties.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Ref Datto: see report/ AdaptiveComms by Centre for Assessment Ltd
• ISO/IEC 27001 accreditation date: Ref Datto: see notes on SOC 2 report/ AdaptiveComms certified 14/08/23
• What the ISO/IEC 27001 doesn’t cover: Ref datto: see notes on SOC 2 report / Adaptive: We do not have any controls pertaining to source code, software development or associated testing as we do not undertake any software systems development as a company
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC2 Report covering internal operations. Can be provided under NDA

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Datto has a SOC 2 Report covering its internal operations for the Datto Cloud. Datto can provide SOC 2 reports associated with its USA colocation centres, under NDA, detailing physical security measures taken to protect the Datto Cloud. AdaptiveComms is working towards ISO/IEC 27001 expecting certification later this year.
• Information security policies and processes: Kaseya has a formally documented information security policy. The information security policy defines requirements of all employees, contractors, consultants, temporaries, interns, and other workers with respect to the protection and security of company and customer systems and information. The Chief Information Security Officer and Chief Technology Officer are responsible for the implementation, management, and enforcement of the information security policy. It is distributed to personnel upon hire and is available, via the company intranet, for all employees to access and reference. The Chief Information Security Officer updates the Information Security Policy on an annual cadence or upon significant changes to the environment.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Kaseya has documented SDLC and change management procedures, governing changes to infrastructure, as well as application and API development. Changes to infrastructure and services follow a Continuous Integration/Continuous Delivery model. ; ; The Change Control Policy includes requirements for authorization, testing, approval, and implementation. Changes are requested, tracked, and closed using an internal ticketing system for product, infrastructure, and customer support changes.; ; All planned and unplanned (emergency) changes are submitted and approved by the Director of Technology. Subsequent to approval, changes are scheduled and communicated to affected parties, including the date/time of the change, anticipated user impact, and downtime length, if any.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability scans of the SaaS Protection and RMM production environments are performed at least monthly. Issues identified in vulnerability scans and penetration test results are remediated and repeat scans and testing are performed to ensure that weaknesses have been corrected.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Datto monitors security and operations using network, infrastructure, and database monitoring tools. Agents are installed on all hosts to monitor network security and uptime, disk space, system resource usage, and alerts are sent to IT personnel for security events or usage issues. Critical events are logged and monitored at the infrastructure, application, and data layers. Logs are used for troubleshooting purposes.; Several third-party tools monitor performance and availability of the infrastructure. They collect and analyse logs of servers and applications. Logs are reviewed periodically based upon the risk associated with the event and retained in accordance with Data Retention Policy.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Users can feedback though a Defense Report Threat add-in application that they've identified an email as a threat that should have been quarantined, but wasn't. Or an email was quarantined but the end user verifies it was not a threat. This will be used by AdaptiveComms to feedback to Kaseya.; On a larger scale, Datto's Incident Response Policy includes procedures for incident preparation, detection and analysis, notification, containment, eradication and recovery, and post incident activity. ; Security incident are detected through network devices, IDS alerts, and logs allowing for containment of the incident and deeper analysis of the after effects.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Datto SaaS Defence for MS365 can contribute to fighting climate change by enabling remote work and reducing the need for physical infrastructure. By securing cloud-based communication and collaboration platforms, such a solution allows employees to work from anywhere, minimizing the carbon footprint associated with commuting and office energy consumption. Additionally, by preventing data breaches and cyberattacks, it helps avoid the environmental impact of recovering from security incidents, such as server downtime and data recovery processes.; ; As a supplier AdaptiveComms are taking the following steps to meet our environmental responsibilities: ; We pledge to be carbon neutral by 2030 guided by official carbon assessments; ; We plan to replace our entire vehicle fleet to electric by 2030; We have switched all our office lighting to efficient LEDs; ; We have reduced paper use by 90% by moving to online systems and energy-efficient electronic devices; ; We have switched to a renewable electricity energy supplier; ; We are committed to investing in carbon offset to reach our net-zero goal.

  Covid-19 recovery

  In the context of COVID-19 recovery, a comprehensive threat protection solution for Microsoft 365 plays a crucial role in ensuring business continuity and safeguarding sensitive information. By protecting against cyber threats such as phishing scams and malware attacks, it helps businesses maintain operational resilience in the face of evolving cybersecurity challenges. This, in turn, supports the recovery efforts by preventing disruptions to remote work and enabling secure communication and collaboration among employees.

  Tackling economic inequality

  By safeguarding businesses of all sizes from cyber threats, Datto SaaS Defence contributes to tackling economic inequality. By offering scalable security features and affordable subscription models, it ensures that even small businesses can access robust cybersecurity measures previously available only to larger enterprises. This helps level the playing field, empowering small businesses to compete effectively in the digital landscape without being unfairly hindered by the threat of cyberattacks.; ; Although we are not obligated to due to our size and revenue, we voluntarily offer a Modern Slavery and Human Trafficking statement pledging our commitment to prevent modern slavery and human trafficking in our business practices and supply chain, undertaking due diligence and seeking similar commitments when taking on new suppliers.; ; We have been involved in community projects to help people into employment including apprentice schemes, business forums, and educational outreach.

  Equal opportunity

  By providing advanced threat protection capabilities, a comprehensive solution for Microsoft 365 promotes equal opportunity by safeguarding the integrity of digital communication and collaboration platforms. This ensures that all users, regardless of their background or circumstances, can access these platforms securely and participate in remote work and virtual collaboration without fear of cyber threats compromising their privacy or productivity. In doing so, it fosters inclusivity and equal access to digital opportunities for individuals from diverse backgrounds.

  Wellbeing

  By preventing data breaches and protecting sensitive information, this solution helps create a secure work environment where employees can focus on their tasks without worrying about the potential consequences of cyber threats. This promotes peace of mind, job satisfaction, and overall wellbeing among employees, supporting a healthy and productive work culture.; ; At AdaptiveComms we have a culture built on hard work, respect, positivity and dedication and ensure that those tenets are reciprocated back to our staff through: ; Equality; ; Day off for birthday; ; Enhanced sick leave & maternity; ; Health top-up service; ; Food & drink provided in office; ; Enhanced holidays for length of service; ; Work-life balance; ; Employee-led think tanks.

Pricing

• Price: £2.25 a user a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at katiemurray@adaptivecomms.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.