ADAPTIVE COMMUNICATION SOLUTIONS LTD

Datto SAAS Protection

Cloud-based backup & recovery solution for application data including Google Apps, and M365 providing: • Protection from permanent cloud data loss due to insufficient native SaaS application recovery features, user error, malicious activity, SaaS application outages. • Ransomware recovery • Restore ex-employees’ data without paying for M365 or GSuite licenses.

Features

• Automated, continuous backups
• Different retention options
• Point-in-time restore & export
• Backup monitoring
• Back-up all critical data in MS365/Google Workspace
• Ransomware recovery
• Restore ex-employee data
• No need for AdaptiveComms to access data to setup
• Data at-rest encrypted
• MFA required for access

Benefits

• Flexibility of retention options to match client requirements
• Very quick and simple to restore data
• Monitoring allows for full visibility of events for auditing
• Potentially unlimited storage so data can be retrieved
• Restore data to point before ransomware attack occurs
• Hold ex-employee data without paying for MS365 licences
• Data encryption for protection in the event of loss/theft
• Protection from insufficient native SaaS application recovery features
• Considerable security measures means client data protected at all levels
• Restore data from one MS365 user account into another

£1.79 to £2.09 a user a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at katiemurray@adaptivecomms.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

729155459448166

Contact

Katie Murray
01704540547
katiemurray@adaptivecomms.co.uk

Service scope

• Service constraints: Datto SaaS Protection will not work with personal versions of MS365 (i.e. home, family etc). It also cannot backup Microsoft 365 data located in GCC High Government Cloud or DOD Legacy K1 (Exchange kiosk) licenses. Unsupported Google Workspace licences and user types currently include VFE (Vault Former Employees), Archived Users, Suspended Users, Legacy Free Edition, @GMail.com users. M365 does not back up shared and group documents. OneDrive backups do not capture Image Libraries.
• System requirements:
  • MS365 for Enterprise (OR)
  • MS365 Not-for-Profit licences (OR)
  • MS365 Government licences (G1, G3, G5) (OR)
  • MS365 Education Plans (A1, A3,A5) (OR)
  • Google Workspace Business Starter/Standard/Plus (OR)
  • Google Workspace Enterprise (OR)
  • Google Workspace for non-profits (Business/Enterprise) (OR)
  • Google Workspace for Education

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: M-F Business Hours response SLA's are 60 minutes (30 minutes for critical faults). Emergency (chargeable) support is available outside of these hours with a 4-hour response SLA. These times are a maximum limit not our aim, we always aim to deliver fixes as quickly as possible. Our SLAs are the maximum wait time you should expect to receive in 95% of cases.Further details can be found here: https://adaptivecomms.co.uk/service-level-agreement/
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: For those with in-house IT Support teams, AdaptiveComms provides second-line assistance with this product to assist in the event that the features of SaaS Protection needs to be employed. Many of our customers also employ us as their IT support (separate service) but we will assist in set-up of the product to the extent that our client feels comfortable with. We can set up Datto SaaS Protection without having any direct access to either our clients MS365/Google accounts or the backed-up data. We provide each customer with a named account manager, backed up by a customer service team, helpdesk engineers for second-line and field based engineers for site support as required (site support is chargeable but it's requirement would be highly unlikely in this instance).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will set up the Datto SaaS Protection account for you (without the need to know client credentials) either by uploading client lists from a format such as excel or csv, or by setting up the service to auto-onboard new users.
• Service documentation: No
• End-of-contract data extraction: Facilitation of customer control at the end of the contract is included within the contract cost. As data is a backup (and therefor a copy of existing information) there is no inherent requirement for users to extract their data upon ceasing the contract (although data recovery is a key function of the service so this data can be retrieved if required). The onus on the service is to ensure that the data held is destroyed and in this regard electronic media is securely wiped and sanitized to remove all data and software. For up to sixty (60) days after the effective date of termination of a SaaS account, we will, upon written request, allow you to export or download a copy of Content as provided in the Product Specifications. After such period, we have no obligation to maintain or provide any Content and may thereafter delete or destroy all copies of the Content, unless legally prohibited. Threat Information may be deleted immediately upon termination of a SaaS Defense account. Depending on the Service Subscription, licenses applicable to the SaaS Account may remain.
• End-of-contract process: Facilitation of customer control at the end of the contract is included within the contract cost. Data will be held for the duration of the contract and only retained if the agreement is extended. This will only impact on the backup data and not the MS365 or Google Works information. Upon cancelling SaaS Protection, Datto will no longer backup the data associated with the client and all backups Datto does have will be destroyed. The system will automatically send an email alert for the cancellation to the primary contact on the account.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Datto has configured and implemented automated solutions for monitoring system capacity levels and thresholds for alerting as capacities are approached. It employs a geo-wide distribution with elastic capabilities. AdaptiveComms has a cross-trained support team with strong SLAs that we consistently meet well within our 95% target.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Other
• Other metrics:
  • Daily success reports
  • User update status
  • Number of fully protected clients (last 24 hours),
  • Backup status for last 10 days
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Kaseya

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: Datto encrypts all client data at-rest. Datto uses Transport Layer Security (TLS 1.2 or higher) for transmitting sensitive data over public networks.
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • MS365: OneDrive, SharePoint, Contacts, Calendar, Tasks, Mail Services, Teams
  • Google Workspace: Gmail, Calendar, Contacts, and Shared Drive
• Backup controls: The backup schedule for is fully automated and runs three times daily for each service. Users cannot adjust the backup schedule.; ; The day's first backup run occurs between 12:00 AM and 8:00 AM (GMT).; The second run occurs between 8:00 AM and 4:00 PM (GMT).; The third occurs between 4:00 PM and 11:59 PM (GMT).
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Remote access to the Datto network is permitted using an encrypted tunnel (VPN) for employees, contractors, and third parties. A VPN connection and/or firewall rule is required to access internal services. For employees, automatic disconnect must be configured for remote access technologies after a specified period of inactivity. Remote access for third-party partners and contractors is granted upon authorization for the period needed and is immediately deactivated after use.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: An intrusion detection and prevention system is configured to continuously monitor and analyse network traffic and system activity, ban malicious IPs, and log all traffic. Role-based access control determines access rights and privileges. Access assignments are role-based and defined by management. An automated solution, Okta, is used to assign users to assigned account privileges based on management-approved roles. Datto utilizes an automated access control system, AD, for user account provisioning and role-based system access. Multifactor authentication is required for remote access by employees, administrators, and third-parties. The Okta MFA solution is utilized to protect the network from unauthorized remote access.

Availability and resilience

• Guaranteed availability: Datto does not provide a cloud uptime SLA; AdaptiveComms support SLA is as follows: M-F Business Hours response SLA's are 60 minutes (30 minutes for critical faults). Emergency (chargeable) support is available outside of these hours with a 4-hour response SLA. These times are a maximum limit not our aim, we always aim to deliver fixes as quickly as possible. Our SLAs are the maximum wait time you should expect to receive in 95% of cases. Further details can be found here: https://adaptivecomms.co.uk/service-level-agreement/ .
• Approach to resilience: This is available on request (subject to an NDA)
• Outage reporting: Datto Infrastructure status may be monitored at https://status.datto.com/. AdaptiveComms will email any customer contacts affected should we become aware of any outages.

Identity and authentication

• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Role-based access control is used to determine access rights and privileges. The Information Security Policy requires that system access privileges are assigned based on roles and responsibilities of each employee. Users must be assigned a unique ID before being allowed access to system components. Datto utilizes an automated access control system, AD, for user account provisioning and role-based system access. Periodic user access reviews are performed to evaluate and validate assigned user privileges. Terminated employees’ access to data and system must be revoked through account deprovisioning by the IT staff. Okta MFA required for access by employees, administrators, and third-parties.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Centre for Assessment Limited
• ISO/IEC 27001 accreditation date: 14/08/23
• What the ISO/IEC 27001 doesn’t cover: We do not have any controls pertaining to source code, software development or associated testing as we do not undertake any software systems development as a company
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Datto: SOC2 Report covering internal operations. Requires NDA

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Datto has a SOC 2 Report covering its internal operations for the Datto Cloud. Datto can provide SOC 2 reports associated with its USA colocation centres, under NDA, tdetailing physical security measures taken to protect the Datto Cloud. AdaptiveComms is working towards ISO/IEC 27001 expecting certification later this year.
• Information security policies and processes: Datto has a formally documented information security policy. The information security policy defines requirements of all employees, contractors, consultants, temporaries, interns, and other workers with respect to the protection and security of company and customer systems and information. The Chief Information Security Officer and Chief Technology Officer are responsible for the implementation, management, and enforcement of the information security policy. It is distributed to personnel upon hire and is available, via the company intranet, for all employees to access and reference. The Chief Information Security Officer updates the Information Security Policy on an annual cadence or upon significant changes to the environment.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Datto has documented SDLC and change management procedures, governing changes to infrastructure, as well as application and API development. Changes to infrastructure and services follow a Continuous Integration/Continuous Delivery model. The Change Control Policy includes requirements for authorization, testing, approval, and implementation. Changes are requested, tracked, and closed using an internal ticketing system for product, infrastructure, and customer support changes. All planned and unplanned (emergency) changes are submitted and approved by the Director of Technology. Subsequent to approval, changes are scheduled and communicated to affected parties, including the date/time of the change, anticipated user impact, and downtime length, if any.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability scans of the SaaS Protection and RMM production environments are performed at least monthly. Issues identified in vulnerability scans and penetration test results are remediated and repeat scans and testing are performed to ensure that weaknesses have been corrected.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Datto monitors security and operations using network, infrastructure, and database monitoring tools. Agents are installed on all hosts to monitor network security and uptime, disk space, system resource usage, and alerts are sent to IT personnel for security events or usage issues. Critical events are logged and monitored at the infrastructure, application, and data layers. Logs are used for troubleshooting purposes. Several third-party tools monitor performance and availability of the infrastructure. They collect and analyse logs of servers and applications. Logs are reviewed periodically based upon the risk associated with the event and retained in accordance with Data Retention Policy.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Incident Response Policy includes procedures for incident preparation, detection and analysis, notification, containment, eradication and recovery, and post incident activity. The Cyber-Security Incident Response Team comprises management and employees as well as external forensic professionals as needed. Security incident are detected through network devices, IDS alerts, and logs for suspicious events. Once detected, the initial analysis allows for containment of the incident and deeper analysis of the after effects. If the incident/breach impacts sensitive or personal data, notice is provided to customers affected. Post-mortem activities include "lessons learned" meetings with involved parties and policy updates.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Datto uses AWS within Europe who leverage leading cloud providers who meet the EU Code of Conduct for Energy Efficient datacentres.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Datto SaaS Protect for MS365 can contribute to fighting climate change by reducing the environmental impact of data storage and recovery processes. By securely storing data in the cloud and implementing efficient backup strategies, businesses can minimize the need for physical servers and storage devices, thereby decreasing energy consumption and carbon emissions associated with traditional data storage methods. Additionally, by enabling quick and reliable data recovery in the event of system failures or disasters, such a solution helps avoid the environmental consequences of data loss and the need for extensive recovery efforts.; ; As a supplier AdaptiveComms are taking the following steps to meet our environmental responsibilities: ; We pledge to be carbon neutral by 2030 guided by official carbon assessments; ; We plan to replace our entire vehicle fleet to electric by 2030; We have switched all our office lighting to efficient LEDs; ; We have reduced paper use by 90% by moving to online systems and energy-efficient electronic devices; ; We have switched to a renewable electricity energy supplier; ; We are committed to investing in carbon offset to reach our net-zero goal.

  Covid-19 recovery

  In the context of COVID-19 recovery, a comprehensive backup solution for Microsoft 365 plays a crucial role in ensuring business continuity and safeguarding sensitive information. By securely backing up critical data stored in Microsoft 365 applications such as Exchange Online, SharePoint, and OneDrive, businesses can mitigate the risk of data loss due to cyberattacks, human error, or system failures. This enables them to recover quickly from disruptions, maintain operational continuity, and support recovery efforts by ensuring the availability and integrity of essential business data.

  Tackling economic inequality

  A comprehensive backup solution for Microsoft 365 contributes to tackling economic inequality by safeguarding the digital assets of businesses of all sizes. By providing affordable and scalable backup options, such a solution ensures that even small businesses can access robust data protection measures previously available only to larger enterprises. This helps level the playing field, empowering small businesses to protect their valuable data assets and compete effectively in the digital marketplace without being hindered by the risk of data loss or cyber threats.; ; Although we are not obligated to due to our size and revenue, we voluntarily offer a Modern Slavery and Human Trafficking statement pledging our commitment to prevent modern slavery and human trafficking in our business practices and supply chain, undertaking due diligence and seeking similar commitments when taking on new suppliers.; ; We have been involved in community projects to help people into employment including apprentice schemes, business forums, and educational outreach.

  Equal opportunity

  By offering reliable data backup and recovery capabilities, a comprehensive backup solution for Microsoft 365 promotes equal opportunity by ensuring that all users have equal access to secure and resilient digital environments. Regardless of their background or circumstances, individuals can confidently leverage Microsoft 365 applications for remote work, collaboration, and productivity, knowing that their data is protected and recoverable in the event of unexpected incidents. This fosters inclusivity and equal access to digital opportunities, enabling individuals from diverse backgrounds to participate fully in the digital economy.

  Wellbeing

  Datto SaaS Protect for Microsoft 365 contributes to employee wellbeing by reducing stress and anxiety related to the potential loss of critical data. By automatically backing up data stored in Microsoft 365 applications, such a solution provides employees with peace of mind, knowing that their work-related information is securely protected and recoverable in case of emergencies. This promotes a healthy work environment where employees can focus on their tasks without worrying about the consequences of data loss or disruptions, leading to increased job satisfaction and overall wellbeing.; ; At AdaptiveComms we have a culture built on hard work, respect, positivity and dedication and ensure that those tenets are reciprocated back to our staff through: ; Equality; ; Day off for birthday; ; Enhanced sick leave & maternity; ; Health top-up service; ; Food & drink provided in office; ; Enhanced holidays for length of service; ; Work-life balance; ; Employee-led think tanks.

Pricing

• Price: £1.79 to £2.09 a user a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at katiemurray@adaptivecomms.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.