BECHTLE LIMITED

Microsoft 365 Copilot

Introducing Microsoft 365 Copilot — your copilot for work. It combines the power of large language models (LLMs) with your data in the Microsoft Graph and the Microsoft 365 apps to turn your words into the most powerful productivity tool on the planet.

Features

• Copilot in Word
• Copilot in Excel
• Copilot in Outlook
• AI Powered chat
• Enterprise grade Security, privacy and compliance
• Copilot for Team
• Per User licence

Benefits

• Improve productivity
• Increase and harness creativity
• Improve quality of work
• Save time with tasks
• Improve meeting efficiency
• Get helpful coaching and tips on customer engagement
• Multi-language support

£286.53 a licence a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector.uk@bechtle.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

825913716792708

Contact

Public Sector
01249 467900
publicsector.uk@bechtle.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Microsoft 365 Business and Enterprise Plans
• Cloud deployment model: Public cloud
• Service constraints: NA
• System requirements:
  • Microsoft Business or Enterprise plans required
  • Microsoft 365 Apps must be deployed
  • Users must have Microsoft Entra ID accounts
  • OneDrive user account
  • Copilot for Teams for PSTN calls need Teams Phone licence

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our standard support hours are 8am – 6pm Monday-Friday for non-critical issues, and a 24x7 service for critical issues, including the below:; »; <1-hour response time on critical issues; »; 4 Hour Critical issue SLA from Microsoft; »; 24-hour incident resolution for non-critical issues
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: P1: high: One or more services are not available or unusable, significant loss or degradation of services.; P2: Moderate: Service is available and usable, but with degradation of services but work and reasonably continue.; P3: Minimum: Limited or no significant service impact, substantially functioning with minor impact.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Bechtle can support with Copilot readiness assessments and Copliot workshops that cover topics such as: Art of the Possible with Copliot, Assess where it can be used and review use cases and Building a Plan for deployment or POC.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Microsoft guide here: https://learn.microsoft.com/en-us/microsoft-copilot-studio/personal-data-export
• End-of-contract process: Cost includes cost of Microsoft 365 Copilot, per user for an annual subscription. If this is not required to renew, costs will cease as per NCE terms.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: User experience may vary due to screen size
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: Can be customised through Copilot Studio, a low conversational AI platform that enables you to extend and customise Copilot for Microsoft 365 with plugins.

Scaling

• Independence of resources: Microsoft state that scaling is not an issue as it is highly scalable.

Analytics

• Service usage metrics: Yes
• Metrics types: Access via the Microsoft Admin centre; https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage?view=o365-worldwide
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Microsoft

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: For data at.rest, deploys BitLocker on servers holding all messaging data and content stored in SharePointOnline and OneDrive. BitLocker-volume encryption addresses threats of data theft or exposure from lost,stolen,or inappropriately decommissioned computers-disks.We use file-level-encryption.Meeting participants are encrypted by AESencryption.OneDrive-SharePoint use file-level encryption to encrypt data at rest. Office delivers a unique encryption key,every file stored is encrypted with its own key.Files are distributed across multiple Storage containers with separate credentials,rather than storing them in a single database.Spreading encrypted files across storage locations,encrypting the map of file locations itself,and physically separating master encryption keys from both content and the file map.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: https://learn.microsoft.com/en-us/microsoft-copilot-studio/personal-data-export
• Data export formats: CSV
• Data import formats: Other
• Other data import formats:
  • PDF, GIF, HTML, ASPX
  • Support.microsoft.com/en-gb/topic/file-formats-supported-by-copilot

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: https://learn.microsoft.com/en-us/copilot/privacy-and-protections
• Data protection within supplier network: Other
• Other protection within supplier network: https://learn.microsoft.com/en-us/copilot/privacy-and-protections

Availability and resilience

• Guaranteed availability: https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1&year=2023
• Approach to resilience: https://learn.microsoft.com/en-us/compliance/assurance/assurance-resiliency-and-continuity
• Outage reporting: https://status.cloud.microsoft/; https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/service-health-and-continuity

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: https://learn.microsoft.com/en-us/microsoft-365/solutions/groups-teams-access-governance?view=o365-worldwide; https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 07/03/2023
• What the ISO/IEC 27001 doesn’t cover: Cannot locate for Microsoft
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 26/02/2024
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-csa-star-certification
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • FIPS 140-2, FEDRAMP, SOC 1, SOC 2
  • ISO 27001, ISO 27018
  • EU-U.S. Privacy Shield, Cyber Essentials Plus
  • NIST 800-171, HIPAA/HITECH. ISB 1596

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Microsoft Cloud Security Policy is available via the Service Trust Platform aka.ms/stp

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: They are consistent with established regulatory guidelines including ISO 27001,SOC 1/SOC 2,NIST 800-53. OSA a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft.OSA combines this knowledge with the experience of running thousands of servers in datacenters around the world.OSA minimizes risk by ensuring that ongoing operational activities follow rigorous security guidelines and by validating that guidelines are being followed effectively. • Ensuring OSA inputs are up-to-date and relevant. • Developing and applying centralized review processes to consolidate requirements to establish the OSA baseline requirements. • Engaging and implementing new requirements and baselines.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: In support of the Information Security Policy,Office runs multiple layers of antivirus software to ensure protection from common malicious software.Servers within the environment run anti-virus-software that scans files uploaded and downloaded for viruses.All mails coming into the service run through the ExchangeOnlineProtection engine,which uses multiple antivirus and antispam engines to capture known and new threats against the system.Microsoft has its own Security Response Center.Office implements technologies to routinely scan the environment for vulnerabilities. Additionally,365 contracts with external penetration testers.Identified vulnerabilities are tracked,verified for remediation.Regular vulnerability and penetration assessments are performed to identify vulnerabilities.MSRC regularly monitors external security vulnerability awareness sites.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Office 365 employs sophisticated software-defined service instrumentation and monitoring that integrates at the component or server level, the datacenter edge, our network backbone, Internet exchange sites, and at the real or simulated user level, providing visibility when a service disruption is occurring and pinpointing its cause. Proactive monitoring continuously measures the performance of key subsystems of the Office 365 services platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: https://learn.microsoft.com/en-us/compliance/assurance/assurance-incident-management

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  xpand Opportunity: Microsoft believes economic growth and opportunity must reach every person, organization, community, and country. This starts with ensuring everyone has the skills to thrive in a digital, AI-enabled economy, and extends to empowering nonprofits, entrepreneurs, and other organizations to digitally transform and address society’s biggest challenges1.; https://www.microsoft.com/en-us/corporate-responsibility

Pricing

• Price: £286.53 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector.uk@bechtle.com. Tell them what format you need. It will help if you say what assistive technology you use.