ZIVVER

Zivver - Secure Email Platform

Zivver automates email security, allowing organisations to avoid data leaks and ensure compliant communications. Providing thousands of organisations worldwide with a native email security tool that combines; contextual AI-powered human error prevention, best-in-class AES 256-bit email encryption, recipient verification, email revocation, verified proof of delivery, 5TB file exchange and eSignatures.

Features

• Real-time email scanning and automatic detection of sensitive information
• DLP policies automatically encrypt emails and attachments with zero-access encryption
• Machine learning error prevention rules automatically recognises incorrect recipients
• Real-time colour coded alerts, intelligent user guidance before clicking send
• Revoke email access after sending or set email expiration policies
• User-friendly recipient access via Multi-factor authentication options, no account required
• Seamless email client integration (Outlook plugin, OWA add-in, Gmail add-in)
• Large file transfers, digital eSignatures, legal proof of email delivery
• Dashboard Insights identify risk, track user adoption, review user compliance
• Multi-platform support (desktop support, web browser, mobile support, email gateway)

Benefits

• Help employees apply right-sized security to increase information governance compliance
• Misaddressed email alerts prevent data leaks due to employee errors
• Prevent unauthorised email access, ensuring confidentiality with best-in-class email encryption
• Replace fax and digitise paper-based processes to significantly reduce costs
• Enhance data security practices, improve employee productivity, without disrupting workflows
• Meet GDPR compliance requirements, ICO guidance and NCSC encryption guidelines
• Real-time education and employee security awareness training, mitigating human errors
• No recipient account creation required, simplify secure email communication
• Increase efficiency with existing source systems integration (CRM, DMS)
• Track data governance compliance and monitor security policy effectiveness

£10 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@zivver.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

915565226532238

Contact

Public Sector Team
+44 20 3285 6300
publicsector@zivver.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Microsoft Outlook (full client) via a plug-in, Outlook Web Access (OWA) via an add-in, Gmail via a Chrome extension and mobile apps for iOS and Android. Zivver Encryption and DLP Gateway products integrate with Microsoft Exchange via smtp connectors and mail flow rules.
• Cloud deployment model: Private cloud
• Service constraints: Each Zivver product has a number of technical requirements that a customer's infrastructure has to meet in order for the product to be able to function properly. The full list of Zivver's Minimal technical Requirements can be found in the service definition document or the key requirements listed below.
• System requirements:
  • Microsoft Windows 10 or higher
  • Microsoft Outlook 2016 or higher or Office 365
  • Microsoft .NET 4.8 or higher
  • HTTPS-connection (via port 443) with TLS v1.2 or higher
  • Latest stable version of browsers (Edge, Chrome, Firefox, Safari)
  • If using SSO, IdP must support at least SAML v2.0

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Depending on priority (business impact * severity) assessment, the following response times are followed by Zivver support. These service levels entail the entire product portfolio of Zivver. P0 = 15 minutes P1 = 30 minutes, P2 = 4 hours, P3 = Best effort, target: 8 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard Business Hours (Monday – Friday, from 07:30 – 16:30 GMT+1).; ; P0 Incident: (15 minutes response - 24/7 Availability); Incidents whereby the Zivver service is completely unavailable, affects all users and there are no workarounds possible. Both a reply and a notification on zivver.info count as a response in this case.; ; P1 Incident: (30 minutes response - Zivver business hours); Incidents whereby app.Zivver.com is not responsive and there are no workarounds possible. Notification of downtime on Zivver.info counts as a response in this case.; ; P2 Incident: (4 hours response - Zivver business Hours); Incidents whereby parts of the Zivver SaaS platform are not responsive, and working is difficult but still possible.; ; P3 Incident: (Best Effort, Target 8 hours - Zivver business hours); Questions or incidents whereby users experience slight inconvenience but can continue working with Zivver secure email.; ; This support is within the scope of the SaaS licensing. ; ; There is a customer success manager (Single Point of Contact) assigned to the organisation for escalations.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Zivver's implementation process is based on our best practices with clients and provides tailored advice during the process, which comprises the following 6 stages:; Discovery: you discuss the project with your dedicated Zivver project manager; Design: a workshop where use-cases, functional requirements and technical requirements are discussed and we draft a policy on secure communication.; Build: where we test and configure Zivver in your organisation; Validation: the configured solution will be tested by pilot users using user acceptance scripts based on defined use-cases. ; Deployment: rolling out Zivver to all users so they can start sending secure emails; Active: evaluate the process with your dedicated project manager from Zivver and conclude the project; ; The engagement is conducted remotely, but the design phase and (user) training activities can take place onsite if required.; The training is normally conducted through a training webinar of ~90 minutes. Depending on the use case, additional user material is provided free of charge to facilitate the adoption of Zivver; ; The requisite number of hours for implementation, along with the necessity for onsite visits, will be collaboratively determined with the buyer. These services will be priced in accordance with the hourly rates specified in the Rate Card.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • MP4
  • Word
  • .html
  • PowerPoint
  • PDF
• End-of-contract data extraction: Email encryption and File transfer Data can be extracted when required by downloading unencrypted copies of Zivver messages as eml files. All policies and notifications in any front end will be cancelled. No further data at all will be shared with the Zivver Platform.
• End-of-contract process: A customer has their own dedicated Customer Success Manager (CSM) who checks in on a regular basis. When the customer nears the end of their contract, the CSM will discuss with the customer whether they wish to renew their contract or not. If the customer wishes to end their contract Zivver will, at the request of the customer, destroy or supply all information that is still present in the Zivver service. The customer also has the functionality to export all data unencrypted themselves once they cancel their contract, and have the ability to do this up to 60 days after the contract has ended. Zivver offers this download/export by means of an explicit TLS SFTP connection. This allows the organization to use its own SFTP tool of choice to export the new messages and files at time intervals that suit them (for example every night).

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Both our desktop, web and mobile applications all support the sending and receiving of secure messages and large files.; Whilst composing messages using the desktop Outlook plugin, AI based rules check message content, attachments and recipients against policy to prevent data leaks and provide real-time recommendations and/or activate appropriate security measures. When using Outlook for mobile or other mobile email applications, message, attachment content and recipient checks are possible Zivver's DLP or Encryption Gateway products, where Zivver messages can be sent based on message and attachment content.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: Users can access the Zivver service via an Outlook plugin, OWA add-in, Gmail Extension, web and mobile application. Users are able to send sensitive information and large files of up to 5TB with zero-access encryption with one simple click. Whilst composing messages, AI based rules check message content, attachments and recipients against policy to prevent data leaks and provide real-time recommendations and/or activate appropriate security measures. They can also read, revoke and view the open status of secure messages.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: Zivver aims to follow WCAG 2.2 A and AA standards as closely as we can. We work with expert groups and test our products with users who use assistive technologies, including feedback from healthcare customers to help those who are partially sighted or visually impaired.
• API: Yes
• What users can and can't do using the API: Zivver is fully API-based, which means every function of Zivver is accessible via the API . However, our APIs are not yet publicly available. Our professional services team will work with customers if there is a use case for custom API integrations into systems/applications.; ; Examples include sending e-mail messages to the Zivver platform, synchronising recipient information for verification from source systems, uploading encrypted files, real-time scanning of content, creating/modifying/deleting accounts, sending encrypted messages using third party applications and retrieving policies applicable to the user.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Zivver admins can log in to the web app admin panel in order to customise the solution to meet your data handling requirements. This includes user onboarding and offboarding, custom branding of notification emails (logos and texts), domain set-up (including SPF/DKIM), sub user groups with own branding, enabling and setting severity level of out of the box business rules, enabling and setting severity levels of custom business rules created by a Zivver Technical Consultant and exposed to your Zivver org, domain whitelists/blacklists, organisational default message expiration settings, audit Logs, add-in organisation forced settings and conversation starters for external users to initiate sending secure messages to the organization.; ; To understand which customisations require an additionally priced add-on please see the pricing document.

Scaling

• Independence of resources: Zivver is a full SaaS solution with auto-scaling capabilities that adjust server resources based on user demand. Traffic and requests are load balanced across multiple virtual servers. The main application is hosted on AWS ECS, ensuring a scalable and highly available architecture. Multiple instances are distributed over three availability zones for high resilience.

Analytics

• Service usage metrics: Yes
• Metrics types: Zivver Insights provides a variety of frequently used dashboards and flexible data export capabilities to assess how well Zivver is protecting against email data leaks and determine where you can make continuous improvements. These metrics are also available at the level of individual employees and everything can be customized with filters. You can export the raw underlying data to create your own reports.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: Zivver applies Zero Access AES-256 symmetric encryption to all messages. Zivver does not store the secret or decryption (private) keys, meaning the contents of secure messages are inaccessible to Zivver and third parties, ensuring nobody but the sender and intended recipient of the message can decrypt the message and read its content.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: It is possible to download unencrypted copies of Zivver messages via an explicit TLS SFTP connection as .EML files.; ; Admins can optionally enable a feature to allow users to save an unencrypted copy of sent/received/opened Zivver messages to Outlook for archiving and indexing purposes.
• Data export formats: Other
• Other data export formats:
  • ZIP
  • EML
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • CSV can be imported into system configurations
  • All formats supported when attaching files to a Zivver message

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The availability of the Zivver service (back-end) is measured as all hours of the year (365*24) minus total hours of downtime per year - excluding scheduled maintenance which was previously communicated to the customer.; ; Credits: Uptime was >99,0%, but <99,8% : Customers receive a free 1-month extension of their Zivver contract. Uptime was <99,0% : Customers receive a free 2-month extension of their Zivver contract. P0 response time was >1 hour: Customers receive a free 1-month extension of their Zivver contract.
• Approach to resilience: Zivver continuously works to guarantee the availability of user data. All our user data is securely stored in our Virtual Private Cloud, which is spread across multiple ISO27001 and SOC II certified data centres. The main application is hosted using AWS ECS to provide a highly available and scalable architecture. Multiple instances of the application are typically available at any time, distributed over three availability zones to ensure high levels of resilience. In the unlikely event of one availability zone becoming unavailable, we can instantly switch to the other zone and ensure continuity. We have point in time recovery for 30 days, meaning we can recover our data to any point in time in the last 30 days. Additionally a daily snapshot is made and copied to an alternative site. This backup is kept safely for 30 days as well, mitigating the risk of unintended data loss and allowing us to comply with an organisations stringent recovery time and recovery point objectives. Recovery procedures are tested annually and the outcome discussed with the management team.
• Outage reporting: Where relevant, email alerts are used and/or the emergency contact of the customer (if so agreed upon and assigned during the implementation) would be directly informed by telephone. Customers can at any time view the status of various elements of the Zivver infrastructure and applications via our online, publicly available status page.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: To keep user data secure, Zivver enforces strong authentication for account access. Users can login to their account using their password and an SMS code or time-based one time password (e.g. using Google Authenticator).; Managing user accounts and keeping control over user access is simplified through SCIM and the so-called Sync tool, through which accounts in Zivver are automatically kept in sync with accounts in the customer’s Active Directory.; The Zivver product can be integrated with the customers organisation’s Single-Sign-On solution through the SAML 2.0 protocol. This makes user login experience easier and eliminating the need to remember another password.
• Access restrictions in management interfaces and support channels: Zivver administrative accounts are only allocated to key personnel.; Zivver employees or suppliers never have access to messages or attachments sent via Zivver. Access to other user and customer data, like the email address and name, is limited on a need-to-know basis. Access is always approved by a member of the leadership team and the Information Security Officer (ISO). Access to data is based on a least privilege principle. Access is role based and reviewed monthly. Access is terminated on the last working day. The process is automated via the HR systems and checked frequently by the Security Team.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QSCert
• ISO/IEC 27001 accreditation date: 22/09/2023
• What the ISO/IEC 27001 doesn’t cover: A.11.1.5 Working in secure areas and A.11.1.6 Delivery and loading areas as these are not applicable for Zivver.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 22/09/2023
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: N/A
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • NEN 7510:2017
  • SOC 2 Type I and II
  • Privacy Verified
  • DCB0129 Clinical Risk Management
  • NHS Data Security and Protection Toolkit (DSPT)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC II Type 1 & 2, Cyber Essentials Plus, CSA STAR, Privacy Verified, NHS DSP Toolkit
• Information security policies and processes: Our information security management system (ISMS) is managed by our Information Security Officer and approved by management. It is based on the ISO27001 and SOC 2 Framework. Zivver maintains a dedicated security incident management procedure and includes a standardized ‘plan, do, check, act cycle’ that guarantees continuous improvement. If an incident is reported it is registered in the security incident register by the security team. The security team determines the incident subtype, impact and urgency of the incident based on internal guidelines and assigns the incident to an incident owner. The incident investigated and appropriate mitigation actions are taken. There are external and internal audits. We conduct monthly checks and share a monthly report that include incident reports to the Board about the security posture of Zivver. Twice a year there is a security board meeting with the CISO, CEO, CTO and COO. All employees need to sign the Data Security Policy before their start date + annually when the policies are updated. The Data Security Policy includes that non-compliance could result into disciplinary measures, including dismissal or the immediate termination of their assignment at Zivver.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Zivver has defined processes and procedures for Change and Configuration Management. The Platform team is responsible for coordinating and scheduling of changes. Configuration Management is managed by automation tools that track the states of desired configurations and report on deviations, in addition with audit logs.; Changes are either authorized by the product manager or senior members of the tech team. All changes are subject to a peer review and a test before they are released to production. Zivver have SOC2 - Type 1 and Type 2 reports available upon request.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Zivver monitors security updates for its components through ops.zivver.com and conducts daily scans to identify new vulnerabilities, which are then assessed by the security team. Every six months, external experts perform a security review and penetration test, a practice in place since 2016 with a CHECK approved provider. No critical or high risks were identified in the latest report, available under NDA. Zivver also encourages pen tests by clients and actively engages global security researchers through its vulnerability disclosure program to address potential security weaknesses.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: All Zivver services are continuously monitored to ensure that abnormalities are quickly investigated and acted upon. Additionally, logging is in place and configuration changes are kept for version control.; Via our Intrusion Detection System we monitor security events. A security event sets off an alert which are picked up immediately by our security team. The team investigates the alerts and determines if it a valid alert or not. If valid the alert is picked up immediately via the security incident procedure and an incident with the highest priority. This includes mitigating the impact of the incident and proper escalation.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Zivver has standard and tested security incident response procedures. The procedures make sure we take the required steps. For every incident we identify the root cause and possible improvement actions, such as changing/updating policies and procedures or adding additional checks. Zivver has implemented threat detection tooling that covers its entire ecosystem. Alerts are picked up without delay by a security engineer. Threat alerts can escalate into the security incident procedure if needed.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Zivver actively combats climate change through multiple environmental initiatives. We have recently completed our move to a more sustainable and energy-efficient office, incorporating greenery and refurbished furniture to reduce waste and create a healthier workspace. This commitment extends to comprehensive CO2 emission self-assessments conducted annually with the help of Trace, a provider of CO2 offset programs, allowing Zivver to monitor and manage its carbon footprint effectively.; ; Additionally, Zivver participates in verified carbon offset initiatives, such as tree planting through its partner, Sumthing, which contributes to global reforestation and ecological health. The company also promotes recycling by donating end-of-life electronic hardware to IT4Kids which aids in reducing electronic waste.; ; Zivver’s platform offers sustainable digital communication alternatives, significantly reducing paper use and encouraging other organisations to lessen their environmental impact. Through these efforts, Zivver not only mitigates its own environmental footprint but also influences broader industry practices towards greater sustainability.

  Covid-19 recovery

  Zivver has proactively supported long-term recovery efforts from the COVID-19 pandemic by leveraging its platform to facilitate secure communication of health data, such as PCR and antigen results and test-and-trace information. The company's adherence to the DCB0129 standard ensures clinical safety and the secure handling of patient data, supporting the resilience and efficiency of healthcare delivery systems.

  Tackling economic inequality

  Through substantial contributions to charitable organisations such as the Linda Foundation and Sheltersuit, Zivver contributions support underprivileged families and provides emergency shelter for the homeless. Additionally, through initiatives like donating end-of-life hardware to IT4Kids, our impact is extended as part of their mission is to also provide children with opportunities to play sports (who otherwise have none) due to financial or physical barriers.

  Equal opportunity

  Zivver is committed to promoting equal opportunities through its inclusive recruitment policy, which emphasises hiring talent from diverse backgrounds to foster workforce equality. Each contracted employee receives a yearly self-development budget of £1000 that gives them the opportunity to develop their personal and professional growth, this helps to address skills shortages and careers advancement.

  Wellbeing

  Zivver enhances well-being by adopting progressive policies that benefit both its employees and the wider community. The company offers unlimited holiday and a "Working from Anywhere" policy, enabling staff to work globally, which supports work-life balance and overall mental health. Additionally, Zivver provides private health insurance to its employees, ensuring they have access to quality healthcare. These initiatives are complemented by Zivver’s commitment to local green space projects that improve environmental sustainability and air quality, and its substantial contributions to charities focused on societal health and emergency assistance. Together, these efforts illustrate Zivver's comprehensive approach to promoting well-being across all levels of its operations.

Pricing

• Price: £10 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Free guest accounts are available to send and receive encrypted emails and large files from our Web App.
• Link to free trial: https://app.Zivver.com/signup

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsector@zivver.com. Tell them what format you need. It will help if you say what assistive technology you use.