SoSafe Human Risk Management - Security Awareness Training
SoSafe offers effective awareness training for companies. With our interactive e-learning platform and customised phishing simulations, we continuously educate our customers' employees and raise awareness of cyber security, data protection and compliance.
Features
- Personalised Learning
- Cyber Security lessons
- Gamification
- Customisable Phishing simulations
- Risk Assessment survey
- Phishing reporting button
- Sofie Rapid Awareness
- Expert Analytics
- Cyber Awareness materials
Benefits
- Personalised learning modules to the individual
- Interactive learning. Gamified lessons focused on behavioral-based CSAT
- Increased engagement & adoption through gamification & challenge rewards
- Pre-designed phishing emails for training & assessing users' awareness
- Customised workplace habits survey for individual learning cycles
- Report suspected phishing attempts. Integrated into preferred email client
- MS Teams based bot that promptly sends alerts to employees
- Detailed analysis dashboard. Displays specific user characteristics data
- Additional digital material for internal awareness initiatives, e.g. posters, screensavers
Pricing
£21.79 a user a year
- Education pricing available
Framework
G-Cloud 14
Service ID
926078767457513
Contact
Somerford Associates Limited
Penny Harrison
Telephone: 07897075103
Email: penny.harrison@somerfordassociates.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Integrate with mail service (Outlook, Google workspace) for reporting, phishing simulations & real threats
- Cloud deployment model
- Public cloud
- Service constraints
- SoSafe's services operate with minimal constraints, ensuring uninterrupted access and support for our clients. While we strive to maintain optimal performance for our SaaS platform through periodic maintenance, these activities are meticulously planned to minimise disruption and communicated in advance to our users. We are committed to providing a seamless experience, guaranteeing consistent service delivery and comprehensive assistance to meet the diverse needs of our customers.
- System requirements
-
- Compatible web browser (Chrome, Firefox, Safari, Edge, etc.)
- Reliable internet connection with adequate bandwidth for streaming.
- Up-to-date operating system (Windows, macOS, Linux, etc.)
- Standard office productivity software (Microsoft Office, Google Workspace, etc.)
- Sufficient storage space for data caching and temporary files
- Compliance with local data protection regulations (GDPR, HIPAA, etc.)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- SoSafe provides email support as part of our standard service offering. Response times are outlined in our SLAs and vary based on the priority of your support request. For general inquiries, we aim to respond within two (2) business days, while disruptions to services are addressed within one (1) business day. Support during weekends may have slightly longer response times. Access to our knowledge base articles supplements our support resources, ensuring comprehensive assistance for our users. We also offer priority support options and access to Customer Success Managers for strategic consultation on security awareness and platform usage.
- User can manage status and priority of support tickets
- No
- Phone support
- No
- Web chat support
- No
- Onsite support
- No
- Support levels
-
SoSafe offers multiple support levels tailored to meet the diverse needs of our customers.
Basic Support: Included in the base subscription cost, providing email support during regular business hours.
Enterprise Support: A comprehensive support package including priority support, full service implementation, faster response times and prioritisation over tickets, and access to a dedicated customer manager.
Costs for these support levels vary based on the scope of services and the size of the organisation. Please refer to our pricing page or contact our sales team for detailed pricing information.
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- SoSafe facilitates the onboarding process to help users seamlessly start using our service. Our implementation team assists customers with various aspects of implementation, including user provisioning, Single Sign-On (SSO), Multi-Factor Authentication (MFA), campaign orchestration & creation, whitelisting, etc. We aim to complete the implementation within 20 days to expedite the transition to our platform.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
-
When the contract ends, users can extract their data according to SoSafe's data retention and deletion policies. Customer master data is stored for 10 years as per legal requirements. Archiving of customer data occurs three months after license expiration, ensuring data quality for potential subsequent licenses. A reminder is sent four weeks before archiving to download reports/certificates. Proper data destruction is conducted following ISO27001 standards, with a deletion report provided upon request. All details of SoSafe's data retention and deletion policies can be found on:
https://sosafe-awareness.com/security-trust/
- End-of-contract process
- SoSafe includes end-of-contract process in the contract price with no additional costs. This means that all features, services, and support outlined in the contract are provided at the agreed-upon price without any hidden fees or supplementary charges.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
- SoSafe offers an e-learning platform for end-users and an administration platform for administrators.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- N/A
- API
- No
- Customisation available
- Yes
- Description of customisation
- SoSafe offers the possibility to customise our service to match our clients' specific requirements. Admins can customise aspects such as SoSafe e-learning and phishing content, tailoring them to align with their organisational needs. This customisation can involve incorporating placeholders or submitting content modification or creation requests to adapt the content accordingly. Those requests are handled by our Professional Services team.
Scaling
- Independence of resources
- SoSafe follows best practices for cloud software deployment. Cloud services run in independent containers with auto-scaling and loosely coupled dependencies to cope with peak demand. SoSafe also has infrastructure monitoring in place to warn our engineers and support agents about potential issues, so that an agent can react before users notice any degradation.
Analytics
- Service usage metrics
- Yes
- Metrics types
- SoSafe provides comprehensive service usage metrics tailored to meet client needs. These include e-learning metrics such as completion and registration rates, allowing clients to assess the effectiveness and engagement of their training initiatives. We offer phishing metrics, including click, interaction, learning & reporting rates, enabling clients to gauge the effectiveness of their CSAT campaigns. We provide a comprehensive security score for each client and industry benchmarks. Our CSAT metrics encompass various aspects of user satisfaction, providing valuable insights for continuous improvement and optimisation of our services to meet client expectations. These are reported on the admin platform or through smart connectors.
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Reseller (no extras)
- Organisation whose services are being resold
- SoSafe
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Other
- Other data at rest protection approach
-
All personally identifiable Client and user data (e.g., user email addresses) are encrypted when stored in protected databases (authorisation system, password policy with the aforementioned attributes, SSH certificate, access only possible via the internal IP area). Block storage encryption is used for data at rest using AWS SYMMETRIC_DEFAULT_Policy. This represents the AES-256-GCM symmetric algorithm, which is an industry standard for secure encryption. Data encrypted under AES-256-GCM is protected now and in the future as it is considered quantum resistant.
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- SoSafe admins can easily export their data using our service through various methods. Admins have the option to export metrics directly from their admin platform to PDF or Excel formats (xlsx or csv). This feature provides flexibility in accessing and analyzing data according to their preferences. Additionally, SoSafe is actively developing connectors to automate data export to third-party applications (One Drive for example, and other BI tools to come), further streamlining the process for users.
- Data export formats
-
- CSV
- Other
- Data import formats
-
- CSV
- Other
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection between networks
-
All data transfers (both between the Client and the Contractor as well as between all employees of the Contractor) are encrypted in accordance with the recommendations for encryption from BSI. With the integration of AWS, we apply the recommended ELBSecurityPolicy-2016-08 from AWS predefined SSL security policies. This includes TLS 1.2 with SHA 256, ECDHE key exchange and ECDSA for authentication with AES 128 for encryption as a minimum requirement. Network access requires a VPN connection. Communication with service endpoints requires a secure connection.
- Data protection within supplier network
- Other
- Other protection within supplier network
-
The application is hosted externally and is a SaaS (Software as a Service) solution. The company AWS manages the hosting solely on certified servers in Germany, Frankfurt a.M. in accordance with ISO27001 (further certifications found here). All our subcontractors are hosting their services on servers in the EU (European Union). We have carefully selected providers from a technical, legal, and information security perspective and review them in accordance with GDPR Article 28 (4) sentence 1.
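The data-in-transit section above states a minimum of TLS 1.2 with ECDHE key exchange, ECDSA authentication and AES-128 encryption. A buyer's security team would normally verify that floor on the live endpoint rather than take the policy name on trust. The following is an added example, not code from SoSafe or this listing: it evaluates a negotiated cipher suite and protocol version, in the shape Python's `ssl.SSLSocket.cipher()` reports them, against that stated minimum. It assumes RSA-authenticated ECDHE suites are acceptable alongside ECDSA ones (the listing names only ECDSA), and the sample handshake results in `main` are constructed, not captured from any SoSafe system.

```python
"""Check negotiated TLS parameters against the minimum the listing describes:
TLS 1.2 or higher, ECDHE key exchange, ECDSA (or RSA) authentication and at
least AES-128 for the record layer. Cipher names follow the OpenSSL naming
that ssl.SSLSocket.cipher() returns, e.g. "ECDHE-ECDSA-AES128-GCM-SHA256"."""
import re
import socket
import ssl
import sys

MIN_VERSION = "TLSv1.2"
MIN_AES_BITS = 128
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Assumption: RSA certificates are accepted alongside ECDSA ones.
_ALLOWED_AUTH = ("ECDSA", "RSA")


def evaluate(cipher_name, version):
    """Return (ok, reasons) for one negotiated (cipher, protocol) pair.

    `reasons` lists every way the pair falls short of the stated minimum;
    an empty list means the handshake meets it."""
    reasons = []
    if _VERSION_RANK.get(version, 0) < _VERSION_RANK[MIN_VERSION]:
        reasons.append(f"protocol {version} is below the {MIN_VERSION} floor")

    if version == "TLSv1.3":
        # TLS 1.3 suite names carry no key-exchange or authentication labels:
        # every TLS 1.3 handshake is (EC)DHE with forward secrecy, so only the
        # bulk cipher is left to check (TLS_AES_128_GCM_SHA256 etc.).
        match = re.match(r"TLS_AES_(\d+)_GCM_SHA\d+", cipher_name)
    else:
        # TLS 1.2 OpenSSL names are <kx>-<auth>-<cipher>-<mac>; suites with
        # RSA key transport (e.g. "AES128-SHA") omit the first two labels.
        kx, _, rest = cipher_name.partition("-")
        auth, _, _ = rest.partition("-")
        if kx != "ECDHE":
            reasons.append("key exchange is not ECDHE (no forward secrecy)")
        elif auth not in _ALLOWED_AUTH:
            reasons.append(f"authentication {auth} is not ECDSA or RSA")
        match = re.search(r"AES(\d+)", cipher_name)

    if match is None:
        reasons.append("bulk cipher is not AES")
    elif int(match.group(1)) < MIN_AES_BITS:
        reasons.append(f"AES key size {match.group(1)} is below {MIN_AES_BITS} bits")
    return (not reasons, reasons)


def probe(host, port=443, timeout=5.0):
    """Perform a real handshake with `host` and evaluate what was negotiated.

    Only called when a hostname is passed on the command line; the rest of
    the module works offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return name, version, evaluate(name, version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    # Constructed sample handshake results (cipher, protocol, bits), in the
    # shape ssl.SSLSocket.cipher() returns; not captured from any real host.
    samples = [
        ("ECDHE-ECDSA-AES128-GCM-SHA256", "TLSv1.2", 128),
        ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
        ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
        ("AES128-SHA", "TLSv1", 128),
        ("ECDHE-RSA-CHACHA20-POLY1305", "TLSv1.2", 256),
    ]
    for name, version, _ in samples:
        ok, reasons = evaluate(name, version)
        print(f"{name:32} {version:8} {'OK' if ok else 'FAIL: ' + '; '.join(reasons)}")
```

Because the check runs on what the server actually negotiated, it is independent of which predefined load-balancer policy is attached; that matters because AWS's older predefined policies, ELBSecurityPolicy-2016-08 included, also accept TLS 1.0 and 1.1 clients, so a TLS 1.2 floor should be confirmed on the endpoint rather than inferred from the policy name.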
Availability and resilience
- Guaranteed availability
- Our SLA is available on request
- Approach to resilience
-
Except as stated otherwise in the Feature Matrix, SoSafe shall provide each respective Awareness Building Service with an Availability of 99%.
The SoSafe service is designed to be resilient by ensuring the continuity of operations and processes in the event of disruptions. It aims to maintain critical operations and services during and after disruptive events, minimise impact, and safeguard assets, employees, and reputation. The service is structured to identify potential threats and vulnerabilities through a Business Impact Analysis (BIA) and to develop continuity and recovery strategies to mitigate risks. SoSafe also provides Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) to restore critical IT systems and infrastructure following a disruptive event, aiming to minimise data loss, downtime, and business impact. The service includes a communication strategy, exercising, testing, and reviewing the BIA, BCP, and DRP, and a process for handling exceptions and violations.
SLA available on request
- Outage reporting
- SoSafe has a public status page that customers can subscribe to in order to be informed of, and track, any ongoing major or minor outage. Customers who subscribe to the status page are notified of every activity posted there.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Access restrictions in management interfaces and support channels
- SoSafe restricts access in management interfaces and support channels by implementing a Secure Filesharing option within the SoSafe Manager for sharing documents, ensuring that documents are not shared via email. Additionally, SoSafe uses a Secure Filesharing option within the SoSafe Manager for sharing benchmarking reports and results of the initial phase with corresponding contacts. This approach ensures that access to sensitive information is controlled and secure, preventing unauthorised access to management interfaces and support channels.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Other
- Description of management access authentication
-
Authentication Middleware: SoSafe uses authentication middleware for management access.
Single Sign-On (SSO): SoSafe provides the option to use SSO via Microsoft Entra ID, Google, or Okta.
Secure Filesharing: Documents and data are shared via the Secure Filesharing within the SoSafe Manager, ensuring that sensitive information is protected and only accessible to authorized individuals.
Data Processing Agreement: SoSafe regulates the access and processing of data through a separate Data Processing Agreement.
MFA (Multi-Factor Authentication):
SCIM Connection: SoSafe supports SCIM (System for Cross-domain Identity Management) connections with Microsoft Entra ID, Okta, or Google Workspace for automatic user provisioning and management.
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- DEKRA
- ISO/IEC 27001 accreditation date
- 20/12/2022
- What the ISO/IEC 27001 doesn’t cover
- Anything not related to product development & support of solutions for cyber security awareness training & human risk management.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- TISAX
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
SoSafe has multiple policies including the 'data protection policy' and 'information and security management' policies which are communicated and shared with all employees and relevant stakeholders. These are audited as part of our ISO 27001 certification. The policy is approved by the senior leadership team and updated on an annual basis. All policies are made available in our employee handbook on a HR portal. Employees are required to formally accept these policies annually and acceptance is audited.
The CEO covers the role of DPO and holds responsibility for data protection and information security. Responsibilities are defined, documented, accepted and reviewed regularly. Internal audits are conducted regularly in line with our ISMS, and non-compliances and/or risks are logged in our risk register. This is audited annually as part of our ISO 27001 certification.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- SoSafe is committed to ensuring the security and reliability of its platforms. With a documented secure development policy that is communicated to and accepted by all developers, adherence is closely monitored through various tools that check code quality and security issues. Changes in the development lifecycle are handled with SoSafe's change management process, ensuring a smooth transition. The platforms are continuously tested and monitored to ensure no security or operational impacts. SoSafe also tests all new systems and upgrades against a pre-defined set of acceptance criteria and functional/non-functional requirements before release, guaranteeing the highest level of quality.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- SoSafe runs continuous vulnerability scans across all assets. Any medium-level or higher vulnerabilities are remediated within 24 hours; low-level issues that are not risk-accepted are addressed within 2 weeks.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- SoSafe's protective monitoring approach to operational security involves the identification of potential compromises through baselining & use of intrusion detection and prevention systems (IDPS). When a potential compromise is identified, SoSafe responds promptly by escalating the incident to the Security Incident Response Team (SIRT), activating the Security Incident Response Team Incident Manager. The response time to incidents varies based on the severity, with critical severity incidents requiring immediate notification to the Security team and activation of the Security Incident Response Team. SoSafe's response time to incidents ranges from 30 minutes to 24 hours, depending on the severity of the incident.
- Incident management type
- Supplier-defined controls
- Incident management approach
- We have a well-defined incident management process that is kicked off automatically based on an alert, or manually based on a support ticket. Whenever a situation occurs an incident commander is assigned, and that person is responsible for communications (through our status page) and for all coordination required to successfully resolve the incident. The incident commander creates a virtual war room where all required participants are gathered. They then coordinate the response based on a simplified version of ITIL.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Equal opportunity
- Wellbeing
Fighting climate change
SoSafe is a Member of Leaders for Climate Action.
SoSafe publishes an annual ESG report on the Worldfavor platform.
SoSafe offers a SaaS solution only, with minimal environmental impact.
Equal opportunity
SoSafe is an equal opportunity employer & measures its workforce diversity. This is represented by strong representation from minority ethnic, female & LGBTQ+ members across the Board, senior leadership & total workforce. Over a third of the employee headcount identifies as female (for example).
Furthermore, ongoing diversity & inclusion training is allied to recruitment programs designed to ensure that SoSafe recruits new staff from diverse backgrounds. All SoSafe offices are designed to offer an inclusive environment (breastfeeding spaces, disabled access, unisex bathrooms etc).
Wellbeing
SoSafe has a policy or strategy in place to provide support to staff around mental health and wellbeing. SoSafe also supports staff with financial support, study leave or flexible working opportunities, as well as an above-average PTO offering, and guarantees that all staff are paid at least the living wage.
Pricing
- Price
- £21.79 a user a year
- Discount for educational organisations
- Yes
- Free trial available
- No