Sheetloom

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud

Private cloud
Service constraints: None
System requirements: None

User support

Email or online ticketing support: Email or online ticketing
Support response times: Standard support normally within 4 business hours.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: L1: Tier/Level 1(T1/L1)
Initial support level responsible for basic customer issues. Gathering information to
determine the issue by analysing the symptoms and figuring out the underlying problem.
L2: Tier/Level 2(T2/L2)
This is a more in-depth technical support level than Tier I containing experienced and more
knowledgeable personnel on a particular product or service.
L3 Tier/Level 3(T3/L3)
Individuals are experts in their fields and are responsible for not only assisting both Tier I and
Tier II personnel, but with the research and development of solutions to new or unknown
issues.
Severity Definitions
1- Critical: Proven Error of the Product in a production environment. The Product Software
is unusable, resulting in a critical impact on the operation. No workaround is available.
2- Serious: The Product will operate but due to an Error, its operation is severely restricted.
No workaround is available.
3- Moderate: The Product will operate with limitations due to an Error that is not critical to
the overall operation. For example, a workaround forces a user and/or a systems
operator to use a time consuming procedure to operate the system; or removes a nonessential
feature.
4- Due to an Error, the Product can be used with only slight inconvenience.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: User documentation on website
Video tutorials and feature guides
Online training covering the basics of set up and use of the service.
Assistance for clients deploying the application into their own AWS environment
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Both generated spreadsheets and generated history are accessible from AWS S3.
End-of-contract process: No termination charge, pay per use model.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None
Service interface: Yes
User support accessibility: WCAG 2.1 A
Description of service interface: User interface through graphical menus, and input panels using mouse and keyboard. No option to use microphone or camera.
Accessibility standards: WCAG 2.1 A
Accessibility testing: None, planned.
API: No
Customisation available: Yes
Description of customisation: An AWS Cloud Formation version which users can adapt to their own needs, install on their own AWS environment, and integrate more fully with other operational systems.

Scaling

Independence of resources: System scales horizontally via AWS Lambda.
Users with Sheetloom deployed in their own AWS environment will not be affected by external users.

Analytics

Service usage metrics: Yes
Metrics types: User activity and access reports.
Reporting types: Real-time dashboards

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest: Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding

Other
Other data at rest protection approach: The default is SSE-S3 where AWS manages the encryption keys. It’s the simplest to use and provides 256-bit encryption on all the files stored.

If the Customer wishes to maintain the keys themselves then they can use SSE-KMS for more control. This approach is where the Customer uses AWS Key Management Service (KMS) to manage their encryption keys. It offers more granular control over keys at the cost of maintaining and rotating keys.
Data sanitisation process: No
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: All data created by or uploaded into Sheetloom in any form (but typically csv or xlsx) is accessible to download.
Data export formats: CSV

Other
Other data export formats: PDF/A
Data import formats: CSV

Other
Other data import formats: All SQL databases

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Legacy SSL and TLS (under version 1.2)

Other
Other protection between networks: Will vary according to customer configuration.

Can also be encrypted prior to transfer
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: 99%. If 99% not met, we would negotiate a refund separately.
Approach to resilience: We are utilising AWS best practice in relation to resilience. AWS S3 is used as the backing store for all vulnerable data. S3 is designed for 11 9´s durability.
Outage reporting: AWS Cloudwatch alerts can be created

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Username or password

Other
Other user authentication: IP address is whitelisted.
2FA is an option if customer requires.
Access restrictions in management interfaces and support channels: Access to management interfaces and support channels is restricted through a combination of username and passwords, multifactor authentication, firewalling, IP restrictions, the use of bastion hosts as appropriate.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Username or password

Other
Description of management access authentication: IP Address whitelisting

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials Certification
Information security policies and processes: Sheetloom follows AWS best practice on security https://aws.amazon.com/security/.
We have a range of technical and organisational measures to ensure data security and protection. These cover Access, Roles and Responsibilities, Resource/asset management, Access Control & Authentication, Workstation & Device Security, Network/Communications Security, Back-up, mobile/portable device security, and physical security of our premises. Staff training and awareness is ongoing, staff / contractors must sign confidentiality and privacy statements and read and sign company security policy. Sanctions are applicable for non-compliance. Our reporting structure if a security breach happens or is suspected: staff are trained to and required to immediately flag to DPO and CEO and lock down or isolate the breach where feasible; DPO/CEO will take immediate action including isolation or lock down of affected systems, notification to affected parties, implementation of business continuity and disaster recovery. Risk impact reviews are conducted when a new data category is processed, or system implemented, and security measures adapted as necessary. Category logs, training logs, access logs, and breach logs are maintained, reviewed and signed off periodically by the assigned DPO and CEO.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All code is under version control using git.
Jenkins is used to build releases. An automated test framework is used for integration testing. Changes are tracked via JIRA. Cloudformation is used to deploy via AWS Marketplace
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Solution may be deployed into customer's AWS VPC via AWS Cloud Formation or they may subscribe to Millersoft version;
External access is configured via customer and GUI is locked down via AWS security groups/firewalls.
SSH access is also locked down via security group and PEM file.
The access is as secure as the customer´s network.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Regular penetration testing
Awareness towards open source software defects (eg Python vulnerabilities)
All logs go to AWS Cloudwatch for auditing, monitoring and alerting.
Incident management type: Supplier-defined controls
Incident management approach: When a breach or suspected breach occurs staff our process requires staff to immediately report this to the DPO/CEO, raising a breach incident form and taking what actions are available to them to isolate or lock the system according to the severity of the breach. The DPO/CEO will assess the breach and implement appropriate measures to contain, and resolve and notify affected parties to the extent required. The nature of the breach, cause, impacts, actions to remedy it and timescale, outcome and further recommendations are recorded in breach incident log which is monitored by CEO and DPO.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: Yes
Connected networks: Other
Other public sector networks: Potentially all public sector networks based on client connectivity needs

Social Value

Tackling economic inequality

We believe that our social mission to assist young people into employment is compatible with the guidelines laid out in the Governments Social Value theme of tacking economic inequality (MAC 2.2). Wherever it has the opportunity to do so, Millersoft has and continues to offer placements, internships and employment to technology students from the deprived local area studying in local colleges and universities with whom we hold relations. Its method is to provide initial training and inductions to suitable internees before assigning them to live projects, where they are monitored, supported, challenged, and encouraged by experienced senior consultants and developers. As an organisation that values fresh and radical ideas to find new products and solutions to solve existing problems, internees are also encouraged to share their thoughts and ideas in a stimulating and collaborative environment, and often asked to implement, test and deploy them into real world projects. Regular development reviews are held with internees and progress objectives adapted accordingly. Internees, as is the case with all staff, receive regular training in the latest technologies which may cover Cloud Technologies (staff are trained to be Amazon Web Service Engineers and Architects), data processing tools, database management, project management, security. In most cases internees become full time employees at Millersoft once they graduate and are already well equipped to take on more responsibility and autonomy within the company.

Pricing

Price: £10 a licence a month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Full access for 30 days

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Sheetloom

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents