CDW Limited

CDW OneTrust Governance, Risk, Compliance Technology

Ensuring data quality, usability, and integrity are key factors in building trust in your organization. Strengthen your data stewardship by driving business value and complying with the latest privacy regulations and security frameworks, all within one unified platform.

Features

• IT & Security Risk Management
• Enterprise & Operational Risk Management
• Incident Management
• Vendor Risk Management
• Policy Management
• Ethics & Compliance
• Audit Management
• Privacy Management
• Awareness Training

Benefits

• Benchmark your business against the GDPR
• Use pre-made templates and automate (PIA’s, DPIA’s, PbD automation)
• Manage your rules of processing activities under the GDPR
• Manage your Data Subject Access Requests
• Manage your privacy and security incidents
• Cookie consent and consent management
• Build privacy first relationships with consent and preference management
• Automate your vendor risk management program
• Become a privacy centric organisation
• Centrally, track monitor and update policies, notices and discloses

£18,090 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

983129673987264

Contact

Andy Wood
0161 837 7744
tenders@uk.cdw.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: OneTrust is the category-defining enterprise platform to operationalize trust. More than 12,000 customers, including half of the Fortune Global 500, use OneTrust to make trust a competitive differentiator, implementing central agile workflows across privacy, security, data governance, data protection, third-party risk, ethics and compliance, and ESG programs.
• Cloud deployment model: Hybrid cloud
• Service constraints: Environments are scheduled for maintenance according to their hosting location's 10:00 P.M. to 2:00 A.M local time to minimize any potential impacts to clients. Notifications prior to a maintenance window are provided through my.onetrust.com. The minimum notice timeframe is 24 hours. Users will see a small popup window when logging into the application when a maintenance window has been scheduled.; OneTrust provides ongoing support and maintenance through our in-house team of privacy-certified Implementation and Support Consultants, through email, phone, and our online support portal where support tickets can be submitted at any time.
• System requirements: No new software or hardware is required for cloud implementations.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Issues are categorized into Severity categories (1 – 4) based on service impact. Severity levels are tied to SLAs and associated response times, based on the tier of support services purchased by the customer. Severity 1 issues, defined as the production system being down, in whole or in part with no viable workarounds, or a security breach, follow a 24 x 7 escalation workflow to ensure off-hour response to such critical issues occur outside of business hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: OneTrust offers several support tiers ranging from Basic to Enterprise. Basic support offers over the phone/ticketed support through the My OneTrust support portal. Enterprise support offers a dedicated Technical Account Manager. All support services are provided by an in-house technical support team.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Online training is provided via self-paced and instructor led courses. also provides ongoing training for our solution through our online Support Portal, where we post updates on new features, helpful support articles on completing various actions within each product modules, and FAQs.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • Excel
  • Word
• End-of-contract data extraction: Exit clause is included in the agreed upon terms and conditions through our data portability clause.
• End-of-contract process: In the event of contract termination, a copy of customer data is provided to the customer and all remaining data on OneTrust systems is deleted within ninety days of contract termination; Microsoft Azure follows NIST 800-88 data destruction policies.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: OneTrust is built on response-web standards and can conform to devices of varying screen sizes.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Yes, any user can use the application with little to no training required. It has a point and click UI that is extremely easy to use.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: All changes are tested in a staging environment prior to being pushed to production.
• API: Yes
• What users can and can't do using the API: OneTrust uses REST-based APIs to pull data into the OneTrust application. All API calls require an OAuth bearer token to prove that the user is logged in and has been granted access to the resource being accessed.
• API documentation: Yes
• API documentation formats:
  • HTML
  • ODF
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: OneTrust defines project responsibilities, milestones, and client expectations through our Statement of Work (SOW) documents, either standard implementations or customized if specific implementation requirements are needed.

Scaling

• Independence of resources: OneTrust guarantees a high availability of our overall platform through our SLA of 99.95% during any given calendar month. [Client Name] can attach OneTrust's SLA to the contract by purchasing Enterprise Licensing or Support. OneTrust's also offers a SLA for our Website Scanning and Cookie Compliance module of 100% during any given calendar month.

Analytics

• Service usage metrics: Yes
• Metrics types: N/A
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: OneTrust

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: All customer data is encrypted in transit with TLS 1.2 and at rest and in storage with Azure Transparent Data Encryption AES-256.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Built-in importing/exporting capabilities for incorporating and extracting your data into a machine-readable format.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • Excel
  • PDF
  • Word
• Data import formats: Other
• Other data import formats:
  • Excel
  • PDF
  • Word

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: All customer data is encrypted in transit with TLS 1.2 and at rest and in storage with Azure Transparent Data Encryption AES-256.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: OneTrust leverages Cloudflare as our Web Application Firewall to provide perimeter security protection measures.

Availability and resilience

• Guaranteed availability: OneTrust guarantees a high availability of our overall platform through our SLA of 99.95% during any given calendar month. [Client Name] can attach OneTrust's SLA to the contract by purchasing Enterprise Licensing or Support. OneTrust's also offers a SLA for our Website Scanning and Cookie Compliance module of 100% during any given calendar month.
• Approach to resilience: All backups stored at the secondary data centre in the same geographic location as the chosen primary data centre by the customer.
• Outage reporting: Planned outage are communicated via email and through our my.onetrust.com portal.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Access to production environments that store personal data is limited to authorized employees who have a need-to-know based on the principle of least privilege, and such is determined on a case-by-case basis. Our IT/Security Lead is responsible for managing access rights in production environments, and Microsoft Azure is used for auditing these rights. Access to a customer’s production environment is only performed after receiving a support request from the customer and is necessary to troubleshoot the issue; access is then requested and must be approved before moving further
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Coalfire
• ISO/IEC 27001 accreditation date: 15/02/2022
• What the ISO/IEC 27001 doesn’t cover: The certificate can be found here for additional information: https://www.coalfirecertification.com/Certificates/OneTrust-ISO-27001-Certificate-Award_2-15-2022.pdf
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: No
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: Whilst OneTrust is not certified with CSA Star, our cloud-hosting application Microsoft Azure is certified. OneTrust has also completed a CAIQ to show how we align to the standards of the CSA Star which we can share with [Client Name] upon request. Please see this link for further details: https://cloudsecurityalliance.org/star/registry/microsoft
• PCI certification: Yes
• Who accredited the PCI DSS certification: Not provided
• PCI DSS accreditation date: 05 April 2021
• What the PCI DSS doesn’t cover: The OneTrust Privacy, Security, and Governance Platform has received a Report on Compliance for the PCI DSS v3.2.1 effective 05 April 2021. All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby OneTrust, LLC has demonstrated full compliance with the PCI DSS.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO27001
  • ISO27701
  • SOC11TYPE2
  • PCI

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: NeTrust has a policy to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements; ensure that information security is implemented and operated in accordance with the organizational policies and procedures; and to provide a framework for the proper identification of, and compliance with, applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: OneTrust has a change control process in place to control changes to all critical company information resources. All changes are tracked and communicated to relevant parties. Yes, OneTrust has a policy that establishes procedures on the proper management of IT production, including change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: OneTrust utilizes monthly vulnerability scanning for all environments, as well as source code scanning/analysis and vulnerability scanning on a per-release cadence. Microsoft Azure provides security review/patching services for our infrastructure, as well as critical security patches which are more proactively alerted and notified to OneTrust.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: If it becomes aware of a security incident, OneTrust shall inform the client without undue delay and shall provide reasonable information and cooperation to the client to fulfill any data incident reporting obligations it may have under applicable data protection law. OneTrust shall further take such reasonably necessary measures and actions to mitigate the effects of the data incident and shall keep the client informed of all material developments in connection with the data incident.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: OneTrust has a policy that provides a framework for reporting incidents, events and weaknesses, defining responsibilities, response procedures and collection of evidence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  CDW is committed to fighting climate change and protecting the environment. CDW has made a commitment to achieve Net Zero emissions by 2040, 10 years earlier than mandated by the UK government. To achieve this, CDW has implemented (and continues to implement) initiatives to reduce our emissions and carbon footprint, all of which are underpinned by CDW’s ISO14001 certified Environmental Management System (EMS) and our beGreen program.; ; CDW’s distribution centre and our flagship offices hold ISO 14001 environmental management certifications, with our UK distribution centre also holding REGO energy certifications. In parallel with our EMS and beGreen program, CDW has invested in and implemented a range of initiatives to help tackle our contribution towards climate change across our operational activities. These initiatives include (but are not limited to):; ; -Solar panel usage. As a result, in 2021, we were able to achieve 100% renewable energy sourcing for CDW-owned buildings.; -Energy-efficient lighting solutions, including indoor and outdoor LED lighting.; -Motion sensor lighting and conveyor systems that turn off in response to inactivity.; -Water consumption solutions, including rainwater harvesting efforts.; -“Smart” HVAC systems that adjust according to business hours and seasonal temperatures.; -A ‘Pin to Print’ program enabling enhanced print queue management to reduce wasted print jobs; -A goal to achieve 100% renewable energy sourcing for electricity by 2027. In 2021, 98% of electricity consumed in the UK was from renewable sources.; ; Additionally, at our distribution centres, we have recycled:; ; -2,966 tons of packaging material; -9,794 tons of cardboard; -636 tons of paper; -Thousands of wood and plastic pallets; ; Furthermore, at a coworker level, CDW has established a ‘WE GET Our Environment’ Business Resource Group and an Environment Committee with the purpose of increasing awareness of the environmental and social strategy, and to empower coworkers to get involved in environmental initiatives.

  Equal opportunity

  CDW is committed to creating a working environment for coworkers dedicated to inclusion, diversity and equal opportunities, as detailed in our CDW Way Code, which teaches all CDW coworkers to:; ; -Always do their best to make everyone at CDW feel welcome; -Treat other coworkers with respect and dignity; -Maintain an inclusive workplace in which all coworkers can demonstrate their full potential; -Respect the unique attributes and perspectives of every coworker; ; CDW provides equal treatment and opportunity without regard to:; ; -Race; -Skin colour; -Religion; -National origin; -Gender; -Sexual orientation; -Gender identity; -Disability; -Age; ; Our commitment to equality is underpinned by six Business Resource Groups (BRGs). BRGs ensure all coworkers have a voice, build awareness, and provide support to similar groups in their communities. The BRGs include:; ; -Armed Forces Network; -Black Coworker Network; -Disability Support Network; -PRIDE+; -United Support Network; -Women’s International Network; ; CDW coworkers are empowered to reach their highest potential, and we are focused on providing them with a wide variety of tools and development opportunities to help them achieve their career aspirations at CDW, regardless of origin, background or situation. Within our learning culture, all coworkers are surrounded by comprehensive resources and support, ongoing education and skills training, and robust advancement opportunities. We offer a variety of programs to help current and future leaders build diverse teams and to help diverse coworkers develop their leadership skills so they can continue to advance in the organisation.; ; Our commitment to equal opportunities and diversity is demonstrable across our organisation. As an example, CDW’s CEO and President, Chris Leahy, is female and CDW’s Executive Committee consists of 50% female and 50% male coworkers, with 42% coming from multi ethnic backgrounds.; ; CDW is also committed to reducing the gender pay gap and produces an annual gender pay gap report - https://www.uk.cdw.com/site-tools/pay-gap-report/.

  Wellbeing

  CDW is committed to providing coworkers and their families with the knowledge necessary to make the best health and wellness choices for themselves and their families. ; ; Our approach to wellness is designed to help coworkers be safe, healthy and successful. We understand that managing work and personal life is a balancing act of shifting priorities and so we offer a variety of benefits that supports a coworker’s physical, financial, emotional and social ; wellbeing, including access to telemedicine, a suite of family benefits and a variety of wellness incentives and programs.; ; CDW provides coworkers with an Employee Assistance Program, which offers confidential, individualised coaching to help coworkers achieve personal or professional goals. It also features enhancements for crisis care, 24/7 phone support and an emergency referral system.; ; Ongoing coworker engagement is fostered through regular communications events, including: ; ; -Monthly wellness e-newsletters promoting benefits available to coworkers; -Workshops and activities focused on timely topics; -Various campaigns to raise awareness for meaningful topics throughout the year, including mental health, emotional wellbeing and heart-mind gratitude; ; As a further example of our commitment, in response to the COVID-19 pandemic, our Coworker Services team implemented “coworker calls” - informal, but regular check-ins to ensure all coworkers are caring for their mental health and receiving the support they need.; ; CDW also established ‘The CDW Community’, an initiative set up to provide coworkers with activities that they could participate in to keep them physically and mentally active, and to give them a platform for social engagement with other coworkers during a time where many were feeling isolated.; ; Following its success during COVID, the CDW Community initiative has remained operational as we exit the pandemic, continuing to provide CDW coworkers with activities and resources centric to physical and mental wellbeing, as well as sessions to support a healthy family life.

Pricing

• Price: £18,090 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Please reach out to your dedicated AE for additional information regarding OneTrust optional User Acceptance Testing (UAT) environment.
• Link to free trial: Please reach out to your dedicated AE for additional information.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.