FlyingBinary Ltd

G Suite (formerly Google Apps)

Featuring full web-based architecture, real-time document editing and multi-device access, G Suite service resides in the FlyingBinary collaboration suite, simplifying email, document and calendar integration and management. The Google engine ensures that data is instantly available anywhere, and huge storage allowances eliminate the overhead of quota management.

Features

• Fully redundant, distributed storage in multiple locations
• Concurrent access on multiple devices
• Real-time document editing and collaboration
• Full web-based architecture for all applications
• Service updates delivered incrementally and include training
• Huge storage allowances for every user account
• Policy based email retention, with advanced audit and admin functions
• Integrated voice and video messaging and calls
• Integrated instant messaging to improve realtime collaboration

Benefits

• Multiple data locations eliminate data loss due to outage
• All data is accessible on whatever device you're using
• All team members see the same, current document version
• Web architecture eliminates client software, simplifying deployment and management
• Incremental update minimises retraining and migration costs
• Huge storage eliminates the overhead of quota management
• Email retention facilitates legal discovery and audit
• Zero overhead account management improves flexibility
• Real-time multiuser editing enhances user collaboration
• Enterprise ready to simplify large scale roll out

£4.60 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Framework

G-Cloud 12

Service ID

113516618423976

Contact

Dr Jacqui Taylor
+44 77 899 668 02
jacqui.taylor@flyingbinary.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The service is only available over the public internet, not within public sector networks.
• System requirements: A desktop or mobile web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support service is provided 24x7 directly by Google. Standard support case response time is within 8 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support service is provided 24x7 directly by Google. We can additionally offer onsite support at extra cost. The support service is provided for issues, incidents and service requests. We will also respond to questions about how to use the service, but we reserve the right to direct clients to our training services if users are clearly not equipped to use the service competently.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: There are four types of onboarding help available, which may be used in combination: online help; key contact getting started assistance; additional onboarding assistance; service training courses. Key contact getting started assistance is included within the cost of the service. It is usually conducted as an interactive web screenshare session, but may also be provided as a pre-recorded video session with a follow up teleconference, or as an onsite session. Onsite sessions outside the M25 area will incur an additional cost. Online help is available to all client users of the service and is included within the cost. Additional onboarding assistance and service training courses are both provided via the companion Cloud Support service.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The service has built-in tools that allow user data extraction. These tools are available at any time, not just at contract end, and may be used for any data extraction purpose required. There are no restrictions: all user data may be extracted from the service for any reason, at any time. User data extraction does not require supplier intervention, but clients may choose to limit this functionality to client super users or administrators. There is no limit to the number or size of data extractions performed. The companion Cloud Support service offers additional assistance with data extraction, at an additional cost.
• End-of-contract process: Prior to the end of contract/contract renewal date, we discuss the forward plan with the client key contact. In the event of contract end, we work with the key contact to ensure that all user data and collateral is retrieved or extracted before the contract end date. Although there are standard data extraction tools built in to the service, there may be a requirement for special data migration to the client's chosen new service. In that instance, we can work with the new supplier to migrate data to maximum benefit for the client, such work would be performed within the companion Cloud Support service and incur an additional charge. In the event that the client is unable to extract all required data before the contract end date, it is often possible to extend the duration of the data extraction features of the service for an additional period; or to extend the full service for an additional period; so that the client does not suffer unnecessary unavailability.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All standard features of the desktop service are available on mobile devices. The presentation and navigation of features is reformatted to provide a mobile-friendly experience for smaller screen sizes. Some design and administration features may be more difficult, or not available on mobile devices.
• Service interface: Yes
• Description of service interface: The service employs a modern, simple, browser-based, easy-to-use interface to provide a unified approach for users to interact with the service. Choosing browser-based over an installed application simplifies security, enterprise deployment and ensures that the service is evergreen without costly software upgrades. See answers to other questions concerning browser specifics. All standard user features are available via desktop or mobile web browsers. Mobile browsers are optimised to work with touch input, while desktop browsers support accessibility tools and software.
• Accessibility standards: None or don’t know
• Description of accessibility: Google Apps are tested against Google Accessibility Requirements (GAR), which is a combination of US Section 508, WCAG, and US Communications and Video Accessibility Act (CVAA). Google therefore doesn't claim conformance against WCAG specifically, but instead issues Voluntary Product Accessibility Templates (VPAT), that describe all the areas where the product supports the detail of Section 508. All the primary apps: Gmail, Drive, Docs, Sheets, Slides and Forms either support or support with minor exceptions, the provisions of Section 508 applicable to each application.
• Accessibility testing: A central team internal to Google performs all the accessibility testing to make sure it stays consistent. The testing consists of both automated and manual testing. Google Apps are tested against Google Accessibility Requirements (GAR), which is a combination of US Section 508, WCAG, and US Communications and Video Accessibility Act (CVAA). Individual products also perform testing at different phases in the development cycle, depending on that product's needs. There is also an external team of a few thousand people outside Google who additional perform ongoing accessibility testing with Google applications.
• API: Yes
• What users can and can't do using the API: Google provides a comprehensive set of APIs and SDKs that allow automation of practically every function of Gmail, Drive, Docs, Sheets, Slides and Forms using several common languages and frameworks, such as .NET, Android, Go, Google Apps Script, iOS, Java, JavaScript, Node.js, PHP, Python and Ruby. In addition to app-specific APIs, there are also APIs for management functions such as Admin Settings, Enterprise Licenses, Calendar Resources, Data Transfer, Directory Admin, Groups Settings and Reports.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Client Administrators have access to the Admin Console, where settings and configuration for all Google Apps can be managed. The Admin Console controls both under-the-hood functions like spam handling, mail routing and retention, and default document sharing as well as user-visible functions like document templates, colour themes, delegation and shared resources. The Console also provides management control for more than 50 additional Google services included within G Suite, including for example YouTube, Maps, Google Analytics, Blogger, Groups and the Google Developers Console. All the application modules include on/off controls so you can enable or disable each application for your whole organisation or for specific departments or teams.

Scaling

• Independence of resources: Google's infrastructure is designed and managed so that no services can be impacted from failure of any single component, from a physical hard disk to an entire data centre. With millions of users and billions of transactions per day, Google's global infrastructure is designed to ensure that resources are made available to any user, irrespective of their current demand. Google's Site Reliability Engineering discipline ensures that applications and infrastructure work together for maximum reliability and performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Real-time dashboards are accessible by client Administrators via the Admin Console. These dashboards provide information on user activity, number and type of applications accessed and used, and license and storage allocation consumption. There are also dashboards covering specific security activities, admin actions, user logins and audit functions. Report results are downloadable as CSV data for further analysis in other tools.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Google Inc

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: There are tools built in to the service that allow users to export their data. User data export does not require supplier intervention, but clients may choose to limit this functionality to client super users or administrators. Users may specifiy any subset, or all, of the data that is relevent to the current export requirement. Once the data subset has been selected, invoking the export function creates a CSV file corresponding to the selection. This CSV file is then downloaded to the user computer for the required purpose.
• Data export formats:
  • ODF
  • Other
• Other data export formats:
  • Open document formats and pdf for documents, spreadsheets and presentations
  • Rich text format and plain text for text documents
  • JPEG, PNG, PDF and SVG for drawings
  • MBOX format for mail
  • ICalendar for calendars
  • GeoJSON for map saved places
• Data import formats:
  • ODF
  • Other
• Other data import formats:
  • Open document formats for documents, spreadsheets and presentations
  • Rich text format and plain text for text documents
  • MBOX format for mail
  • ICalendar for calendars
  • GeoJSON for map saved places

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: Other
• Other protection within supplier network: User data is broken into subfile chunks and encrypted with a per-chunk encryption key that is 128-bit or stronger Advanced Encryption Standard (AES). Data in transit within the network remains encrypted unless requested by the user, when it is decrypted and the chunks are reassembled into the original user data form.

Availability and resilience

• Guaranteed availability: G Suite offers a 99.9% Service Level Agreement (SLA) for covered services, including Gmail, Drive, Docs, Sheets, Slides, and in recent years we’ve exceeded this promise. In 2013, Gmail achieved 99.978% availability. Furthermore, Google Apps Suite has no scheduled downtime or maintenance windows. Availability is measured 24x7 on a monthly basis. If any service fails the availability SLA, additional days of service are added to the service term at no charge to the customer. For failures in the range 99.9% - 99.0% 3 days credit; 99.0% - 95.0% 7 days; below 95% 15 days; to a maximum of 15 days in any service month.
• Approach to resilience: Google's application and network architecture is designed for maximum reliability and uptime. Google's computing platform assumes ongoing hardware failure, and it uses robust software failover to withstand disruption. All Google systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Google's clustered active servers so that, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers to ensure protection from data center failures. Google has a business continuity plan for its data centers and production operations. This plan accounts for major disasters such as earthquakes and public health crises, and it assumes people and services may be unavailable for up to 30 days. This plan is designed to enable continued delivery of our services to our customers.
• Outage reporting: G Suite performance status is reported via an online real-time dashboard. The information presented in the dashboard is also available as an RSS feed.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: There are two type of management access, for client super users and for supplier administrators. Client management access is limited to designated user accounts that have super user or admin status. Supplier management access is limited to designated user accounts. Supplier management user accounts use two factor authentication.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: EY CertifyPoint
• ISO/IEC 27001 accreditation date: 15 April 2019
• What the ISO/IEC 27001 doesn’t cover: Some applications are not covered, for example YouTube, Drawings, Google AdWords.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO/IEC 27017:2015 by EY CertifyPoint on 15/04/2019
  • ISO/IEC 27018:2019 by EY CertifyPoint on 17/04/2020
  • SOC 3 audit by EY CertifyPoint 01/05/2020
  • Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Our security governance is meshed with our corporate governance, with our CEO having final responsibility for G-Cloud services and governance policies and our CTO having day-to-day responsibility for policy implementation. Our policies cover people, processes, technology and information assets, at board, management and operational levels. We review our policies and update our practices in light of new regulation, standards and best practice to ensure we are able to counter current and emerging threats.
• Information security policies and processes: Our information security policy follows guidance in ISO27001, is owned by our CEO and implemented by our CTO. The top level Information Security Policy is supported by Architecture, Operations and Client Access policies. The policy states security objectives and establishes principles to ensure current and continued adherance and continual improvement. The policy set is integral to staff induction and all staff are required to agree and accept that information security governance is a core working principle. Operational checklists enforce security practices at the day to day level, and activities cannot be signed off without verified completion. The checklists also contain sections for feedback and challenge so that we actively improve. All staff are expected to challenge, because if we don't, bad actors will. Standard reporting flows from operational analyst or team lead to manager to CTO, but any staff member can invoke exceptional reporting directly to management or board, to ensure that important issues receive appropriate attention. Internal reviews ensure that all information security processes are working smoothly and as designed. If exceptions are found, we perform root cause analysis to understand if/how we need to change working practice to support our information security objectives.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Service hardware components are managed by our data centre suppliers. Component lifecycle management is accredited to ISO27001, including storage overwrite and secure destruction. Service software is assembled from existing software components (proprietary and open source), is obtained only from the official repository, and security checked before use. No custom software is used. The service deployment checklist records all versions and change dates. Planned infrastructure or software changes are reviewed for new or changed features or capabilities, and internal software library dependencies. If needed, configurations are changed to disable unnecessary new features or mitigate any additional security exposure.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We monitor vulnerability feeds, vendor and security researcher blogs to understand emerging threats. We then make an assessment to confirm any potential to affect service, and if so, determine severity and likelihood. Based on our assessments, we create a mitigation plan that may include a change to operation practice, a planned upgrade or an emergency upgrade. Operational changes and emergency upgrades are carried out as soon as reasonably practical following assessment and planning. Planned upgrades are accommodated within the normal upgrade or patching cycle.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: System event monitoring is used to facilitate the identification, classification and analysis of potential security incidents. Any security-related incident is classified as a severely service affecting incident, is escalated accordingly and actioned immediately. Different techniques and processes are employed to mitigate and recover service integrity, depending on the nature of the incursion. Further details are available on request.
• Incident management type: Supplier-defined controls
• Incident management approach: All service incidents follow a standard process. A triage step classifies to: common event not service affecting; service affecting; severely service affecting. Common events are handled by following a routine process. Events affecting service severely are immediately escalated to acquire necessary resource and management support. All other incidents are handled by the respective support team. Clients can report incidents by email to the support team. Update reports and communications are issued for all client-reported and service affecting incidents. When service affecting incidents are resolved, root cause analysis is performed to determine mitigating actions.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £4.60 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: All G Suite features are available for a 30 day free trial with no commitment. Alternatively, a free personal G Suite account can be created with no time limit to explore standard personal (non-enterprise) functions.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF