SaaSGuard Govern

SaaS Management platform that: Automates regular SaaS discovery, deriving the balance between risk and reward of using SaaS (SaaS Balance); Presents an ongoing view of SaaS Balance, offering counsel on deciding SaaS usage policies ; Provides a conduit for collaboration between business/governance teams to better gain net benefit from SaaS.


  • Probes: Automated collection of SaaS usage data from systems estate
  • Analyser: Automated, inspection of usage to determine SaaS penetration
  • Appraiser: Collaborative interaction with third party risk management marketplaces
  • Appraiser: Automated scrutiny of factors to derive SaaS risk
  • Ledger: Automated generation of risk-adjusted view of SaaS balance
  • Dashboard: Automated presentation of risk adjusted benefit for SaaS employed
  • Counsellor: Collaborative process to refine risk-adjusted benefit for specific SaaS
  • Compendium: Collaborative targeting of SaaS sanctioned by the organisation


  • Optimise SaaS Balance for Service, Data and IT Asset management
  • Increases the risk-adjusted benefit of adopting SaaS
  • Increases effectiveness and reduces cost of SaaS risk mitigation
  • Probes: Reduces cost of SaaS discovery via SaaS usage
  • Analyser: Provides a more complete view of SaaS penetration
  • Appraiser: Reduces cost and improves understanding of SaaS risk factors
  • Ledger: Provides more effective collaboration to manage SaaS Balance
  • Dashboard: Provides a more effective view of risk-adjusted SaaS benefit
  • Counsellor: More effective way of risk-adjusting SaaS adoption
  • Compendium: More complete mechanism to discover risk-adjusted SaaS


£3.60 to £16.42 a person a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 1 8 4 7 4 0 4 6 8 8 5 3 7 9


Ampliphae Trevor Graham
Telephone: 02032890121

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
The SaaSGuard Govern service requires the deployment of data collection probes in order to collate the information required for its analysis. The appropriate type and number of probes is buyer-dependent.
Where one or more network probes is to be deployed, it is necessary that the buyer has technical capability and authority to connect the probe(s) in the appropriate network locations.
System requirements
  • Integration to Buyer identity data, for example Active Directory
  • Authorised users require Microsoft AD account to access the Service

User support

Email or online ticketing support
Email or online ticketing
Support response times
Questions can be submitted through our website or via email, and will be responded to during Business Hours (9am-5pm UK time, Mon-Fri excluding Public Holidays). Target response time for questions is 1-3 business days depending on the priority
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Registered Ampliphae customers have access to our online support knowledgebase and incident handling website. Incidents can be raised 24x7 via the our website, and will be responded to during Business Hours (Mon-Fri 9am-5-pm UK time, excluding Public Holidays). Incidents will be prioritised, with target response and resolution times dependent upon impact and priority.
Additional support options including telephone, out of hours, and on-site assistance are available at additional cost, charged according to the SFIA rate card supplied. "
Support available to third parties

Onboarding and offboarding

Getting started
At Ampliphae we want our customers to get the most out of using our service from the beginning, and as such we provide a comprehensive set of planning and onboarding services.
Prior to deployment our customer success team will engage with the buyer technical team to gain an understanding of the buyer's infrastructure, and with our deployment guide, help to size and scope the deployment.
We provide a simple self-deployment process for the buyer technical team to get up and running quickly, and we have a suite of documentation to enable customers to deploy and start using the product effectively.
If required we can provide telephone support to assist with self-install, on-site installation and deployment services at extra cost.
At additional cost, Ampliphae consultants can design a bespoke service offering for the buyer, for example: helping to assess their SaaS environment and processes, interpreting the insights provided by the Ampliphae application, assisting with development of appropriate processes and a target operating model for management of SaaS, and training staff in safe and effective use of SaaS.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data can be extracted in PDF or Excel format using the application reporting user interface.
Data can be extracted using Microsoft PowerBI.
End-of-contract process
Ampliphae will remove access to all Ampliphae Platform applications.
Ampliphae will securely delete all customer data from the Ampliphae Platform.
All physical probes can be returned to Ampliphae for secure wiping and destruction of all buyer data.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The Ampliphae dashboards are accessed via a web browser, are fully adaptive and can be accessed from mobile devices as well as tablets and desktop machines. Look and feel and operations adapt to the smaller screen sizes.
Service interface
Description of service interface
The Ampliphae administrative interface enables the customer to self-serve for key administrative tasks, for example adding or removing service users or control of data collection probes.
Accessibility standards
None or don’t know
Description of accessibility
Not applicable
Accessibility testing
Customisation available


Independence of resources
Ampliphae's application and dashboards are served from Microsoft's public Azure cloud service, which is inherently elastically scalable to any forseeable demand level, and so system performance will be unaffected by other users.


Service usage metrics
Metrics types
Key service metrics available include:
- number and month-on-month trends of SaaS applications in use
- number of SaaS Application users
- breakdown of SaaS applications by approval status
- breakdown of SaaS Application users by department or location
- traffic volumes transferred for SaaS Applications
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
Data in Azure is stored in Azure Storage and the Azure SQL (PaaS) Database.
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption(FIPS 140-2 compliant).
Transparent Data Encryption (TDE) encrypts Azure SQL Server data using real-time I/O encryption/decryption of data/log files using a database encryption key (DEK), a symmetric key, secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects.
Microsoft Azure Cloud is compliant with ISO 27001, CSA CCM.
All data collected is stored in encrypted storage, with keys held securely within the Ampliphae platform.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
The raw analysis data held within the Ampliphae system is not human-readable and cannot be exported in a usable form. The results of the analyses carried out can be exported via PDF reports, which are customisable by the end-user through PowerBI integration. Certain subsets of the analysed data can exported to Excel format for use outside the platform.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Microsoft PowerBI
  • Microsoft Excel
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Data for analysis is collected via one or more Ampliphae probes, which can be deployed as software or hardware. In either case, raw data collected from within the buyer's network must be transferred to the Microsoft Azure Cloud for further analysis, collation and display to the administrative users.
For Ampliphae hardware probes on buyer premises, all raw data collected and cached for analysis is stored in encrypted storage, with decryption keys held securely within the Ampliphae Cloud platform.
The Ampliphae platform and applications are accessed by buyer administrative users via a web-browser, using secure connections.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Buyer data transmitted to Ampliphae is held only within Microsoft Azure Cloud, not within the Ampliphae corporate network. Microsoft Azure Cloud (PaaS and IaaS) has many layers of protection for client data, including encryption of data transiting between Azure components, and it is compliant with ISO 27001, 27017 and 27018. Ampliphae's use of the Microsoft Azure IaaS and PaaS offerings is aligned with the Microsoft blueprint for UK OFFICIAL data classification, which is a shared responsibility model.

Availability and resilience

Guaranteed availability
The Ampliphae application is cloud-hosted in Microsoft's Azure cloud datacentres which are engineered for 99.999% availability. The Ampliphae service will be generally available for use in managing SaaS on a 24x7 basis, and any planned outages will be notified in advance. In the event of failure of the cloud application, up to and including loss of a complete Microsoft Azure availability zone, service will be manually restored with a target maximum restoration time of 2 working days.
Approach to resilience
The Ampliphae cloud platform is made highly available by leveraging Microsoft Azure PaaS capabilities. Microsoft Azure datacentres are engineered to very high levels of availability (details available from Microsoft on request). The Ampliphae application and data is backed up across Microsoft Azure UK datacentres and in the unlikely event of complete loss of the primary Microsoft Azure datacentre, the system can be manually restored to an alternate UK zone from geo-redundant backups.

The Ampliphae system also includes a deployment of data collection probes. Where physical network probes are utilised, the deployment can be made resilient in line with the buyer's existing network architecture, by deploying additional probes at additional cost. The data collection design will be agreed with the buyer during the onboarding process to ensure that the level of resilience meets buyer requirements.
Outage reporting
Outages and other service-affecting events for Microsoft Azure are reported online via Microsoft's web site. Outages to the Ampliphae service are notified via email distribution list and/or via announcement on the Ampliphae website.

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Other
Other user authentication
Users of the Cloud platform are authenticated using federation with Microsoft Azure AD authentication, under the buyer's control. Optionally the buyer can configure multi-factor authentication for their Microsoft accounts.
Access restrictions in management interfaces and support channels
Ampliphae uses federated Microsoft Azure AD for user authentication and role-based access control. Access to management interfaces and support channels is enabled only where appropriate permissions have been granted to an individual user.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Other
Description of management access authentication
Management Users of the Cloud platform are authenticated using federation with Microsoft Azure AD authentication, under the buyer's control. Optionally the buyer can configure multi-factor authentication for their Microsoft accounts.

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials
Information security policies and processes
Ampliphae has an extensive set of security policies, including Information Security, Data Protection and Physical Security. An Information Security Coordinator role has been appointed with specific responsibilities for security governance, and the Information Security Response Team includes a sponsor at Board level.
Ampliphae is certified to Cyber Essentials and is currently working towards ISO 27001 certification.
Ampliphae operates an Information Security Management System which has been constructed to align with the requirements of ISO/IEC 27001:2005. Compliance audit internally on an annual basis. Non-conformances are recorded within our corporate risk management log and resolved appropriately. The Operations Lead and CEO are notified of any non-conformances and the action taken to resolve them.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All Ampliphae software assets are stored and developed using commercial configuration management and software development tools, within a software development process that includes change management procedures.
All software changes and deployment of software to production is tightly controlled, and authorised by Ampliphae's change control board. Version control on all software components allows audit tracking of software changes and deployments into production environments. Customer data is protected and preserved when the application is upgraded.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Ampliphae can be made aware of vulnerabilities through a number of routes, including partner alerts via email (for example from Microsoft) or by published alerts from (for example) the NIST National Vulnerability Database. The Ampliphae test team run weekly security audits of the third party packages that are used in the product to check for known vulnerabilities. This check is also performed as part of the normal software CI/CD process. When vulnerabilities which may affect Ampliphae products are notified, the issues are logged in our internal ticket system and managed appropriately, with security patches deployed if required.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Ampliphae's use of Microsoft Azure IaaS and PaaS offerings is compliant with the Microsoft blueprint for UK OFFICIAL data classification - which specifies a series of protective monitoring processes. Further information on the extensive protective monitoring can be obtained from Microsoft or Ampliphae.
Incident management type
Supplier-defined controls
Incident management approach
Ampliphae uses an ITIL-based process for Incident Management which can be summarised as:
- Incident is identified and logged in our ticket management tool
- Support Team perform initial triage/investigation and diagnosis/resolution where possible
- If required, Support Team escalate for further investigation and diagnosis/resolution
- Incident is Resolved and then transitions to Closed
The customer will be kept informed by ticket updates, email or telephone throughout.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£3.60 to £16.42 a person a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.