Novosco Ltd

Ampliphae Cloud Governance and Analytics

Simple, affordable SaaS discovery, control, and compliance. Quickly find the SaaS applications used in your organisation, monitor adoption, see who uses which services, and migrate users from non-compliant services to approved ones. Easy-to-deploy, affordable discovery, security and compliance. Find shadowIT, control SaaS costs, and data-compliance risks.


  • SaaS Application Discovery
  • SaaS Application Data Governance
  • Audit of cloud and SaaS usage
  • Individual user SaaS dashboard
  • Web browser SaaS Control plugin
  • Compliance reporting
  • GDPR reporting for SaaS applications
  • SaaS Adoption Analytics and Reporting
  • Network traffic analytics
  • Security assessment and risk reporting


  • Helps organisation find all the cloud SaaS application in use.
  • Highlights data governance non-compliance from SaaS applications
  • Helps with NIS and GDPR assessment and remediation.
  • Prevent data leakages and comply with GDPR, NIS,and PCI.
  • Control cloud application spend and risk.
  • Document and manage all SaaS vendor relationships.
  • Empower and coach employees around SaaS risk.


£6.00 to £36.00 per person per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

1 6 8 8 1 8 4 8 1 4 2 6 4 6 9


Novosco Ltd

Andrew Knight

028 90454433

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints None
System requirements
  • Physical or virtual probe deployment within network.
  • Network connectivity to Microsoft Azure Cloud

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Priority 1 response within 60 minutes. Priority 2 response within 120 minutes. Priority 3 response within 240 minutes. Priority 4 response within 480 minutes.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Novosco will provide a Service Desk function between 08:00-18:00 on Business Days. The Client may log incidents via the portal on a 24x7 basis with resolution during the Service Hours. Target response times are:
P1 - 60 minutes
P2 - 120 minutes
P3 - 240 minutes
P4 - 480 minutes

The Service Desk acts as the single point of contact via web, mail, or phone. All users of the Novosco solution receive a standardised service level. The Novosco solution is managed by a Service Delivery Manager, that is available to all customer representatives. Novosco can also provide a Cloud Architect to assist with the on-boarding/off-boarding of the service as required.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Onboarding services are available: - Deployment design consultancy, designing and documenting an appropriate monitoring configuration (additional cost, day rates) - Deployment (additional cost, day rates) - Built-in help and self-guided product tours - User documentation - Onsite training or webinar-based online training. Customisable content including deployment, basic product operations, SaaS and Cloud policy authoring and implementation. (additional cost, day rates) - Custom integrations to existing client systems (additional cost, day rates) - If any additional services are required (e.g. policy authoring, system administration, custom report development, etc.) these can be supplied at additional cost.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Information held within the Ampliphae system can be extracted via reporting, or extracted via BI integration.
End-of-contract process At the end of the contract, Ampliphae will remove access to the SaaS dashboard and all associated features and services, and will delete all data that has been uploaded from the monitoring probes for that client. At additional cost (day rates) Ampliphae will assist with decommissioning the physical or virtual probes located on client premises, the secure destruction of any data stored on those probes, and the recycling of any probe hardware in an environmentally responsible manner.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Ampliphae web dashboards are fully adaptive and will work on mobile devices as well as tablets and desktop machines. Look and feel will adapt to the smaller screen sizes.
Service interface No
What users can and can't do using the API All product data and features are optionally available via a combination of REST APIs and Business Intelligence integrations.
API documentation No
API sandbox or test environment No
Customisation available Yes
Description of customisation Custom reporting is available through Power BI integration.


Independence of resources Ampliphae's application and dashboards are served from Microsoft's public Azure cloud service, which is inherently elastically scalable to any forseeable demand level, and so system performance will be unaffected by other users.


Service usage metrics Yes
Metrics types A wide variety of service usage metrics, including number of monitored devices and users, SaaS services in use, etc. are available via the product dashboard.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Reseller providing extra support
Organisation whose services are being resold Ampliphae

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach The raw analysis data held within the Ampliphae system is not human-readable and cannot be exported in a usable form. The results of the analyses carried out can be exported via pdf reports, which are customisable by the end-user through BI integration.
Data export formats Other
Other data export formats PDF reports
Data import formats Other
Other data import formats All data directly monitored by the Ampliphae probes, not uploaded

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability No formal SLA.
Approach to resilience Microsoft Azure maintains UK National Cyber Security Centre (NCSC) approved data centres in UK South and UK West in order to provide resilience and availability for customer services. Upon customer request, Ampliphae will reserve capacity in an alternate site (location agreed with the customer) and leverage Microsoft's Azure's Site Recovery service and configure Microsoft's Azure Site Recovery such that Microsoft's Azure will start and stop the customer's services in a seamless transition to the alternate processing site.
Outage reporting Outages and other service-affecting events for Microsoft Azure are reported online via Microsoft's web site. Outages to the Ampliphae service are notified via email distribution list and/or via announcement on the Ampliphae website.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Ampliphae uses Microsoft AD for user authentication and role-based access control. Access to management interfaces and support channels is enabled only where appropriate permissions have been granted to an individual user.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certifcation Europe
ISO/IEC 27001 accreditation date 08/09/2017
What the ISO/IEC 27001 doesn’t cover Any customer provided elements of the platform.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 24/05/16
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover Any customer provided elements of the solution.
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Ampliphae’s cloud platform is exclusively hosted on Microsoft Azure’s platform and is composed of Azure resources deployed in Microsoft Azure’s UK South and/or UK West regions. As such, Ampliphae’s services inherit the governance assurances of Microsoft Azure’s cloud platform.

Novosco operates an Information Security Management System which complies with the requirements of ISO/IEC 27001:2005. Compliance is externally audited annually. Non-conformances are recorded within the Service Desk toolset. The Operational Manager and Director of Services are notified of any non-conformances and the action taken to resolve them.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Novosco operate a Change and Configuration Management process that is aligned with ITIL best practice and ISO/IEC 20000 ensuring the following objectives are met:
• All changes are assessed for impact, cost and benefit and risk;
• Only authorised changes are implemented;
• All parties affected are aware of proposed changes;
• Changes are planned and co-ordinated, have release and deployment plans and there are tested back-out plans;
• Users are informed of forthcoming changes;
• Changes are implemented with minimum impact to the business; and
• Adequate controls are in place for emergency and unplanned changes.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The Security Manager monitors public sources for operating system and application vulnerabilities, to assess their applicability. The vulnerability management policy includes processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which Novosco becomes aware, prioritisation of security patches, testing of security patches, application of security patches, and the reporting and audit mechanism detailing the efficacy of the patching policy.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Novosco holds ISO/IEC 27001:2013 certification and has undergone assessment against the CSA Cloud Controls Matrix v3.0. These standards incorporate all of the operational service management processes used to support this product set. Novosco has deployed the Logic Monitor service for protective monitoring at the Hypervisor level. Novosco use Intrusion Protection Systems (IPS) or Intrusion Detection Systems (IDS) to support the secure operation of the service. Potential compromises are addressed according to vendor recommendation, software update, configuration change, or workaround. Incidents are responded to in accordance with P1 service levels.
Incident management type Supplier-defined controls
Incident management approach Novosco’s approach to incident management is aligned to ITILv3. The incident lifecycle includes:
• Incident detection, recording and classification; • Investigation and diagnosis;
• Resolution and recovery; and
• Incident closure Incidents can be logged via phone, web, or email. The

Service Desk analyst will take the details of the incident and classify it. Each incident will be given a unique reference number and users will be able to track the progress of the incident through a portal using the reference number. Incident reporting is included in the monthly service report from the Service Delivery Manager.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)


Price £6.00 to £36.00 per person per year
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑