Sopra Steria Ltd

Sopra Steria Secure Digital Data Interchange

The challenge of secure data sharing and data exchange is often cited as one of the blockers to digital transformation. Our ‘Digital Data Interchange’ SaaS offering has been designed to address the challenges of sharing data and exchanging information securely, simply and cost effectively, at scale.


  • Securely share any messages and data with your partner organisations
  • Unlimited messages
  • Built on secure public cloud; UK hosted. Accredited to OFFICIAL-SENSITIVE
  • Secure, guaranteed delivery of messages to multiple destinations
  • Continuous development and continuous integration as standard for custom configuration
  • Access to the full range of Sopra Steria expert practitioners
  • ITIL compliant service, highly available, resilient, and secure
  • Ability to connect via any compatible network including internet/PSN
  • Industry leading integration and cloud technologies including API/container architecture
  • Available in England, Scotland, Wales and Northern Ireland


  • Proven provider: experience delivering high availability services (99.95%+)
  • Transparent, cost effective, consumption based pricing model
  • Configurable: highly adaptable to meet your message needs
  • Scalable to any required capacity / number of messages
  • Flexible: integrate applications to meet your users’ needs
  • Simple: common standards make connecting your partner organisations straightforward
  • 24/7 support option
  • Connectivity: exchange data with internal and external partner organisations


£0.00 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

172593962091002


Sopra Steria Ltd Chris Horne
Telephone: 07954 834 818

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
The standard service has the following limitations. Customisations are available and can be agreed as part of the configuration of the service to meet your needs:

• The service is designed to handle messages that are predominantly less than 10MB.
• The service’s standard monthly reports will be produced.
• The messages are processed in the order they are received.
• The service can connect to AWS services such as S3 buckets and SQS. The customer must provide their own tenancy for those services if they wish to use them.
• The service will handle standard message processing.
System requirements
  • Internet connection
  • Connect via REST, SOAP (with WSDL), SFTP
  • Connect via JMS 1.1, AMQP 1.0
  • Connect via AWS services, including S3, SNS, SQS, Lambda
  • Messages can be encrypted via TLS 1.2
  • Other services can be offered on request

User support

Email or online ticketing support
Email or online ticketing
Support response times
We aim to respond to questions within 4 working hours (M-F 09:00-17:00 excluding English bank holidays).
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
The service levels for the standard service are outlined below. These can be customised to meet a Customer’s requirements but may incur an additional charge.

The support hours for the service are 09:00 to 17:00 (UK time), Monday to Friday (excluding English bank holidays). Incidents of any priority can be raised via the service portal on a 24x7 basis and will be processed during the support hours. During support hours the service desk can be called for Priority 1 (P1) incidents.

As a chargeable option Customers can request 24x7 support for P1

The target resolution time for incidents is as follows:

• Priority 1 = 4 working hours
• Priority 2 = 8 working hours
• Priority 3 = 2 working days
• Priority 4 = 5 working days

English bank holidays are excluded from the support hours except for P1 incidents if the 24x7 service has been selected.

The availability target for the service is 99.95% excluding any maintenance periods.

There will be an Account Manager, and other technical resources will be available as required.
Support available to third parties

Onboarding and offboarding

Getting started
Documentation will be provided to users on how to request the on-boarding of a new end-point or data exchange. Sopra Steria will manage the on-boarding of a new customer, end point or data exchange.
The tools used, APIs, connectors, schema definitions, communication protocols will be highlighted and used to facilitate the on-boarding process.
Service documentation
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats
MS Word
End-of-contract data extraction
The service does not hold any customer data on a permanent basis. Log files can be requested from Sopra Steria at the end of the contract as part of the off-boarding process.
End-of-contract process
At the end of the contract the end points will be removed from the service ensuring that no further messages can be sent to, or received from, any of the end points. Residual customer data will be purged.

Using the service

Web browser interface
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
The REST API is built from scratch to match the requirements of the users using their Open API definition and JSON schemas. These can be imported into the Data Exchange and integrated into the mediation engine or exchange. Changes are made by the user supplying new versions of their API, which are then imported.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
Within the standard service new endpoints and message exchanges can be on-boarded and deployed using interface definition and schemas supplied by the customer typically using the Open API or WSDL for a SOAP service. Further customisations including routing rules, content transformations and alternative endpoints are available based on customers’ additional specific requirements.


Independence of resources
The service provides auto horizontal scaling based on demand ensuring sufficient cloud resources are provisioned as required. Each customer’s workload is separated so that the cloud capacity for each customer can be scaled independently to match the requirement. This will ensure the demand for one customer does not impact on another.


Service usage metrics
Metrics types
Our service will provide a standard metrics package that provides details of:
• Message Exchange Performance
• Message source and destination summary
• Number of messages managed
• Exchange performance (throughput time summary)
• Available via email and CSV format
• Service Management reporting
• Standard monthly reporting including incident response and resolution
• Service cost reporting
• Live incident details available via the Cherwell Portal

Additional reporting can be made available to meet individual customer requirements subject to additional charges.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The service does not hold any customer data on a permanent basis. Log files can be requested from Sopra Steria at the end of the contract.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The Secure Data Exchange as a Service has an availability target of 99.95%.
Approach to resilience
Available on Request
Outage reporting
As described above, our solution is highly resilient to help assure continuous availability. Active monitoring and alerting enables our support teams to identify issues early and take action, wherever possible, avoiding actual outage.

In the event that there is a service outage, customers will be advised immediately via email and/or SMS issued by the Sopra Steria Service Desk. Our Major Incident Management team will engage and will coordinate communications throughout the incident lifecycle. Regular updates will be issued in order to keep stakeholders apprised of the current situation and to advise when the incident is resolved and the service restored.

Following the resolution of the incident itself, as part of standard major incident management process, detailed root cause analysis will be carried out. The results of the analysis and any action taken to avoid recurrence will be published to stakeholders as part of monthly Service Management reporting.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Security groups control access to each part of the Cherwell IT Service Management tool and portal, with each group being provided the level of access required to do their job, ranging from portal access to the administrators. This is a multi-tenant platform and has controls so that users can only access the instance relating to their organisation.
API access is via username/password and API key.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
18 December 2017 - 18 December 2020
What the ISO/IEC 27001 doesn’t cover
All the services provided by this service are covered by our ISO/IEC 27001 certification.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
The security governance of Sopra Steria is managed by our board and information security team. The Sopra Steria security governance uses a series of flowdown policies, business rules, processes and guidelines, which are documented as follows:

• Corporate Security Policy
• Information Systems Acceptable Usage Policy
• Application Security Business Rules
• Cryptography Business Rules
• Information Classification and Handling Business Rules
• Logical Access Control Business Rules
• Network Security Business Rules
• Physical and Environmental Security Business Rules
• Security Monitoring and Reporting Business Rules
• Use of non-Corporate Computer Devices Business Rules
• Vulnerability Management Business Rules
• Information Risk Framework
• Information Security Management System Framework
• Email Account Investigation Process
• Firewall Change Process
• Patch Management Process
• Privilege Access Management Process
• Security Incident Management Process
• Supplier Security Assurance Process
• Third Party Access Security Process
• Information Asset Disposal Process
• Forensic Handling of Incident Data Guidelines
• Remote Working with Corporate Systems Guidelines
• Security Incident Classification Guidelines
• Security Threat Intelligence Guideline
• Secure Media Handling and Cloud Storage Guidelines

All members of staff receive annual training and the internal security team conducts regular audits to ensure that policies are complied with.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Like all of our standard Service Management processes, our approaches to both Configuration and Change Management are built on and conformant with ITIL best practice, ISO/IEC20000 Service Management and ISO/IEC27001 Security Management standards. We use Cherwell change management functionality to track through the change lifecycle from inception to release and review. Every change is actively assessed for any potential impact on the services including security impact. Our configuration management approach is fully integrated into all other key Service Management processes including Change, Event, Incident and Problem Management. We use the Cherwell CMDB functionality to monitor and control all configuration items.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have a defined vulnerability management process that enables us to identify and manage any potential vulnerabilities on our systems. Our corporate policy CP-E04-BR-003 UK Vulnerability Management Business Rules details how we receive and manage threat information and then how those threats are managed against our risk management processes.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The protective monitoring of our systems is carried out by our internal Security Operations Centre, which monitors our entire corporate network and provides detailed event analysis when required. In the event of a security event we have a detailed incident management process that is activated, and the event is managed according to severity following internal assessment. As we have our own SOC our incident response time is immediate.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our Incident Management process is standard, repeatable and conformant with ITIL best practice, ISO/IEC20000 Service Management and ISO/IEC27001 Security Management standards. We use Cherwell functionality to track incidents right through their lifecycle. Customer superusers report incidents via the self-service Cherwell Portal. High priority incidents are reported by phone to the Service Desk. Incidents are routed directly to resolver groups covering different aspects of the service e.g. cloud or applications teams. Updates/reports on individual incidents are available through the portal. Major Incident reports/updates are pushed through email/SMS to key stakeholders. Monthly reports also provide incident summaries, detail and service performance.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£0.00 a unit
Discount for educational organisations
Free trial available
