Khipu Networks Limited

Secure Cloud SaaS Environments: Prevent data leakage, ensure compliance & protection from Threats

Palo Alto Networks' cloud-based Aperture service is designed to safely enable the use of common SaaS environments. Through easy-to-use controls, we can enforce data protection policies inside SaaS environments, protecting against data leakage, inappropriate SaaS use and incorrect sharing of data, and protecting against malware both known and unknown.


  • SaaS platform security
  • Threat prevention against viruses & malware
  • Dynamic analysis and detection of unknown malware
  • Complete network visibility of supported SaaS applications, threats and content
  • Control over unauthorised file transfer
  • Automatic classification of Health, Financial and Medical Data
  • Granular policy-based security based on data/sharing, with automated actions
  • Workflow/incidents to be assigned to investigators/admins within the application
  • External logging supported
  • Detailed visualisation of incidents


  • Reduce risk of external attacks by identifying/blocking zero-day malware
  • Blocking known viruses and malware in your SaaS environments
  • Automatic shutdown or quarantine of files shared incorrectly
  • Near real-time enforcement of policy via API
  • Starts with 250+ users
  • Supports most major SaaS applications
  • Safely enable usage of SaaS environments even for sensitive data
  • Prevents user error from exposing sensitive data publicly
  • Service updates itself automatically


£23.8 per user per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Khipu Networks Limited

Imai Pragadish


Service scope

Service constraints Aperture supports 21 major SaaS Apps / IaaS / PaaS Vendors. Please refer to the provided URL link for further information: More are being added each month.

It is a cloud-based service hosted in Frankfurt. The service has been built with privacy in mind: though it scans live data, none of the live data is written to disk. Instead, only metadata is written to disk, which is then used to build the reports and enforce policy. The metadata stored in our EY datacentre is encrypted.
System requirements
  • Minimum of 250 users
  • The authentication email domains which are internal to their environment

User support

Email or online ticketing support Email or online ticketing
Support response times Khipu can tailor support packages for end users on response times, where we provide faster response times on support calls relating to mission critical systems, for example. If the end user has a support contract with Khipu which also entitles them to weekend support, response times would not differ. Response times can vary from 30 minutes to 4 hours, depending on the severity of the support call logged.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Khipu’s ethos is to provide ‘outstanding’ technical and after sales support to its customers, during and after a project implementation. To prove this, we have a number of exceptional customer references should end-users wish to speak with them. With all of our supplied solutions, we provide maintenance and support services.

All of the proposed equipment will be supported and maintained by Khipu based upon the appropriate level of cover as required by each individual end user. The following is included within our available support/maintenance services:

• 9am to 5pm Monday to Friday, or 24x7x365(366) Telephone, Email and Remote Access Support
• “Pro-Active” Monitoring, Alerting and Support “KARMA”
• Advanced hardware replacement (with or without an engineer)
• Upgrades / Software Releases (major and minor)
• Quarterly Health Checks
• Co-Managed Services; “adds/moves/changes/deletes” via end-user Helpdesk tickets

Khipu would also assign a technical account manager to every end-user, who would be responsible for ensuring that SLAs are met should end-users call upon the agreed support service.
Support available to third parties Yes

Onboarding and offboarding

Getting started For the delivery of the service, Khipu follows our Scope of Work process which has the following stages:

• Stage 1 – Service scope
• Stage 2 – Implementation
• Stage 3 – Report correlation

This process is Khipu’s way of providing an effective service to implement your solution efficiently and to a high standard in accordance with our ISO accreditations. Initially, we set up a call to discuss the implementation of your service, what will take place, and any pre-requisites that will be needed. This will also give end-users the opportunity to speak to one of our fully qualified engineers to discuss all aspects of the service and any questions they may have. A Scope of Work document is then created based upon the discussion.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Word
  • Visio
End-of-contract data extraction User data is never stored inside the Aperture environment. Only meta-data about the user data is stored. When the contract ends, this data is deleted.
End-of-contract process The end user can continue to use the service that had been provided, however support services would cease and therefore the end user would not be able to contact our Support Helpdesk in the event of a hardware or software issue. The end user will however be notified 90 days in advance of their contract expiring and will be given a quotation with the option to extend the service (pre-paid).

Using the service

Web browser interface No
Command line interface No


Scaling available Yes
Scaling type Manual
Independence of resources Each service that Khipu provides to its customers is a separate dedicated service with guaranteed performance levels unaffected by other users/customers.
Usage notifications Yes
Usage reporting
  • Email
  • SMS
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Palo Alto Networks

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Files
  • Virtual Machines
  • Databases
Backup controls Users are not able to determine what is backed up. The solution is run as a service, with the service being backed-up.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability The advanced endpoint protection service is run at an agreed time with the customer; this is on a 24*7*365(6) schedule. The service has a targeted 99.9% availability on a quarterly basis, excluding scheduled maintenance windows.

Should Khipu not meet the guaranteed levels of availability, service credits are issued in the form of “service tokens”. A service token entitles the user to call upon the professional services of Khipu Networks for work outside of their standard maintenance contract. Service credits are issued and discussed during quarterly service review meetings, based upon the number of failures in the prior quarter. Service credits are capped at 5 per quarter for each end-user.
Approach to resilience This information is available upon request.
Outage reporting The service reports any outages via email alerts and telephone calls.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Access to the management platform is controlled by dual factor authentication and is only available to a small set of personnel.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance
ISO/IEC 27001 accreditation date Original Approval: 6th May 2010, Current Expiry: 5th May 2019
What the ISO/IEC 27001 doesn’t cover All areas of Khipu's business are covered under ISO27001 certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Khipu adhere to ISO policies and procedures. We are certified to ISO9001 (Quality Management) and ISO27001 (Information Security Management).

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All changes to the configuration of the service are managed through a change control process. This looks at technical suitability, security risks and impact on service. This provides an audit trail and ensures all aspects of the change are considered.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We work closely with the manufacturers of the services deployed to ensure that any reported/disclosed vulnerabilities are patched in the next maintenance window. In the event of a major flaw, an emergency change process would be invoked to patch the service within 48 hours. In the event of multiple vulnerabilities, they are addressed in severity order (highest first) until all are mitigated.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are detected via various means: monitoring tools, manual checks, service degradation and reported issues, along with regular vulnerability assessments. In the event of a suspected compromise, it is acted upon with a high priority until it is proven benign or corrective action needs to be taken to mitigate against the compromise. These procedures are in line with our ISO27001 processes.
Incident management type Supplier-defined controls
Incident management approach As part of our support/managed service procedures, the customer is provided with full details of how to log a support call. This includes all logging methods (i.e. email, call, web) and the information required so that the servicedesk team can respond accordingly. Once the call has been logged, depending on its severity level (major issue = service affecting, minor issue = query), it is then managed by the team under the supervision of the servicedesk manager. All service affecting calls are escalated accordingly to the 2nd/3rd line teams including the assigned account and technical manager. Escalation procedures are provided.

Secure development

Approach to secure software development best practice Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy-efficient datacentres Yes


Price £23.8 per user per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Khipu provide a 30-day free trial of the service that is tailored to the end-user's requirements in order for them to test the service accordingly against their success criteria.

