SSLP GROUP LTD

ePayslip portal

Secure storage and access for employee documents, such as payslips, P60s, P45s, P11Ds, employee pension Automatic Enrolment letters, contracts of employment, terms and conditions of employment and employee handbooks.

Secure file transfer and secure file storage and access.

Secure document portals.

Secure email.

Features

• Secure employee access from any device - 24/7/365 access
• Multi-factor authentication
• Enterprise encryption of data in transit and in storage
• ISO27001 accredited supplier
• Cyber Essentials accredited supplier
• Branded document portal web pages and email notifications
• Each data fields encrypted with unique Data Encryption Keys (DEKs)
• Each DEK encrypted with its own Master Encryption Key (MEKs)
• MEKs hosted in separate data centers to hosting of DEKs
• All access attempts are logged and logs are encrypted

Benefits

• Payslips and other employee information available through a secure portal
• Any document can be stored securely in the portal
• Any document can be accessed securely via the portal
• 24/7/365 access to documents stored in the portal
• Documents can be digitally approved in the portal
• Portal documents can be downloaded to a local drive
• Any Internet smart device can enable access to the portal
• Employees do not have to request copy documents from payroll
• Employer can send communications to employee via the portal
• Employer can use Secure File Transfer and Secure Email

£0.60 to £1.20 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at lg@sslpost.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

302707134078813

Contact

Louise Goody
07516500676
lg@sslpost.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Any payroll software;; ; Any software that sends batch PDF documents;; ; Plug-in for MS Outlook and MS Outlook 365 to send secure files.
• Cloud deployment model: Private cloud
• Service constraints: Any planned maintenance is notified to all clients at least 48 hours before the planned maintenance starts.; ; Service levels are included as part of our service level agreement
• System requirements:
  • Sender must use SSLPost's Secure Send file transfer software
  • Sender must open port 443 to send documents over https
  • Sender must support using TLS vs 1.2 or higher
  • Sender must enable any proxy server to reach SSLPost endpoint(s)
  • Documents must always use the same unique reference ID
  • Recipients are indentified by their unique reference ID
  • Unique reference IDs cannot be re-used more than once

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 24 hours Monday to Friday
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: We provide a 99.95% service level uptime agreement.; ; Support queries are answered within 24 hours Monday to Friday or weekends if severe.; ; Critical support issues are reviewed by an account manager as soon as they are received.; ; Our service level agreement defines first, second and third level support issues and their resolution timescales
• Support available to third parties: No

Onboarding and offboarding

• Getting started: User documentation is provided on our website.; ; Online training is provided on the day of implementation.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: On conclusion or termination of a contract, data extraction is requested in writing by the data controller. Data is transferred to data controller via secure file transfer. Data extractions for data subjects are then performed by the data controller on request from the data subject via written request.; ; Data would be extracted as a CSV file and sent to the data controller in an encrypted file.
• End-of-contract process: When the contract terminates we may be asked to delete the data. This is requested in writing from the data controller. There is no charge for data deletion. Live data is deleted within 5 working days with backups completing their deletion cycle within 90 days from the live deletion.; ; If data access is required after termination of the contract and deletion is not required then we would agree an access and storage fee with the client.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: Yes
• Compatible operating systems: Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: For a recipient of a secure document there is no difference if the recipient is using a mobile or desktop to access and view their documents.; ; For a sender to send batch documents they must install our Secure File Transfer software on a Windows desktop or Windows network server.; ; For a sender to send one off documents there is no difference if the recipient is using a mobile or desktop to send encrypted files.
• Service interface: Yes
• Description of service interface: Batch documents must be loaded and sent using our client side Secure Send software (which is a proprietary form sftp software). ; Secure Send must be able to open port 443 on the Sender's outbound mail server and allow files to be sent over htpps using TLS version 1.2 or higher.; The Sender's outbound mail server must be able to make a secure connection with SSLPost's server endpoints.; ; For single documents the Sender can use the web application or a MS Outlook plug-in
• Accessibility standards: None or don’t know
• Description of accessibility: Service is accessible via an embedded web link in a notification email
• Accessibility testing: None
• API: No
• Customisation available: Yes
• Description of customisation: Clients can use their own logo and pantone colours on the application's web pages and on email notifications sent to recipients.; ; The customisation has to be done by SSLPost

Scaling

• Independence of resources: Infinite scaling through Amazon Web Services and Google Cloud

Analytics

• Service usage metrics: Yes
• Metrics types: Uptime for Service Level Agreements
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Encryption of all digital media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: For batch files we provide client side software called Secure Send. The client side software can be installed on a Windows desktop, laptop or network server.; The user can drag and drop a batch file into Secure Send, which will split the batch file into individual documents and stream them individually to the SSLPost end point servers securely by opening port 443 on the client's outbound mail server and streaming over https using TLS vs 1.2 or higher.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • Word
  • Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • PDF
  • Word
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service Level Agreement - 99.95% uptime; ; Values of contracts are not material to warrant refunds.
• Approach to resilience: Available on request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: All administrative access requires authentication and authorisation. Access channels are protected with industry-standard encryption such as RSA, AES and EC. Infrastructure access endpoints use VPN and SSH. Access failures are monitored and proactively blocked. Where possible two-factor authentication is used. All successful and failed access attempts are logged and stored centrally.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: The Certification Group
• ISO/IEC 27001 accreditation date: Next due 15/09/2020 last audit 13/09/2019
• What the ISO/IEC 27001 doesn’t cover: Credit card payments are excluded from the statement of applicability as we do not handle them.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: The business processes are controlled by a full information management security system (ISMS) and PIMS for GDPR and data protection purposes. All policies and processes comply with the statement of applicability (SOA) for ISO27001 and GDPR/DPA data protection and privacy requirements.; These systems require extensive reporting and compliance policies, procedures and processes which are documented within our intranet. All SMT are members of the ISMS team.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Change management follows the Change Management policies, procedures and processes laid down in the ISMS ISO27001 standard. Changes are risk assessed, monitored, managed and authorised through the ticket system according to the policy. All changes applied to infrastructure are managed with either configuration-as-code or infrastructure-as-code tooling. All source code and platform configuration is managed in distributed version control systems.; The production application stack is deployed as immutable, container-based packages.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Infrastructure and web applications undergo industry-standard vulnerability scan every day - discovered vulnerabilities are managed in vulnerability management software. All patches are installed as soon as possible or delayed until low-traffic maintenance window if the patch installation would impact end-user service availability.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: IT infrastructure is monitored both externally and using monitoring agents. Health and performance metrics are collected constantly, stored and available for inspection when. Detected incidents result in automated alerts.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Under ISO27001 a full policy, procedure and process is defined within the ISMS for incident monitoring and management. Staff have access to flowcharts that detail the steps required in the event of an incident being reported internally or externally, broken down by type (breach/external attack/suspected breach/fire/flood/outage etc). The flowcharts can be provided on request.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £0.60 to £1.20 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Single user, non-branded portal for sending and receiving individual files or documents.; ; Batch file processing is not included.; ; 3 month trial

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at lg@sslpost.com. Tell them what format you need. It will help if you say what assistive technology you use.