G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with SAI Global Limited are still valid.
SAI Global Limited

SAI360 - Behaviour Based Safety - FastStart

SAI360 provides the framework for creating Safety Observations specific to the nature of the observation, such as process-specific by department or location, task-specific by activity or job hazard analysis, or focus-specific by the company’s current focus topic. Observations are used to identify desired behaviours as well as improvement opportunities.

Features

  • Centralised record of Observations
  • Easy to use search and find capabilities
  • Tailor the system to unique needs

Benefits

  • Identify trends associated with at-risk behaviour and encourage desired behaviours
  • Identify opportunities to promote safety before adverse events occur
  • Include all personnel in making a safe working culture
  • Encourage desired behaviours

Pricing

£25,000 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@6947a154-4216-4bf6-8efe-3c4eb175dadc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

730126290591593

Contact

SAI Global Limited <removed>
Telephone: <removed>
Email: <removed>@6947a154-4216-4bf6-8efe-3c4eb175dadc.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
SAI360 is a web-based application and as such is available at all times, given availability of required network connectivity. Any planned system downtime (for maintenance, upgrades, etc.) will be communicated well in advance.
System requirements
Access to a standard web browser for online use

User support

Email or online ticketing support
Email or online ticketing
Support response times
SAI360 support team are available Monday to Friday between 8.00-5.00pm GMT. Response times are defined by the priority of the ticket.

As a global business, additional support options are available at a cost for clients that require them.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
SAI Global offers Support and Maintenance as part of the licencing fee.
Our helpdesk is located in UK, and our Support staff are in turn supported by Development, QA, Senior Consultants and Technical Consultants if required.

For the hosted solution, availability is 99% of business hours.

Our standard response times are the following, based on a best endeavour basis: Times for workarounds and fixes reflect a best effort. These times are provided for product software defects and are the lead times until these defects can be remedied by corrections to the software provided.

Support tickets are most commonly logged via the Helpdesk Portal or email, with escalations and urgent issues commonly being logged by telephone. As supporting evidence is generally essential for troubleshooting, phone lodgement is the least effective and will generally require email or portal follow up and updates.
All emails sent to our support system will either initiate creation of a ticket, or be automatically added to the existing ticket (based simply on the ticket number being present in the email header). All support staff from your organisation will have access to all tickets logged by your team.
Support available to third parties
No

Onboarding and offboarding

Getting started
Implementation team training.
SAI Global provides end-user training in a train-the-trainer format, allowing Company to self-train the end-users and be flexible in training. This is done in a classroom setting.
Service documentation
No
End-of-contract data extraction
Service provider can assist to extract and provide in any type of text-driven file format
End-of-contract process
All client data is deleted upon contract cancellation. Verification is provided upon request.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None as service is accessed using web browser.
Service interface
No
API
No
Customisation available
Yes
Description of customisation
User Administration Configuration

Scaling

Independence of resources
Our applications and their supporting infrastructure are designed and deployed, from inception, as a Software-as-a-Service (SaaS) solution.

The hosted environment is continuously monitored for resource utilization. For emergency situations, the hosting department has ‘standby’ capacity ready to be deployed to address any capacity issues.

Inbound traffic is managed by redundant front-end network-based load balancers. Load is distributed across multiple server farms to ensure optimal performance and a consistent end user experience. Network Load Balancing provides scalability and high availability to enterprise-wide services.

Analytics

Service usage metrics
Yes
Metrics types
We are able to create service usage metrics on request. These can be tailored to the client's specifications and regularly scheduled.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Data within the database (with the exception of passwords) is not encrypted. Instead, data is secured by a combination of normal SQL security measures and secure access to the SAI Global Platform. In an SAI Global hosted environment, SSL and commercial grade firewalls are employed to ensure security.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
CSV
Data export formats
  • CSV
  • Other
Other data export formats
Any other type of text-driven file format
Data import formats
  • CSV
  • Other
Other data import formats
Any other type of text-driven file format

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
SAI Global uses a multi-tiered perimeter defense infrastructure ensuring the greatest possible protection from unauthorized access or malicious activities. Measures include a most-restrictive firewall policy, network and pattern-matching intrusion detection and prevention systems as well as an extensive and current anti-virus infrastructure.

Availability and resilience

Guaranteed availability
SAI Global will have at least 99% uptime during which the Products will be available for Customer’s use under the Agreement, as measured yearly, excluding scheduled downtime (as described below).

a. Unscheduled Downtime. We will notify Customer within one hour of any known and verified unscheduled downtime of Services, and update the status to Customer periodically until the Service is back up. SAI Global will immediately notify Customer when the Service is restored.

b. Scheduled Downtime. This may include scheduled maintenance, upgrades of hardware or software, or upgrades to increase security or storage capacity. The primary window used regularly for scheduled maintenance is from Saturday at 10:00 PM to Sunday at 10:00 AM. Most scheduled maintenance is conducted in a few hours. In addition, Wednesday morning from 12:00 AM (midnight) to 6:00 AM may be used in the case of emergencies to implement a fix, upgrade or security patch. The Customer will be notified of scheduled down time, expected to be over one hour, in advance.
Approach to resilience
A full Disaster Recovery replica is maintained in a secondary site on a separate flood plain. Virtual machines are replicated from the primary data center, and databases kept at near real time state by using log shipping. Typically, recovery time is less than 4 hours, with a recovery point of less than 2. (The reality is likely to be much lower)
Outage reporting
Our Hosted Systems are broadly monitored for availability from multiple physical locations. Visual and auditory alerts are generated within 1 minute of a service fault and email alerts generated within 2 minutes. Immediate action is undertaken to restore impaired services. All service affecting events are logged and analysed by both Development and Hosting resources to ensure that the event is fully understood and steps are taken to mitigate future exposure to the event.

Identity and authentication

User authentication needed
Yes
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Authorisation to data is configurable within a highly granular role-based security model that can restrict access to all or part of a process, to individual records, to certain fields (e.g. sensitive user information) or to certain artefacts (e.g. medical certificates) attached to a record. Role-based security is extended through attributes including location, department or other relevant criteria.

Application access is protected by a username/password over SSL, which can be configured to a third-party authentication mechanism.

Audit logs are available to an administrator and provide details of record view, update, create and all system operations on records.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
SIRIM QAS International
ISO/IEC 27001 accreditation date
15/08/2018
What the ISO/IEC 27001 doesn’t cover
All services outside the hosted application environment
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO 31000
Information security policies and processes
Our SaaS application is managed under the ISO27001 framework, the completeness of, and compliance with which was examined and certified by the external auditor SIRIM QAS International in August 2018.

The security of our customers' data and information is one of our highest priorities. We put in place non-disclosure agreements (NDAs) with our customers for all customer information. No information can be used without specific approval of our clients. Under our ISO 27001:2013 certification we have policies in place for Confidentiality, Data Security, and Classification of data. All data has an owner and a classification. This includes electronic as well as paper-based information. All data is protected whether in transit or at rest. All customer data has the highest classification for security. Breach of this policy will result in disciplinary action. Depending on the severity of the breach, this may include:
• An informal warning from a manager
• A formal verbal or written warning for misconduct
• Dismissal for gross misconduct
• Criminal proceedings
• Civil proceedings to recover damages

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
SAI Global has both a Change Management Policy and Procedure. These are logged into an internal ITSM system; however, based on priority levels, etc., they will be discussed with an SAI Global Client Account Manager.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Internal Vulnerability Scanning is undertaken for all corporate and customer facing systems on a weekly basis. Information Security monitors vulnerabilities and reports to Asset owners for remediation. External systems are vulnerability tested on an annual basis or after a significant infrastructure change. Plans are in place to increase the external testing to monthly using automated processes as an extension of the internal scans. The annual Independent external tests will be retained.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
IPS, IDS, web filtering, Internet facing DLP, Websense DLP for Web traffic, log correlation event monitoring. SAI Global employs a “most-restrictive” policy in regards to all network device policies and access controls. Firewall, IDP, IDS, DLP rules are continually reviewed and monitored for suspicious events. Device configuration is standardized and heavily documented. Adjustments to configurations and policies are reflected in the associated system or device documentation.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
SAI Global has a rigorous incident management process for security events. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. SAI Global's security incident management program is structured around the ISO 27002 and NIST guidance on handling incidents.
Testing of incident response plans is performed for key areas. To help ensure the swift resolution of security incidents, the SAI Global security team is available 24/7 to all employees.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£25,000 a unit
Discount for educational organisations
No
Free trial available
No
