SAI Global Limited

SAI360 - Behaviour Based Safety - FastStart

SAI360 provides the framework for creating Safety Observations specific to the nature of the observation, such as process-specific by department or location, task-specific by activity or job hazard analysis, or focus-specific by the company’s current focus topic. Observations are used to identify desired behaviours as well as improvement opportunities.


  • Centralised record of Observations
  • Easy to use search and find capabilities
  • Tailor the system to unique needs


  • Identify trends associated with at-risk behaviour and encourage desired behaviours
  • Identify opportunities to promote safety before adverse events occur
  • Include all personnel in making a safe working culture
  • Encourage desired behaviours


£25000 per unit

Service documents


G-Cloud 11

Service ID

730126290591593


SAI Global Limited

Kate Evans

07768 971129

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints SAI360 is a web-based application and as such is available at all times, given availability of required network connectivity. Any planned system downtime (for maintenance, upgrades, etc.) will be communicated well in advance.
System requirements Access to a standard web browser for online use

User support

Email or online ticketing support Email or online ticketing
Support response times The SAI360 support team is available Monday to Friday between 8.00-5.00pm GMT. Response times are defined by the priority of the ticket.

As a global business, additional support options are available at a cost for clients that require them.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels SAI Global offers Support and Maintenance as part of the licencing fee.
Our helpdesk is located in UK, and our Support staff are in turn supported by Development, QA, Senior Consultants and Technical Consultants if required.

For the hosted solution, availability is 99% of business hours.

Our standard response times are the following, based on a best endeavour basis: Times for workarounds and fixes reflect a best effort. These times are provided for product software defects and are the lead times until these defects can be remedied by corrections to the software provided.

Support tickets are most commonly logged via the Helpdesk Portal or email, with escalations and urgent issues commonly being logged by telephone. As supporting evidence is generally essential for troubleshooting, phone lodgement is the least effective and will generally require email or portal follow up and updates.
All emails sent to our support system will either initiate creation of a ticket, or be automatically added to the existing ticket (based simply on the ticket number being present in the email header). All support staff from your organisation will have access to all tickets logged by your team.
Support available to third parties No

Onboarding and offboarding

Getting started Implementation team training.
SAI Global provides end-user training in a train-the-trainer format, allowing Company to self-train the end-users and be flexible in training. This is done in a classroom setting.
Service documentation No
End-of-contract data extraction Service provider can assist to extract and provide in any type of text-driven file format
End-of-contract process All client data is deleted upon contract cancellation. Verification is provided upon request.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None as service is accessed using web browser.
Service interface No
Customisation available Yes
Description of customisation User Administration Configuration


Independence of resources Our applications and their supporting infrastructure are designed and deployed, from inception, as a Software-as-a-Service (SaaS) solution.

The hosted environment is continuously monitored for resource utilization. For emergency situations, the hosting department has ‘standby’ capacity ready to be deployed to address any capacity issues.

Inbound traffic is managed by redundant front-end network-based load balancers. Load is distributed across multiple server farms to ensure optimal performance and a consistent end user experience. Network Load Balancing provides scalability and high availability to enterprise-wide services.


Service usage metrics Yes
Metrics types We are able to create service usage metrics on request. These can be tailored to the client's specifications and regularly scheduled.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Data within the database (with the exception of passwords) is not encrypted. Instead, data is secured by a combination of normal SQL security measures and secure access to the SAI Global Platform. In an SAI Global hosted environment, SSL and commercial grade firewalls are employed to ensure security.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach CSV
Data export formats
  • CSV
  • Other
Other data export formats Any other type of text-driven file format
Data import formats
  • CSV
  • Other
Other data import formats Any other type of text-driven file format

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network SAI Global uses a multi-tiered perimeter defense infrastructure ensuring the greatest possible protection from unauthorized access or malicious activities. Measures include a most-restrictive firewall policy, network and pattern-matching intrusion detection and prevention systems as well as an extensive and current anti-virus infrastructure.

Availability and resilience

Guaranteed availability SAI Global will have at least 99% uptime during which the Products will be available for Customer’s use under the Agreement, as measured yearly, excluding scheduled downtime (as described below).

a. Unscheduled Downtime. We will notify Customer within one hour of any known and verified unscheduled downtime of Services, and update the status to Customer periodically until the Service is back up. SAI Global will immediately notify Customer when the Service is restored.

b. Scheduled Downtime. This may include scheduled maintenance, upgrades of hardware or software, or upgrades to increase security or storage capacity. The primary window used regularly for scheduled maintenance is from Saturday at 10:00 PM to Sunday at 10:00 AM. Most scheduled maintenance is conducted in a few hours. In addition, Wednesday morning from 12:00 AM (midnight) to 6:00 AM may be used in the case of emergencies to implement a fix, upgrade or security patch. The Customer will be notified of scheduled down time, expected to be over one hour, in advance.
Approach to resilience A full Disaster Recovery replica is maintained in a secondary site on a separate flood plain. Virtual machines are replicated from the primary data center, and databases kept at near real time state by using log shipping. Typically, recovery time is less than 4 hours, with a recovery point of less than 2. (The reality is likely to be much lower)
Outage reporting Our Hosted Systems are broadly monitored for availability from multiple physical locations. Visual and auditory alerts are generated within 1 minute of a service fault and email alerts generated within 2 minutes. Immediate action is undertaken to restore impaired services. All service affecting events are logged and analysed by both Development and Hosting resources to ensure that the event is fully understood and steps are taken to mitigate future exposure to the event.

Identity and authentication

User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Authorisation to data is configurable within a highly granular role-based security model that can restrict access to all or part of a process, to individual records, to certain fields (e.g. sensitive user information) or to certain artefacts (e.g. medical certificates) attached to a record. Role-based security is extended through attributes including location, department or other relevant criteria.

Application access is protected by a username/password over SSL, which can be configured to a third-party authentication mechanism.

Audit logs that provide details of record view, update, create and all system operations on records are available to an administrator.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SIRIM QAS International
ISO/IEC 27001 accreditation date 15/08/2018
What the ISO/IEC 27001 doesn’t cover All services outside the hosted application environment
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards ISO 31000
Information security policies and processes Our SaaS application is managed under the ISO27001 framework, the completeness of, and compliance with, which was examined and certified by the external auditor SIRIM QAS International in August 2018.

The security of our customers' data and information is one of our highest priorities. We put in place non-disclosure agreements (NDAs) with our customers for all customer information. No information can be used without specific approval of our clients. Under our ISO 27001:2013 certification we have policies in place for Confidentiality, Data Security, and Classification of data. All data has an owner and a classification. This includes electronic as well as paper-based information. All data is protected whether in transit or at rest. All customer data has the highest classification for security. Breach of this policy will result in disciplinary action. Depending on the severity of the breach, this may include:
• An informal warning from a manager
• A formal verbal or written warning for misconduct
• Dismissal for gross misconduct
• Criminal proceedings
• Civil proceedings to recover damages

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach SAI Global has both a Change Management Policy and Procedure. These are logged into an internal ITSM system; however, based on priority levels, etc., they will be discussed with an SAI Global Client Account Manager.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Internal Vulnerability Scanning is undertaken for all corporate and customer facing systems on a weekly basis. Information Security monitors vulnerabilities and reports to Asset owners for remediation. External systems are vulnerability tested on an annual basis or after a significant infrastructure change. Plans are in place to increase the external testing to monthly using automated processes as an extension of the internal scans. The annual Independent external tests will be retained.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach IPS, IDS, web filtering, Internet facing DLP, Websense DLP for Web traffic, log correlation event monitoring. SAI Global employs a “most-restrictive” policy in regards to all network device policies and access controls. Firewall, IDP, IDS, DLP rules are continually reviewed and monitored for suspicious events. Device configuration is standardized and heavily documented. Adjustments to configurations and policies are reflected in the associated system or device documentation.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach SAI Global has a rigorous incident management process for security events. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. SAI Global's security incident management program is structured around the ISO 27002 and NIST guidance on handling incidents.
Testing of incident response plans is performed for key areas. To help ensure the swift resolution of security incidents, the SAI Global security team is available 24/7 to all employees.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £25000 per unit
Discount for educational organisations No
Free trial available No
