SAI360 provides the framework for creating Safety Observations specific to the nature of the observation, such as process-specific by department or location, task-specific by activity or job hazard analysis, or focus-specific by the company’s current focus topic. Observations are used to identify desired behaviours as well as improvement opportunities.
- Centralised record of Observations
- Easy to use search and find capabilities
- Tailor the system to unique needs
- Identify trends associated with at-risk behaviour and encourage desired behaviours
- Identify opportunities to promote safety before adverse events occur
- Include all personnel in making a safe working culture
- Encourage desired behaviours
£25000 per unit
SAI Global Limited
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||SAI360 is a web-based application and as such is available at all times, given availability of required network connectivity. Any planned system downtime (for maintenance, upgrades, etc.) will be communicated well in advance.|
|System requirements||Access to a standard web browser for online use|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
SAI360 support team are available Monday to Friday between 8.00-5.00pm GMT. Response times are defined by the priority of the ticket.
As a global business additional support options are available for clients that require additional support at a cost.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
SAI Global offers Support and Maintenance as part of the licencing fee.
Our helpdesk is located in UK, and our Support staff are in turn supported by Development, QA, Senior Consultants and Technical Consultants if required.
For the hosted solution, availability is 99% of business hours.
Our standard response times are the following, based on a best endeavour basis: Times for workarounds and fixes reflect a best effort. These times are provided for product software defects and are the lead times until these defects can be remedied by corrections to the software provided.
Support tickets are most commonly logged via the Helpdesk Portal or email, with escalations and urgent issues commonly being logged by telephone. As supporting evidence is generally essential for troubleshooting, phone lodgement is the least effective and will generally require email or portal follow up and updates.
All emails sent to our support system will either initiate creation of a ticket, or be automatically added to the existing ticket (based simply on the ticket number being present in the email header). All support staff from you organisation will have access to all tickets logged by your team.
|Support available to third parties||No|
Onboarding and offboarding
Implementation team training.
SAI Global provides end-user training in a train-the-trainer format, allowing Company to self-train the end-users and be flexible in training. This is done in a classroom setting.
|End-of-contract data extraction||Service provider can assist to extract and provide in any type of text-driven file format|
|End-of-contract process||All client data is deleted upon contract cancellation. Verification is provided upon request.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None as service is accessed using web browser.|
|Description of customisation||User Administration Configuration|
|Independence of resources||
Our applications and their supporting infrastructure are designed and deployed, from inception, as a Software-as-a-Services (SaaS) solution.
The hosted environment is continuously monitored for resource utilization. For emergency situations, the hosting department has ‘standby’ capacity ready to be deployed to address any capacity issues.
Inbound traffic is managed by redundant front-end network-based load balancers. Load is distributed across multiple server farms to ensure optimal performance and a consistent end user experience. Network Load Balancing provides scalability and high availability to enterprise-wide services.
|Service usage metrics||Yes|
|Metrics types||We are able to create service usage metrics on request. These can be tailored to the clients specifications and regularly scheduled.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||Data within the database (with the exception of passwords) is not encrypted. Instead, data is secured by a combination of normal SQL security measures and secure access to the SAI Global Platform. In an SAI Global hosted environment, SSL and commercial grade firewalls are employed to ensure security.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||CSV|
|Data export formats||
|Other data export formats||Any other type of text-driven file format|
|Data import formats||
|Other data import formats||Any other type of text-driven file format|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
|Other protection within supplier network||SAI Global uses a multi-tiered perimeter defense infrastructure ensuring the greatest possible protection from unauthorized access or malicious activities. Measures include a most-restrictive firewall policy, network and pattern-matching intrusion detection and prevention systems as well as an extensive and current anti-virus infrastructure.|
Availability and resilience
SAI Global will have at least 99% uptime during which the Products will be available for Customer’s use under the Agreement, as measured yearly, excluding scheduled downtime (as described below).
a. Unscheduled Downtime. We will notify Customer within one hour of any known and verified unscheduled downtime of Services, and update the status to Customer periodically until the Service is back up. SAI Global will immediately notify Customer when the Service is restored.
b. Scheduled Downtime. This may include scheduled maintenance, upgrades of hardware or software, or upgrades to increase security or storage capacity. The primary window used regularly for scheduled maintenance is from Saturday at 10:00 PM to Sunday at 10:00 AM. Most scheduled maintenance is conducted in a few hours. In addition, Wednesday morning from 12:00 AM (midnight) to 6:00 AM may be used in the case of emergencies to implement a fix, upgrade or security patch. The Customer will be notified of scheduled down time, expected to be over one hour, in advance.
|Approach to resilience||A full Disaster Recovery replica is maintained in a secondary site on a separate flood plain. Virtual machines are replicated from the primary data center, and databases kept at near real time state by using log shipping. Typically, recovery time is less than 4 hours, with a recovery point of less than 2. (The reality is likely to be much lower)|
|Outage reporting||Our Hosted Systems are broadly monitored for availability from multiple physical locations. Visual and auditory alerts are generated within 1 minute of a service fault and email alerts generated within 2 minutes. Immediate action is undertaken to restore impaired services. All service affecting events are logged and analysed by both Development and Hosting resources to ensure that the event is fully understood and steps are taken to mitigate future exposure to the event.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||2-factor authentication|
|Access restrictions in management interfaces and support channels||
Authorisation to data is configurable within a highly granular role-based security model than can restrict access to all or part of a process, to individual records, to certain fields (e.g. sensitive user information) or to certain artefacts (e.g. medical certificates) attached to a record. Role based security is extended through attributes including location, department or other relevant criteria.
Application access is protected by a username/password over SSL, which can be configured to a third-party authentication mechanism.
Audit logs are available to an administrator that provides details of record view, update, create and all system operations on records.
|Access restriction testing frequency||At least once a year|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||SIRIM QAS International|
|ISO/IEC 27001 accreditation date||15/08/2018|
|What the ISO/IEC 27001 doesn’t cover||All services outside the hosted application environment|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||ISO 31000|
|Information security policies and processes||
Our SaaS application is managed under the ISO27001 framework, the completeness of, and compliance with which was examined and certified by the external auditor SIRIM QAS International in August 2018.
The security of our customers data and information is one of our highest priorities. We put in place Non-disclosure agreements (NDAs) with our customers for all customer information. No information can be used without specific approval of our clients. Under our ISO 27001:2013 certification we have policies in place for Confidentiality, Data Security, and Classification of data. All data has an owner and a classification. This includes electronic as well as paper based information. All data is protected whether in transit or as rest. All customer data has the highest classification for security. Breach of this policy will result in disciplinary action. Depending on the severity of the breach, this may include:-
• An informal warning from a manager
• A formal verbal or written warning for misconduct
• Dismissal for gross misconduct
• Criminal proceedings
• Civil proceedings to recover damages
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||SAI Global has both a Change Management Policy and Procedure. These are logged into an internal ITSM systems, however, based on priority levels, etc, will be discussed with an SAI Global Client Account Manager.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Internal Vulnerability Scanning is undertaken for all corporate and customer facing systems on a weekly basis. Information Security monitors vulnerabilities and reports to Asset owners for remediation. External systems are vulnerability tested on an annual basis or after a significant infrastructure change. Plans are in place to increase the external testing to monthly using automated processes as an extension of the internal scans. The annual Independent external tests will be retained.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||IPS, IDS, web filtering, Internet facing DLP, Websense DLP for Web traffic, log correlation event monitoring. SAI Global employs a “most-restrictive” policy in regards to all network device policies and access controls. Firewall, IDP, IDS, DLP rules are continually reviewed and monitored for suspicious events. Device configuration is standardized and heavily documented. Adjustments to configurations and policies are reflected in the associated system or device documentation.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
SAI Global has a rigorous incident management process for security events. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. SAI Global's security incident management program is structured around the ISO 27002 and NIST guidance on handling incidents.
Testing of incident response plans is performed for key areas. To help ensure the swift resolution of security incidents, the SAI Global security team is available 24/7 to all employees.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£25000 per unit|
|Discount for educational organisations||No|
|Free trial available||No|