Six Degrees Technology Group Limited

GDPR Data Scanning

The Risk Intelligence Scan provides a point in time scan of unstructured data within an organisation. This includes but is not limited to Word documents, Excel documents, Notepad documents and Outlook PST and OST files. Risk Intelligence provides a scanning technology to assist in the GDPR Data Mapping exercise.


  • Scans for Personal Identifiable Information (PII)
  • The scan itself looks at unstructured data only
  • Report provides typical cost if fined for all unsecured data
  • Risk and the critical status of each Information Collection analysed
  • One off scan and ongoing managed service options
  • Performing vulnerability assessment scans that adhere to industry standards
  • A risk analysis and recommendations report
  • Scoping and prioritising remediation activities


  • Highlights where existing data is currently located
  • Scan specifically related to PII
  • Helps readiness to meet the compliance aims for GDPR
  • Information security controls
  • Corporate governance


£600 per instance

  • Education pricing available

Service documents

G-Cloud 10


Six Degrees Technology Group Limited

Andrew Mellish

07825 795 381

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Community cloud
Service constraints No
System requirements
  • The scan itself looks at unstructured data only
  • Multiple formats including: txt, html, doc, pst, xls, xml, ost...

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Public Sector Cloud has a 30 minutes first response SLA for Priority 1 incidents logged via our service desk. This is 1 hour for Priority 2 incidents.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AAA
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Full support of services are provided as standard via the Public Sector Service Desk. The Service Desk is open Mon-Fri 07:00-19:00 and is manned by 1st/2nd line support engineers. The service desk has direct escalation to the operations team where full 3rd line support is provided. Full out of hours support is also provided for all P1 and P2 incidents with clear escalation paths. 6DG also provide additional support services such as O/S and application monitoring, server support, patch management, managed backup, and managed DR services. Pricing is provided either per server or as a flat service fee depending on the size of the environment. All customers are allocated a service delivery manager who is responsible for ensuring the smooth delivery of the service, acts as an escalation point for all incidents, and provides full monthly service reporting.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Provide onsite and telephone / WebEx based training although the service is carried out by 6DG
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All data is sent to users following each scan. There is no additional off boarding or data extraction required. We do not hold client data.
End-of-contract process The contract is split into 3:

* Evaluation = To evaluate the solution, it is recommended that the tool is installed on one of each type of device that needs to be scanned and any file stores that are potential targets are identified and then a subset of folders is used.
*Full Roll Out = Should the evaluation prove to be successful and useful to ‘the customer’, a complete rollout of the Risk Intelligence tool to the estate should be completed.
* Continuous Risk Intelligence = If ‘the customer’ wishes to continue with the Risk Intelligence scan, the tool can be scheduled to run monthly, quarterly, bi-yearly or yearly scans. Each scan then produces an automated report that can be sent direct to ‘the customer’ IT personnel.

Using the service

Using the service
Web browser interface No
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service N/A
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Limited
What users can and can't do using the API All actions that you can perform by the GUI can be achieved via API
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Buyers can customise the service insomuch as to specifically run on their environment and scan the different types of devices throughout the organisation, including physical servers and storage devices, virtual services, cloud based infrastructure, desktops, laptops, and mobile devices.


Independence of resources The service is designed to run discretely in the background and not impact with users. The service is provided individually to each organisation so the requirements of one will not impact another.


Service usage metrics Yes
Metrics types A series of reports is available from detailed local scan reports to network overview reports.

The reports are generated using the redacted information sent from each device, the information is correlated and then presented in an actionable and easy to read report. The report provides a complete insight into the unprotected PII that has been found, it then provides a financial liability amount based on the unprotected data found.

The report then presents the detailed information identifying the file location, file name, file hash and the permissions on each file. Any PII information is available in a “drill down” format.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All data is sent to users following each scan. There is no additional off boarding or data extraction required. We do not hold client data.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • HTML
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 6DG offer a 99.99% availability SLA
Approach to resilience Not relevant for this service. However, for the 6DG cloud, All components have been built in fully resilient pairs. With fully resilient networking links between all components and to external third parties, including multiple ISPs. For host availability SDG use VMware’s HA failover for redundancy.
Outage reporting Not relevant for this service. However, for the 6DG cloud all infrastructure is monitored on the network 24/7. Should there be an outage monitoring alerts are sent to the Public Sector operations team via e-mail and SMS.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels Only authorised contacts are granted access rights to this service, allowing them to connect to the securely to manage their service. The Service Desk for support will only accept requests from authorised contacts. Communication with anybody at 6DG will need to be pre-approved by a known individual in writing. Management of the infrastructure is via dedicated connectivity and out of band of customer data and customer networks
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 19/11/2015 – last surveillance visit from LRQA: 22/03/2018
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials
  • PSN

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes All ISO 27001:2013 controls and associated policies are in place. Enhanced weekly and also quarterly external approved scanning vendor (ASV) vulnerability scanning. Carrenza also comply with our PSN CoCo which is aligned to our security principles that allows us to deliver our customers PSN Secure and Protect. 6DG operate a rolling internal audit programme to ensure continuity of compliance to our various accreditations , as well as internal technical auditing of our systems through the use of various integrity checks. This is ensures that there is always a fully justified and documented Change Request for any modification of our secure systems.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All non-standard changes must be pre-authorised by going through a peer, senior and CAB approval process. Standard changes are created in template form and are approved in CAB before being implement into Change controls.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Not relevant for this service, but for the 6DG cloud; 6DG (Public Sector) run an internal vulnerability test once a week. All reported vulnerabilities that are reported are categorised into priority depending on the severity and a case is logged with the operation team who will fix the vulnerability under the time frames dictated by Public sector patching policy. This conforms to the PCI-DSS standard.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach 6DG (public sector) have a protective monitoring system where all logs are centralised and checked on a daily basis for security breaches using several key search filters. Alerts are sent out for high risk activity and are pro-actively responded to by the operations and security teams. This conforms to the PCI-DSS standard.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach 6DG operate an ITIL aligned incident management process with associated procedures for security related incidents. The process has a clearly defined governance framework, including roles & responsibilities, clear policies and associated KPIs. This process conforms to PCI-DSS.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • New NHS Network (N3)
  • Joint Academic Network (JANET)


Price £600 per instance
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑