CySure Ltd

GDPR VOSO (Virtual Online Security Officer)

CySure has mapped the security component of GDPR into VOSO (Virtual Online Security Officer), which breaks down the regulation into a set of discrete actions, providing an easy-to-follow, staged approach to compliance with GDPR regulatory requirements.


  • Virtual Online Security Officer
  • Inbuilt CE, IASME and GDPR compliant security policies/plans
  • Contains all on-line security training videos for continual staff training
  • Compliance dashboard displays your progress against selected standard
  • Compliance history and audit trail
  • In-built security events issue training videos, plan reviews, vulnerability scans
  • Remote monitoring of all networked devices to ensure compliance
  • Asset mapping, vulnerability scanning and patching
  • Network and device secure configuration
  • Access management and control, password management


  • VOSO reduces the requirement for cybersecurity consultants/compliance officers
  • A fraction of the cost of its human counterpart
  • Continual cybersecurity process that maintains a cybersecure posture
  • Ensures compliance with CE, IASME and GDPR requirements and certification
  • Provides dashboard for board oversight of cybersecurity and regulatory compliance
  • Mitigates the risk of lawsuits and regulatory fines
  • Reduced remediation and insurance costs
  • Continual training of the workforce to offset social media campaigns
  • VOSO contains all policies required for cybersecurity regulatory compliance


£1 per person per month

  • Free trial available

Service documents

G-Cloud 10


CySure Ltd

Nicholas Denning

0203 9003300

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to:
  • Virtual Private Network
  • Remote cyber-security monitoring
  • Remote user access control and management and password administration
  • Malware and firewall management
  • Vulnerability mapping, scanning and patch management
  • Remote network and device secure configuration
  • On and offsite backup
Cloud deployment model: Public cloud
Service constraints: We have planned maintenance windows during which we update the solution. These are generally out of working hours.
System requirements: Up-to-date and supported browser.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within 2 hours Monday to Friday 9 - 5.30pm. Within 12 hours at weekends.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Help available through website. Initiate a chat window.
Web chat accessibility testing: N/A
Onsite support: Yes, at extra cost
Support levels: We provide level 1 support to users who need help using the system as is, level 2 support for users wishing to update the configuration, and level 3 support for effort to identify and resolve bugs, which generally requires a release of the system.
We provide a single level of support for use of the system.
We do not provide a named account manager or support engineer as a standard facility, though we provide an equivalent for large customers who identify a single point of contact for interaction with their organisation.
However, customers using our system often find that they reach the limits of their knowledge and skill and require assistance services. We can provide onsite consultancy for process consultation and certification, either from CySure or by introduction of third parties who are already users of VOSO.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Registration is an automated process that includes entering details that then on-board the organization. There are on-line help and videos at each section.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: Users can produce time series reports and certification documents as well as download any data input documents.
End-of-contract process: Cybersecurity is a continual process. Should a user decide to cancel the service they give 30 days' notice. They have 30 days to download any reports and certifications held in the system. Their account is then disabled.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: There are no differences, except that the ability to complete certain tasks may be affected by the screen size of the device. Mobile devices may be used to view status and track progress and in some cases complete tasks, but the service is primarily designed to be used on a workstation. Our support is reasonable on tablets. We will continue to develop in this area to support phones.
Accessibility standards: None or don’t know
Description of accessibility: We have not made any specific provision to meet WCAG.
Accessibility testing: None.
What users can and can't do using the API: Our API is currently focused on providing integration with other vendor products deployed by users so that a single view of the truth is possible from our dashboard.
Our system is web based and as such exposes all services through an API. Ensuring no abuse of this is a key element of our security testing.
We do not currently publish this API to users and will not expose it until there is a specific business requirement for users to access it.
API documentation: No
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: A key element of our solution is the knowledge base, events that can occur and the description of the activities that should be undertaken on a regular or ad-hoc basis to deliver an appropriate level of cyber protection. Users are able to load details of new content and to modify the tasks that we provide. A key element of our development plan is to expose the content loading and editing capabilities.


Independence of resources: Our solution runs on AWS in a single multi-tenanted instance employing a strong security model to enable partitioning of data and the ability for an organisation to expose under tight control certain subsets of data. (Actually we have an instance in the US for that market, and a separate instance in the UK for the EU market.) To that extent users are not partitioned. However, we have carefully designed our locking model to minimise interaction between customers. Our model is to exploit AWS monitoring and scalability tools to ensure that as demand grows we can assign additional resources.


Service usage metrics: Yes
Metrics types: We have the provision to record all service calls made to the system. This is primarily for the purposes of a security audit trail. System administrators can modify the filters to record summaries of calls by users or calls by service. Details of service usage are available to a system administrator and on screen. In the future we expect to extend this to include KPIs.
Reporting types:
  • Real-time dashboards
  • Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Encryption of all physical media
  • Other
Other data at rest protection approach: All our data at rest is encrypted: we encrypt the AWS machines before we deploy them, encrypt the database tables in our MySQL database, and encrypt the S3 backups using the AWS encryption keys service.
On specific occasions we download production data for investigation. When this takes place, the download is to an encrypted drive, the download is logged, and deletion of the data is recorded in the log.
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Documents and other artefacts can be downloaded from the system using the interactive interface.
Data can be output using reports via the report generator as documents.
Users can export their data in its entirety in CSV files on a table by table basis with details of the table definitions provided. We envisage this will be most appropriate to take a copy of data on leaving the system.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • PDF
  • XML
Data import formats:
  • CSV
  • Other
Other data import formats:
  • PDF
  • BLOB

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We don't currently provide an SLA within our T&Cs but are happy to enter into an appropriate SLA.
Approach to resilience: We have the following resilience mechanisms in place:
  • We take regular backups. Currently these are every 24 hrs but could be taken more regularly if there is customer demand.
  • We have designed our solution to include database replication so that there would be a permanent alternative database maintained in real time to support immediate failover.
  • Our LDAP credentials server is backed up every 24 hrs and we have a mechanism for synchronisation between LDAP and database.
  • We monitor the status of all elements of the platform and can respond in the event of a failure of any component.
  • The solution is designed to be multi-level and we can start up additional components in parallel and load balance across them in the event that the web server or application server fail or overload.
  • Building a server is automated and we can build and deploy additional resources in minutes.
  • If our database server grows unexpectedly, we can stop, resize/expand the disks, memory or CPU resources and restart within 5 minutes.
  • As we run on AWS we have access to the power and scalability of AWS.
Outage reporting: We have a public dashboard which is enabled during planned outages.
We provide email alerts of predicted outages.
In the event an outage occurs we expose an alternative web page reporting this.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication: We intend to extend our solution to include TFA and implementation of this is in our development pipeline.
Access for most users is limited to port 443 for secure web traffic.
Access restrictions in management interfaces and support channels: General management access is via the AWS management console and for this we have TFA configured.
Administrative access to individual machines is available via SSH using AWS encryption keys, between specific IP addresses: our main site and the home networks of selected key employees for 24 x 7 access.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials Plus and IASME
Information security policies and processes: Cyber Essentials Plus and IASME compliant information security policies

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All of our components are tracked through their lifetime using the cloud development suite Atlassian.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: We use Qualys scanning.
We deploy patches regularly (typically within 14 days) having first trialled them on our development platforms and as part of our release procedures.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: We rely primarily on AWS facilities for our protective monitoring. We have monitoring facilities wired up to report exceptions by email as soon as they occur.
We initiate a response immediately during working hours and for emergencies 24 x 7 once the first person has received the alert.
Incident management type: Supplier-defined controls
Incident management approach: We take regular backups of our solution data.
We have automated build procedures so we can re-build a solution instance within minutes if necessary.
This rebuild process is practised fortnightly as part of our release procedures.
Our data recovery process is similarly practised regularly as part of our release procedures.
Backups from production servers are regularly tested for integrity and the ability to recover them on a quarterly basis.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No


Price: £1 per person per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: We do not commercially offer a "free trial" but there is a de facto free trial period between registering and completing payment setup. During this period a system administrator has the ability to review all of the functionality of the system. The period is in the T&Cs on sign up.


Pricing document: View uploaded document
Service definition document: View uploaded document
Terms and conditions document: View uploaded document