oXya UK

SAP ERP Archive Management as a Service

oXya provide a hosted archive service so that customers can store and report on archived and/or, decommissioned SAP and other ERP systems. Data retention rules and policies are built by our partners, Data Lock/Proceed. Reporting may be provisioned for customer users or undertaken by oXya as part of agreed SLAs.


  • Hosted ERP archive service
  • Provision of BI interface for reporting on archive
  • Provision of agreed archived reports from oXya teams to customer
  • Maintenance of hosted archive
  • Implementation of retention management rules
  • ETL data migration from live or legacy systems to archive
  • Flexible storage model
  • Structured and unstructured data can be archived
  • Data held in UK or EU
  • Official security cleared on shore staff provide service


  • Comply with retention management directives
  • GDPR compliance
  • Secure hosting of archive as service
  • Provide Software as a Service BI interface to archived data
  • Provide reports at regular intervals as agreed with clients
  • Compliance with data sovereignty and security requirements
  • Single inclusive service for structured and unstructured data types
  • Provide ETL service to bring customer data to archive
  • Flexible model for data storage


£4150 per terabyte per month

Service documents

G-Cloud 9


oXya UK

Crispin Weston



Service scope

Service scope
Service constraints The bulk of the archived data should be from SAP ERP systems.
System requirements Customers will need to agree migration policy for their data

User support

User support
Email or online ticketing support Email or online ticketing
Support response times As per agreed SLA with each customer. Archived systems are by definition not transactional and have few users. They are therefore unlikely to require many responses to support calls.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide a technical account manager and a dedicated team of on shore support staff.
Support levels are negotiated according to customer needs.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Knowledge transfer workshops between oXya and customer IT or partners defining functional criteria of service such as retention rules implememtation.
Service documentation Yes
Documentation formats Other
Other documentation formats Service is defined in contract scope and statement of work
End-of-contract data extraction A reversibility phase is defined in each contract. During the reversibility phase, the general action plan will be aligned with the integration plan proposed by the new service providers for the scope of services previously delivered by oXya.
At the end of the reversibility phase, oXya is obliged to have forwarded to the new service provider the entirety of the means (documentation, information, tools etc.) necessary for the delivery of service levels similar to those provided by oXya.
In the context of the reversibility phase, oXya is obliged to transfer all theoretical and practical information required to deliver the services provided by oXya. This includes the methodologies used, the procedures and knowledge specific to Customer’s context.
The organization and allocation of resources required for the reversibility phase will be decided during the project launch meeting. For the duration of the project, the manager of the new provider’s “reversibility team” will be in charge of operational management.
The “reversibility steering committee” will as a minimum include:
 the new provider’s “reversibility project manager”;
 Customer’s “reversibility project manager”;
 oXya’s Mission Director.
End-of-contract process The cost of the reversibility phase is not included in monthly fees but a quote will be given at the time, depending on the complexity of requirement.
For example, migration of the archive to a new provider "as is" would not be difficult or expensive but data conversion to a new format might require more work. Customers engaging a new supplier would typically purchase this service from them.

Using the service

Using the service
Web browser interface No
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources Yes
Usage notifications Yes
Usage reporting
  • Email
  • SMS
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Archive data files
  • Databases
  • Operating Systems
  • Virtual Machines
Backup controls Backups can be performed as required by SLA. In an archived system data is not transacted against so DR is usually unnecessary.
Backups will be taken periodically and whenever new data is brought to the archive
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks As this is an archive service there is not a dynamic data flow as there would be with transactional systems. Data is typically imported in a batch process.
Data protection within supplier network Other
Other protection within supplier network Data is not in transit. This is an archive service.

Availability and resilience

Availability and resilience
Guaranteed availability Each customer can negotiate an appropriate SLA containing penalty provisions.
Approach to resilience Available on request.
Outage reporting This is not a transactional service but were there to be an outage for any reason we would communicate to customers by e-mail and phone.

Identity and authentication

Identity and authentication
User authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels This is not typically necessary for an archived system.
Access restriction testing frequency Less than once a year
Management access authentication Username or password
Devices users manage the service through Dedicated device over multiple services or networks

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security No
Security governance accreditation No
Security governance approach All oXya UK providing archive services are security cleared to SC standard.
Access to partner data centres is controlled by them.
Access control to oXya data centres is secured by:
a guard posted at the site entry tp perform first screening;
Complete physical closeure from 8pm to 7am, except for oXya employees with badges
biometric access control at data centre and the offices;
pin code access control to the data centre server rooms ;
There is an intrusion detection alarm system
The 24/7 on-site team monitor data centre entries and exits data centre via an intrusion detection system;
Information security policies and processes All oXya UK providing the service are security cleared to SC standard.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Security Management Services address logical security of all Systems components and data, and include virus protection, intrusion detection, vulnerability prevention, access logging protection and other security services in compliance with customers security requirements and all applicable regulatory requirements. The physical security on Infrastructures is provided as part of our hosting services.
In case of an evolution in a customers security policy leading to a modification of the Infrastructure and/or of the operational tasks, such evolution will be addressed as a Change. Changes caused by evolution in Provider security policy, will have no impact on the Service Fees.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach OXya will protect customers from intrusion, malevolent acts or hacking resulting from 3rd parties staff, via its tools or due to internal network interconnection
Carry out analyses and search information requested by customerdepartments in charge of security within the limits of the Services in scope
Inform customer of any knowledge it may have that may constitute or be likely to constitute harm to its physical or logical security
Protective monitoring type Supplier-defined controls
Protective monitoring approach Develop policies and standards for virus protection
Implement policies for virus protection
Monitor the automatic operation of the virus protection system (associated systems and applications when necessary). Plan virus scanning and control the results
Notify customer in case of any corrected or non-corrected infection
Ensure virus protection on all Systems including remote distribution of virus updates and security hot fixes, as validated by customer on all involved in scope Systems
Incident management type Supplier-defined controls
Incident management approach Service Incident Management is based on:
24x7 automatic surveillance, health checks, and the provision of status reports on the server Operating Systems, database systems, and application systems;
24x7 alarms management and incident classification;
proactive incident resolution.
The objectives of the problem management process are:
to discover, analysis and solve problems (i.e. operational difficulties that do not qualify as incidents);
to engage appropriate expertise to solve problems permanently;
to associate similar problems to—and to resolve—a single root cause.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Different organisations typically use different infrastructure.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £4150 per terabyte per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑