Version from August 30, 2022

General technical conditions for using our products

The following browsers are supported in their respective current versions, and their use is therefore a prerequisite for the provision of services: Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge and Microsoft Internet Explorer 11. (Internet Explorer 11 reached its end of life cycle on 15.06.2022; future support is subject to specific limitations and cannot be guaranteed. Please contact our team for details.)

Service modules

The following sections describe the services offered by SoSafe and define the processes and organizational interfaces required for service provision.

Phishing simulation

The phishing simulation service module comprises the sending of a defined number of (pre-arranged) e-mails to users over the service period. These e-mails simulate real phishing e-mails to increase the users' awareness of IT security risks caused by phishing attacks. When a user clicks on a phishing element (e.g. image, link) in one of the simulated phishing e-mails or is forwarded to a landing page (e.g. Log-in page), a web page is called up (hereinafter referred to as the "learning page"), which informs the user about the simulation and provides concrete information on how the respective e-mail could have been identified as a phishing attempt.

To ensure that all simulated phishing e-mails are delivered to all users to be trained, the customer is required to set up whitelisting. This is a duty of cooperation on the part of the customer, without which SoSafe cannot guarantee the provision of services. The customer shall therefore be responsible for ensuring that the simulated phishing mails actually arrive in their complete form in the users' mailboxes and can be used within the scope of the training measure. If the customer cannot influence the whitelisting itself (e.g. because the customer has commissioned an IT service provider to manage its IT systems), the customer must ensure that the whitelisting is nevertheless carried out.

The following steps must be taken for whitelisting:

  • SoSafe's mail servers must be whitelisted in the receiving mail system to prevent the rejection of incoming e-mails.

  • Any existing filter systems (e.g. secure mail gateway) must be configured in such a way that the simulated phishing mails are not marked as "junk" or "spam" and delivery to the users can be guaranteed.

  • Any existing systems provided by the customer to protect access to the Internet from the user's end devices (e.g. web gateways, proxies, security settings of the operating system) must be configured in such a way that the undistorted display of the simulated phishing e-mails in the user's e-mail programs is guaranteed. Furthermore, these systems are to be configured so that the learning pages can be displayed via a web browser.

  • Additionally, customers might also whitelist the following:

    • envelope sender addresses

    • list of used domains

    • image server

SoSafe provides instructions for the implementation of these steps. The instructions also contain all necessary technical information such as IP addresses and server names of the mail servers, URLs to be released for filter systems and systems for access protection.

Phishing Report Button

The Phishing Report Button service module is a functionality that allows users to report e-mails that are considered to be a potential phishing attack. The report is sent to an e-mail address defined by the customer in the form of a forwarding of the suspicious e-mail. Simulated phishing emails from SoSafe are not forwarded, but reported to SoSafe. The customer must specify an e-mail address where the forwarding is to take place.

The functionality is provided in the form of a Microsoft Office Add-In. In order for the Outlook add-in to load and function properly, different requirements must be met on the server and client side. The Phishing Report Button can also be used with Google Workspace. 

 

Client requirements

  • The client must be one of the supported applications for Outlook add-ins. The following clients support add-ins:

    • Outlook 2013 or higher on Windows

    • Outlook 2016 or higher on Mac

    • Outlook under iOS

    • Outlook under Android

    • Outlook on the Web for Exchange 2016 or higher and Office 365

    • Outlook.com

  • The client must be connected directly to an Exchange server or to Office 365. When configuring the client, the user must select Exchange, Office 365 or Outlook.com as the account type. If a POP3 or IMAP connection is configured for the client, add-ins are not loaded.

  • Alternatively, Google Workspace

Web browsers supported

  • Internet Explorer 11 (Internet Explorer 11 reached its end of life cycle on 15.06.2022; future support is subject to specific limitations and cannot be guaranteed. Please contact our team for details.)

  • Microsoft Edge v1

  • Microsoft Edge v2

  • Chrome

  • Safari

  • Firefox

Outlook requires a certain browser engine to run add-ins

The browser used by Outlook (internally) is determined by the system configuration. Certain Outlook versions with certain system configurations require specific browsers to be installed and enabled. For a detailed explanation and a compatibility table, please contact us.

E-mail server requirements

If the user is connected to Google Workspace, Office 365 or Outlook.com, this already meets all the requirements for the e-mail server. However, for users connected to an on-premises Exchange Server installation, the following requirements apply:

A successful installation as well as a smooth roll-out of the Add-In can only be guaranteed if the customer uses the standard settings of the respective program and has no third-party application in operation that affects the functionality of the Add-In. Individual support by SoSafe during the setup of the add-in in a non-standard infrastructure is explicitly excluded. As an optional service, resources with appropriate expertise can be arranged. This requires a separate and explicit agreement between the parties involved.

Client / Server API Compatibility

The Outlook Add-in makes use of Exchange Web Services (EWS) or the Outlook REST API, in order to retrieve data from the user’s Outlook mailbox. The following sections state the availability of EWS and REST API for all supported Exchange Server/Outlook Client combinations and their effect on forwarding.

Exchange On-Premise

For all Exchange On-Premise servers (no hybrid deployment) we can only support EWS.

Exchange Online / Hybrid server deployments

For Exchange Online and hybrid deployments of Exchange servers we support the following EWS and REST API availability for the respective client/server combinations:


REST: REST API only
EWS: EWS only
GRAPH: Graph API only
Both: EWS and REST API
All: EWS + REST API + Graph API

Windows Outlook clients

| Server           | MS 365¹ | Outlook 2019 | Outlook 2016 | Outlook 2013 |
|------------------|---------|--------------|--------------|--------------|
| Exchange Online  | All     | All          | EWS          | EWS          |
| Exchange 2019²   | All     | Both         | EWS          | EWS          |
| Exchange 2016²   | Both    | Both         | EWS          | EWS          |

macOS Outlook clients

| Server           | MS 365¹ | Outlook 2019 | Outlook 2016 |
|------------------|---------|--------------|--------------|
| Exchange Online  | All     | Both         | Both         |
| Exchange 2019²   | Both    | Both         | Both         |
| Exchange 2016²   | Both    | Both         | Both         |

Other Outlook clients

| Server           | Android App | iOS App | Desktop Browser | Mobile Browser |
|------------------|-------------|---------|-----------------|----------------|
| Exchange Online  | REST        | REST    | Both            | not supported  |
| Exchange 2019²   | REST        | REST    | Both            | not supported  |
| Exchange 2016²   | REST        | REST    | Both            | not supported  |

¹ Microsoft Office 365 subscription
² connected to Exchange Online (hybrid deployment)

Differences in forwarding via EWS and REST

Forwarding can be done in “.eml” or “split” mode, each of which brings the following differences. Depending on the available API and the configured forwarding mode, the following files are forwarded to the customer’s email addresses:

 

.eml mode

  • via REST: mail.eml

  • via EWS: mail.eml

    • for emails greater than 500 kB the add-in automatically switches to split mode

Split mode

  • via REST: body.html, headers.txt, all attachments as the original files³

  • via EWS: body.html, headers.txt, attachments.txt³

    • attachments.txt contains information about the attachment’s name, size, type, isInline

³ If the email contains attachments

E-Learning

The e-learning service module comprises the possibility for all authorized users of a customer to access the agreed number of learning modules within the scope of service provision. The learning modules impart knowledge in the field of IT security and cover a wide range of sub-topics. The booked learning modules can be accessed via SoSafe's own learning platform or integrated into a customer's existing Learning Management System (LMS) via SCORM streaming. The learning modules are divided into learning videos and interactive learning modules.

The learning videos can be used with or without acoustic output (this can be controlled locally via the user's operating system or browser). All language versions (see section "Multilingual Package") of the learning videos have an audio track and subtitles. The interactive learning modules are without sound track.

Access via learning platform

The proprietary learning platform of SoSafe is available at https://elearning.sosafe.de. Here users can register with their professional e-mail addresses. Alternatively, an anonymous access code can be used.

Access via customer-side LMS

The learning modules are provided as container files in the SCORM 1.2 standard (from our end compatible with common LMS such as SAP SuccessFactors Learning, Adobe Captivate Prime LMS, ILIAS, Moodle and Totara Learning). These container files can be integrated into the LMS. The content of the learning modules is then provided by a streaming server of SoSafe at the time of access. For this purpose, access to the streaming server at lms0.sosafe.de must be guaranteed.

SoSafe Manager

The SoSafe Manager can be accessed by the customer at https://manager.sosafe.de and it is available in English and German only. SoSafe Manager is the portal for the administration of awareness measures. Within the reporting dashboard on the portal, the customer can view various key figures about the commissioned service components, such as general click rates of the simulated phishing e-mails, the overall progress in e-learning or - depending on the service agreement - also individual e-learning results of individual employees. Exactly which data can be viewed and processed is regulated in a separate Data Processing Agreement.

Scope of services of individual awareness packages

The individual awareness packages of SoSafe contain different scopes of services and support levels. The special features of the individual packages are listed in the following sections. If services are not described in this SLA, the scope of services according to the feature overview is of secondary importance.

Package Starter

  • The package Starter is only available for customers with 5-250 users.

  • For package Starter, all users must be registered with the SAME mail domain name. (single domain only)

  • The customer is provided with instructions (downloadable PDF) on the self-service platform https://app.sosafe.de, which explain all necessary steps, such as setting up whitelisting, in a way that is understandable for an average user.

  • All relevant information (customer master data, billing data, etc.) must be entered by the customer via the platform.

  • A template (Excel file) is provided for the transmission of the user list, the scheme of which must be adhered to ensure a clean upload of the data to the self-service platform. This user list can be updated by the customer. The actual number of users in the system must not exceed the licensed number of users (contractually agreed upper limit).

  • A sample of the Data Processing Agreement is provided, which must be signed and uploaded by the customer.

  • Analytics: Includes access to the SoSafe Manager Portal, including the Analytics Dashboard to analyze KPIs (e.g. click and completion rates).

  • Interactive learning modules and learning videos in e-learning are fixed and cannot be changed. A suitable industry package can be selected for the phishing simulation.

Package Essential

  • If required, a 30-minute kick-off meeting can be held by telephone or web conference in which a SoSafe awareness expert explains all necessary technical preparations to the customer and coordinates the next steps.

  • Free choice of mail domain names for user registration.

  • With the User Management, customers can simply upload a user list for the phishing simulation and/or e-learning. A template (Excel file) is provided for this purpose. The transmission of the user list to SoSafe is done via a secure data connection. The customer will receive a user account for this purpose. The actual number of users available in the system shall not exceed the licensed number of users (contractually agreed upper limit). As a gesture of goodwill, a cost-neutral exceeding of the agreed upper limit by up to 7 % is granted.

  • The customer can update the user list via the above-mentioned access to the SoSafe Manager Portal at any time on his own, should there be any changes due to fluctuation, etc.

  • SoSafe provides instructions for setting up the whitelisting.

  • For e-learning, the agreed upon number of learning modules and learning videos can be activated for all users of the customer from the available interactive learning modules on IT security (difficulty level: beginners). In consultation with the customer, SoSafe can be set up with a reminder function that, for example, reminds users who have not yet registered or have not yet completed individual modules by e-mail of a registration/finalization. Available languages are English and one additional language of choice (if supported by SoSafe).

  • For the phishing simulation, we randomly send out 12 simulated phishing emails throughout the year, based on attacks observed in your industry. This collection is updated continuously. Any customization of the e-mails' content is not included in this package; this is only possible in the Premium package. Available languages are English and one additional language of choice (if supported by SoSafe).

  • Setup times: The kick-off can be carried out within one calendar week from the date of order (written acceptance of the offer by SoSafe), or later if requested by the customer. As soon as the kick-off has been carried out, SoSafe assures a possible start of the awareness building within 10 working days, provided that all necessary data are provided by the customer without delay and that activities requiring cooperation are carried out.

  • User feedback: You can view user feedback and export it as a CSV file.

  • The evaluation contains benchmarks on all key figures compared to the customer average.

  • When using the SoSafe learning platform, users receive a certificate for all learning modules passed.

  • Gamification: On the SoSafe learning platform, users pass levels, collect badges and can view their progress in a personal success overview. (Can be switched on and off)

Package Professional

All components from Package Essential, but differently or additionally:

  • Spear phishing simulation: All e-mails are individualized for the respective recipient using a placeholder system (e.g. "Dear Mr. Miller, ...") and in some cases also include details such as the name or location of the customer.

  • Branding: The customer's logo is displayed at the top of the learning pages associated with the phishing simulation, as well as on the SoSafe learning platform. The buttons and colour design elements of the learning pages as well as the learning platform can be adapted in colour to the customer's corporate identity. In addition, the e-mail-unspecific information text on the learning pages can be created or adapted according to customer requirements. If logo and color scheme are freely available, the setup can be done by SoSafe. Otherwise, the corresponding data will be provided by the customer. The customer guarantees for the integration that he holds the rights of use of the logo and is liable for any violation of the rights of third parties.

  • Multilingual package: Selected phishing emails, learning pages and learning content are available in additional languages. Currently 31 languages are available, an up-to-date list will be provided upon request.

  • Setup times: The kick-off can be carried out within one calendar week from the date of order (written acceptance of the offer by SoSafe), or later if requested by the customer. As soon as the kick-off has been carried out, SoSafe assures a possible start of the awareness building within 20 working days, provided that all necessary data are provided by the customer without delay and that activities requiring cooperation are carried out.

Package Premium

All components from Package Professional, but differently or additionally:

  • For the setup and configuration of the Phishing Report Button, SoSafe will provide instructions for the technically supported infrastructure alternatives.

  • Customization Engine: Selected contents of the e-learning modules can be customized. A questionnaire is provided for this purpose, which the customer can use to define the individual specifics (e.g. password length, contact person for data protection) within a framework defined by SoSafe.

  • Customized spear phishing simulation: We additionally send 3 simulated phishing emails, which we create together with you individually for your organization (e.g. replication of a CEO fraud). The individually created phishing mails are provided in English and German.

  • Awareness Bites: As part of omnichannel learning, we send your employees short learning contents and real case studies on the topic of IT security via e-mail.

Optional package Enterprise:

  • Targeted delivery: We are able to assign selected, simulated phishing emails to specific user groups for even more targeted training.

  • Full-service implementation: Your personal implementation manager supports and advises you on the advanced configuration of your awareness platform: best-practice approaches, whitelisting, recommendations for communication incl. templates, user management with data quality assurance.

  • Business Review: As an Enterprise customer you will receive Executive Business Review(s). This includes a report containing information on: 1) Target achievement (e.g. deep dive into relevant metrics and product usage data) 2) Benchmarking (e.g. against customer master data, industry of the customer, company size) 3) Advice on measures (e.g. providing communication documents to employees or for internal reporting, best practices of comparable companies) 4) Support and advice for the long-term cyber security awareness strategy of the customer.

  • Priority Support: Your personal contact person treats all your support requests with priority and supports you by e-mail or telephone, subject to our support times.

  • ISO 27001 reporting: The data is evaluated in an ISO 27001-audit compliant manner.

  • Expert evaluation: In addition to the provisions regarding the user list, the list can be supplemented with additional classifications. These can be, for example, user groups based on the customer's organizational units or locations. The evaluations on the reporting dashboard are then differentiated according to this classification. When the customer defines the classification, the agreed provisions of the Data Processing Agreement must always be observed; for example, the minimum size of a user group must not be less than 5 persons for data protection reasons.

  • Expert benchmarking: The evaluation contains additional benchmarks, e.g. on the customer's industry and company size – can be requested by the respective Customer Success Manager.

  • Advanced scheduling: We are able to adapt the dispatch times individually to customer requirements, e.g. vacation periods and time zones.

  • Advanced Analytics: Includes the same KPIs as in the normal Analytics feature, but also allows them to be grouped according to user groups or Extended Data. Customers with Advanced Analytics can use the Extended Data fields in their user addresses. Extended data can be additional regions or departments that customers would like to filter and see in the Analytics. 

  • SCORM streaming: You get access to the learning modules as SCORM containers and can integrate them into your own learning management system.

  • Supporting awareness material: You receive supporting digital material for your awareness campaign, e.g. posters, screensavers, flyers, communication templates.

  • Data export: You can export evaluation data as Excel or CSV file.

  • To register on the SoSafe learning platform, it is also possible to use a Single Sign-On via Azure Active Directory (AD), Google or user provisioning via Okta. To enable the learning platform to authenticate itself against the AD, an Azure AD in the cloud is required (hybrid setup possible). The protocol used is OAuth 2.0 or SAML in version 2.0, which is ideally suited for use in web apps. Only a one-time authorisation of our web app by the customer's Azure AD administrator is required. The technical requirements for Single Sign-On can be viewed at support.sosafe.de. SCIM is supported within the following limits:

    • The SCIM connection to the SoSafe Manager only supports data transfers from the Microsoft Azure AD, no on-premise Active Directories are supported.

    • The SCIM connection only supports the connection of one Azure tenant. All user data to be transferred must be managed by the customer in one Azure tenant. The connection to multiple tenants is not supported.

    • If a SCIM connection to the SoSafe Manager is established, the user administration is carried out exclusively via the Azure AD on the customer side; it is not possible to additionally import users into the SoSafe database via Excel or CSV imports.

Package "Data Protection"

Can be booked in addition to or instead of the above packages.

Package "Data Protection Professional":

  • For e-learning, the agreed upon number of learning modules and learning videos can be activated for all users of the customer from the available interactive learning modules. In consultation with the customer, SoSafe can be set up with a reminder function that, for example, reminds users who have not yet registered or have not yet completed individual modules by e-mail of a registration/finalization.

  • If required, a 30-minute kick-off meeting can be held by telephone or web conference in which a SoSafe awareness expert explains all necessary technical preparations to the customer and coordinates the next steps.

  • User feedback: You can view user feedback and export it as a CSV file.

  • The evaluation contains benchmarks on all key figures compared to the customer average.

  • When using the SoSafe learning platform, users receive a certificate for all learning modules passed.

Package "Data Protection Premium":

  • Customization Engine: Selected contents of the e-learning modules can be customized. A questionnaire is provided for this purpose, which the customer can use to define the individual specifics (e.g. password length, contact person for data protection) within a framework defined by SoSafe.

  • Branding: The customer's logo is displayed at the top of the learning pages associated with the phishing simulation, as well as on the SoSafe learning platform. The buttons and colour design elements of the learning pages as well as the learning platform can be adapted in colour to the customer's corporate identity. In addition, the e-mail-unspecific information text on the learning pages can be created or adapted according to customer requirements. If logo and color scheme are freely available, the setup can be done by SoSafe. Otherwise, the corresponding data will be provided by the customer. The customer guarantees for the integration that he holds the rights of use of the logo and is liable for any violation of the rights of third parties.

Optional Package "Data Protection Enterprise":

  • Full-service implementation: Your personal implementation manager supports and advises you on the advanced configuration of your awareness platform: best-practice approaches, whitelisting, recommendations for communication incl. templates, user management with data quality assurance.

  • Business Review: You will receive up to 4 Executive Business Reviews per year. This includes a 60 minute phone call with your personal manager at SoSafe. Furthermore, you will receive a report containing information on: 1) Target achievement (e.g. deep dive into relevant metrics and product usage data) 2) Benchmarking (e.g. against customer master data, industry of the customer, company size) 3) Advice on measures (e.g. providing communication documents to employees or for internal reporting, best practices of comparable companies) 4) Support and advice for the long-term cyber security awareness strategy of the customer.

  • Priority Support: Your personal contact person treats all your support requests with priority and supports you by e-mail or telephone, subject to our support times.

  • Expert evaluation: In addition to the provisions regarding the user list, the list can be supplemented with additional classifications. These can be, for example, user groups based on the customer's organizational units or locations. The evaluations on the reporting dashboard are then differentiated according to this classification. When the customer defines the classification, the agreed provisions of the Data Processing Agreement must always be observed; for example, the minimum size of a user group must not be less than 5 persons for data protection reasons.

  • Expert benchmarking: The evaluation contains additional benchmarks, e.g. on the customer's industry and company size.

  • Advanced scheduling: We adapt the dispatch times individually to customer requirements, e.g. vacation periods and time zones.

  • SCORM streaming: You get access to the learning modules as SCORM containers and can integrate them into your own learning management system.

  • Supporting awareness material: You receive supporting digital material for your awareness campaign, e.g. posters, screensavers, flyers, communication templates.

  • Data export: You can export evaluation data as Excel or CSV file.

  • To register on the SoSafe learning platform, it is also possible to use a Single Sign-On via Azure Active Directory (AD), Google or user provisioning via Okta. To enable the learning platform to authenticate itself against the AD, an Azure AD in the cloud is required (hybrid setup possible). The protocol used is OAuth 2.0, which is ideally suited for use in web apps. Only a one-time authorisation of our web app by the customer's Azure AD administrator is required. The technical requirements for Single Sign-On can be viewed at support.sosafe.de. SCIM is supported within the following limits:

    • The SCIM connection to the SoSafe Manager only supports data transfers from the Microsoft Azure AD, no on-premise Active Directories are supported.

    • The SCIM connection only supports the connection of one Azure tenant. All user data to be transferred must be managed by the customer in one Azure tenant. The connection to multiple tenants is not supported.

    • If a SCIM connection to the SoSafe Manager is established, the user administration is carried out exclusively via the Azure AD on the customer side; it is not possible to additionally import users into the SoSafe database via Excel or CSV imports.

Package "Occupational safety"

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on work security. In consultation with the customer, SoSafe can be set up with a reminder function that, for example, reminds users who have not yet registered or have not yet completed individual modules by e-mail of a registration/finalization. The modules are available in German and English, more languages on request.

Package "General Act on Equal Treatment"

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on the General Act on Equal Treatment. In consultation with the customer, SoSafe can be set up with a reminder function that, for example, reminds users who have not yet registered or have not yet completed individual modules by e-mail of a registration/finalization. The modules are available in German and English, more languages on request.

Package "Compliance"

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on compliance. In consultation with the customer, SoSafe can be set up with a reminder function that, for example, reminds users who have not yet registered or have not yet completed individual modules by e-mail of a registration/finalization. The modules are available in German and English, more languages on request.

Optional Package “Multitenancy”

Our “Multitenancy package” offers the ability to utilize multiple application instances (tenants) per one customer account. Each tenant’s data is isolated and remains invisible to other tenants. Configuration is also individualized per tenant for various platform properties, including but not limited to admin rights, user lists, placeholders, branding, phishing simulation templates, SCORM streaming, Phishing Report Button and other.