
General technical conditions

Here you find the General Technical Conditions for using our products.

Current version: 18. March 2024

1 General technical conditions for using our products

This document describes the general technical conditions for the use of our products. Please refer to your Feature Matrix to find out whether a product is included in your scope of services.

The General Technical Conditions for using our products are subject to change. SoSafe reserves the right to update the General Technical Conditions without notice. Please make sure you check the latest version at https://link.sosafe-awareness.com/general-technical_conditions-en.

2 Browsers supported

The following browsers are supported in their respective current versions, and their use is therefore a prerequisite for the provision of services: Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Microsoft Internet Explorer 11. Internet Explorer 11 reached its end-of-life cycle on 06/15/2022; future support is subject to specific limitations and cannot be guaranteed. Please contact our team for details.

3 Service modules

The following sections describe the services offered by SoSafe and define the processes and organizational interfaces required for service provision.

When implementing these service modules, the customer is generally obliged to cooperate in order to ensure the provision of services by SoSafe.

3.1 Phishing simulation

The phishing simulation service module comprises the sending of a defined number of (pre-arranged) emails to users over the service period. These emails simulate real phishing emails to increase the users' awareness of cyber security risks caused by phishing attacks. When a user clicks on a phishing element (image, link, etc.) in one of the simulated phishing e-mails or is forwarded to a landing page (such as the login page), a web page is called up (hereinafter referred to as the "learning page"), which informs the user about the simulation and provides concrete information on how the respective e-mail could have been identified as a phishing attempt.

3.1.1 Phishing Simulation Options

  • For the phishing simulation, we randomly send out the agreed amount of simulated phishing emails throughout the year, based on attacks observed in your industry. This collection is updated continuously.

  • Spear phishing simulation: All emails are individualized for the respective recipient using Standard phishing placeholders (such as "Dear Mr. Miller, ...") and in some cases also include details such as the name or location of the customer.

  • Customized spear-phishing simulation: If booked, we additionally send 3 simulated phishing emails, which we create together with you specifically for your organization (such as a simulation of CEO fraud). The individually created phishing emails are provided in English and German.

3.1.2 Whitelisting

To ensure that all simulated phishing emails are delivered to all users who are to be trained, the customer is required to set up whitelisting. This is a duty of cooperation on the part of the customer, without which SoSafe cannot guarantee the provision of services. The customer shall therefore be responsible for ensuring that the simulated phishing emails actually arrive in their complete form in the users' mailboxes and can be used within the scope of the training measure. If the customer cannot influence the whitelisting itself (for example, because the customer has commissioned an IT service provider to manage its IT systems), the customer must ensure that the whitelisting is nevertheless carried out.

The following steps must be taken for whitelisting:

  • SoSafe's email servers must be whitelisted in the receiving email system to prevent the rejection of incoming emails.

  • Any existing filter systems (such as secure mail gateway) must be configured in such a way that the simulated phishing mails are not marked as "junk" or "spam" and delivery to the users can be guaranteed.

  • Any existing systems provided by the customer to protect access to the Internet from the user's end devices (such as web gateways, proxies, security settings of the operating system) must be configured in such a way that the undistorted display of the simulated phishing emails in the user's email programs is guaranteed. Furthermore, these systems are to be configured so that the learning pages can be displayed via a web browser.

  • Additionally, customers might also whitelist the following:

    • envelope sender addresses

    • list of used domains

    • image server

SoSafe provides instructions for the implementation of these steps for selected tools. The instructions also contain all necessary technical information such as IP addresses and server names of the email servers, URLs to be released for filter systems, and systems for access protection. Please note that third-party support is needed for some third-party services.

3.2 Phishing Report Button

The Phishing Report Button service module is a functionality that allows users to report emails that are considered to be a potential phishing attack. The report is sent to an email address defined by the customer in the form of a forwarding of the suspicious email. Simulated phishing emails from SoSafe are not forwarded, but instead reported to SoSafe. The customer must specify an email address where the forwarding is to take place.

The functionality is provided in the form of a Microsoft Office add-in. In order for the Outlook add-in to load and function properly, different requirements must be met on the server and client side. The Phishing Report Button can also be used with Google Workspace with some limitations.

3.2.1 Client requirements

  • The client must be one of the supported applications for Outlook add-ins. The following clients support add-ins:

    • Outlook 2013 or higher on Windows

    • Outlook 2016 or higher on Mac

    • Outlook for iOS

    • Outlook for Android

    • Outlook on the Web for Exchange 2016 or higher and Office 365

    • http://outlook.com

  • The client must be connected directly to an Exchange server or to Office 365. When configuring the client, the user must select Exchange, Office 365, or http://outlook.com as the account type. If a POP3 or IMAP connection is configured for the client, add-ins are not loaded.

  • Alternatively: Google Workspace

3.2.2 Web browsers supported

  • Microsoft Edge v1

  • Microsoft Edge v2

  • Chrome

  • Safari

  • Firefox

  • Internet Explorer 11

    • As of 06/15/2022, Internet Explorer 11 (IE11) has reached its end-of-life cycle. This change primarily affects users on MS Outlook versions 2013 and 2016. From 11/16/2023, customers using IE11 will no longer receive new feature updates on the Phishing Report Button, although critical bug fixes will continue to be addressed. Customers using modern versions of Outlook will benefit from accelerated updates and new features. We advise customers still using IE11 to transition to supported browsers for optimal experience and support.

3.2.3 Outlook requires a certain browser engine to run add-ins

The browser used by Outlook (internally) is determined by the system configuration. Certain Outlook versions with certain system configurations require specific browsers to be installed and enabled. For a detailed explanation and a compatibility table, please contact us.

3.2.4 Email server requirements

If the user is connected to Google Workspace, Office 365 or http://outlook.com, this already meets all the requirements for the email server. However, for users connected to an on-premises Exchange Server installation, the following requirements apply:

A successful installation as well as a smooth roll-out of the add-in can only be guaranteed if the customer uses the standard settings of the respective program and has no third-party application in operation that affects the functionality of the add-in. Individual support by SoSafe during the setup of the add-in in a non-standard infrastructure is explicitly excluded. As an optional service, resources with appropriate expertise can be arranged. This requires a separate and explicit agreement between the parties involved.

3.2.5 Client / Server API Compatibility

The Outlook add-in makes use of Exchange Web Services (EWS) or the Outlook REST API in order to retrieve data from the user’s Outlook mailbox. The following sections state the availability of EWS, REST and Graph API for all supported Exchange Server/Outlook Client combinations and their effect on forwarding.

Exchange On-Premise

For all Exchange On-Premise servers (no hybrid deployment) we can only support EWS.

Exchange Online / hybrid server deployments

For Exchange Online and hybrid deployments of Exchange servers we support the following EWS, REST, and Graph API availability for the respective client/server combinations:

  • REST: REST API only

  • EWS: EWS only

  • Graph: Graph API only

  • All: EWS + REST API + Graph API

Windows

| Server \ Windows Outlook clients | MS 365¹ | Outlook 2021 | Outlook 2019 | Outlook 2016 | Outlook 2013 |
|---|---|---|---|---|---|
| Exchange Online | All | All | All - Graph MSAL PopUp | EWS | EWS |
| Exchange 2019² | All | All | All - Graph MSAL PopUp | EWS | EWS |
| Exchange 2016² | EWS/REST | EWS/REST | EWS/REST | EWS | EWS |
| Exchange On-Premise | EWS | EWS | EWS | EWS | EWS |

macOS

| Server \ macOS Outlook clients | Office on Mac (classic UI) | Office on Mac (new UI) |
|---|---|---|
| Exchange Online | All | All |
| Exchange 2019² | All | All |
| Exchange 2016² | EWS/REST | EWS/REST |
| Exchange On-Premise | EWS | EWS |

Other

| Server \ Outlook clients | Android App | iOS App | Web Browser (Exchange Online) | Web Browser (On-Premise) | Mobile Browser |
|---|---|---|---|---|---|
| Exchange Online | Graph/REST | Graph/REST | All | EWS/REST | not supported |
| Exchange 2019² | Graph/REST | Graph/REST | All | EWS/REST | not supported |
| Exchange 2016² | REST | REST | EWS/REST | EWS/REST | not supported |
| Exchange On-Premise | not supported | not supported | n/a | EWS/REST | not supported |

¹ Microsoft Office 365 subscription
² connected to Exchange Online (hybrid deployment)
Graph MSAL pop-up: Every time a user opens the Phishing Report Button, the user will see a flash of an MSAL pop-up for logging in the user via Graph.

Differences in forwarding via EWS and REST/Graph API

Forwarding can be done in “.eml” or “split” mode, which differ in the following ways. Depending on the available API and the configured forwarding mode, the following files are forwarded to the customer’s email addresses:

 

| Mode | via REST/Graph | via EWS |
|---|---|---|
| .eml mode | mail.eml | mail.eml (for emails greater than 500 kB the add-in automatically switches to split mode) |
| Split mode | body.html; headers.txt; all attachments as the original files³ | body.html; headers.txt; attachments.txt³ (contains information about the attachment’s name, size, type, IsInline) |

³ If the email contains attachments

3.3 PhishAssist / Reporting Nudges

PhishAssist is a feature of the Phishing Report Button, designed to assist users in the identification of potential malicious emails. Its primary objective is to educate users on critical factors to evaluate while assessing emails for potential threats.

3.3.1 PhishAssist's Assessment Criteria

PhishAssist employs an assessment based on five key factors to establish the potential risk of an email:

  • Email authentication: Checks are conducted on SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) to authenticate the email source. Please note that this risk factor, while essential to our evaluation, is not explicitly displayed to users within the user interface.

  • Sender information: Both the sender's domain and name undergo an examination to confirm legitimacy.

  • Email attachments: PhishAssist scrutinizes the types of attachments included in the email, providing feedback if types commonly associated with security risks are detected.

  • Embedded links: All embedded links are analyzed for characteristics typically indicative of phishing attempts.

  • Email content: The email content is reviewed for terms often employed within phishing communications.

The current implementation of PhishAssist operates entirely within the user’s email client. This ensures no email data is transmitted externally, aligning PhishAssist with GDPR (General Data Protection Regulation) requirements implicitly.

3.3.2 Clarification on PhishAssist's Functionality

PhishAssist is a tool designed primarily to enhance user awareness and vigilance in identifying potential email threats. It is essential to understand that PhishAssist does not and will not definitively categorize an email as either entirely safe or a confirmed phishing attempt. Instead, it aims to guide users in identifying the tell-tale signs often associated with malicious emails.

In the assessment process, PhishAssist scrutinizes links within the email, specifically their attributes, not by opening or following them. This approach helps identify characteristics typically associated with phishing attempts.

Similarly, the evaluation of email attachments is based solely on the file type. The contents of these attachments are not opened or analyzed within a Sandbox environment to determine potential maliciousness.
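The five factors from sections 3.3.1 and 3.3.2, sketched as an added example that is not SoSafe's code: links are judged by their attributes without being followed, and attachments by file type only. The sample message, the extension and term lists, and the names `assess` and `LinkCollector` are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name, address and domain is made up.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail
From: "IT Support" <helpdesk@billing.example.net>
Reply-To: recovery@example.info
To: user@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Verify your account immediately:</p>
<a href="http://192.0.2.10/login">https://portal.example.com/login</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.js"

placeholder
--b1--
"""

# Assumed, deliberately short lists; a real deployment would tune both.
RISKY_EXTENSIONS = {".js", ".exe", ".scr", ".vbs", ".iso", ".lnk", ".hta", ".docm"}
URGENCY_TERMS = ("urgent", "immediately", "verify your account", "password expires")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess(raw: bytes) -> dict:
    """Return findings per factor; nothing is fetched, opened or executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"authentication": [], "sender": [], "attachments": [], "links": [], "content": []}
    # 1. Authentication: verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        found = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = found.group(1).lower() if found else "missing"
        if verdict != "pass":
            out["authentication"].append(f"{mech}={verdict}")
    # 2. Sender: replies routed to a different domain than the From address.
    if msg["From"] and msg["From"].addresses:
        sender = msg["From"].addresses[0]
        reply = msg["Reply-To"].addresses[0] if msg["Reply-To"] else sender
        if reply.domain.lower() != sender.domain.lower():
            out["sender"].append(f"reply-to {reply.domain} != from {sender.domain}")
    # 3. Attachments: judged by file name extension only, content untouched.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            out["attachments"].append(f"{name}: risky type {ext}")
    # 4. Links: attributes of each anchor, never requested over the network.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, label in collector.links:
        host = urlsplit(href).hostname or ""
        if urlsplit(href).scheme == "http":
            out["links"].append(f"{href}: unencrypted http")
        if re.fullmatch(r"[\d.]+", host):
            out["links"].append(f"{href}: IP address instead of a domain name")
        shown = urlsplit(label).hostname if "://" in label else None
        if shown and shown != host:
            out["links"].append(f"{href}: visible text shows {shown}")
    # 5. Content: wording often used to pressure the reader.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    out["content"] = [term for term in URGENCY_TERMS if term in haystack]
    return out
```

Calling `assess(SAMPLE_EML)` returns one list of findings per factor; an empty list means that factor raised nothing, which is not a verdict that the message is safe.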

3.3.3 Client / Server API Compatibility of PhishAssist

| Operating system | Office version | Edge WebView2 (Chromium-based) installed? | PhishAssist |
|---|---|---|---|
| Android | Any | Not applicable | Yes |
| Any | Office web | Not applicable | Yes, if not opened in IE11 |
| iOS | Any | Not applicable | Yes, if not opened in IE11 |
| Mac | Any | Not applicable | Yes |
| Windows 7, 8.1, 10, 11 | Non-subscription Office 2013 to Office 2019 | Does not matter | Not supported |
| Windows 10, 11 | Non-subscription Office 2021 or later | Yes | Yes |
| Windows 7 | Microsoft 365 | Does not matter | Not supported |
| Windows 8.1, Windows 10 ver. < 1903 | Microsoft 365 | No | Not supported |
| Windows 10 ver. >= 1903, Windows 11 | Microsoft 365 ver. < 16.0.11629 | Does not matter | Not supported |
| Windows 10 ver. >= 1903, Windows 11 | Microsoft 365 ver. >= 16.0.11629 and < 16.0.13530.20424 | Does not matter | Yes |
| Windows 10 ver. >= 1903, Windows 11 | Microsoft 365 ver. >= 16.0.13530.20424 | No | Yes |
| Windows 8.1, 10, 11 | Microsoft 365 ver. >= 16.0.13530.20424 | Yes | Yes |

 

Note: This table includes information on the compatibility of PhishAssist with different operating systems, Office version, and whether Edge WebView2 (Chromium-based) is installed. The entries "Not applicable" and "Does not matter" indicate that a particular criterion is not relevant to a specific combination of operating system and Office version.

3.3.4 Exclusion of Liability

SoSafe expressly disclaims any liability arising from incidents where the assessment data generated by PhishAssist is used as the sole basis for email security decisions, and a subsequent cybersecurity event occurs. The intent of PhishAssist is to serve as an educational tool to augment user awareness and discernment, rather than providing absolute assurance of email safety.

3.4 E-Learning

The e-learning service module comprises the possibility for all authorized users of a customer to access the agreed number of learning modules within the scope of service provision. The learning modules impart knowledge in the field of cyber security and cover a wide range of sub-topics. The booked learning modules can be accessed via SoSafe's own learning platform or integrated into a customer's existing learning management system (LMS) via SCORM streaming. The learning modules are divided into learning videos and interactive learning modules.

The learning videos can be used with or without acoustic output (this can be controlled locally via the user's operating system or browser). All language versions (see section "Multilingual Package") of the learning videos have an audio track and subtitles. Some modules are not optimized for viewing on mobile devices.

3.4.1 Access via learning platform

The proprietary learning platform of SoSafe is available at https://elearning.sosafe.de. Users can register with their professional email addresses. Alternatively, an anonymous access code can be used.

  • Core personalization: Core personalization of user paths determined by factors such as goal setting, duration, completion milestones, language preferences, selected lessons, and insights from the Risk Assessment Survey. Future personalization parameters will be contingent upon the chosen package. Some additional E-Learning features are currently not compatible with core personalization (Policy Management, Custom Modules, Manager Escalation).

  • For e-learning, the agreed upon number of learning modules and learning videos can be activated for all users of the customer from the available interactive learning modules on cyber security. A reminder function reminds users who have not yet registered or have not yet completed individual modules of a registration/finalization via email.

  • When using the SoSafe learning platform, users receive a certificate for all learning modules passed.

  • Gamification: On the SoSafe learning platform, users pass levels, collect badges, and can view their progress in a personal success overview.

  • Content Management:

    • Customization Engine - Through the use of content placeholders, content on the learning platform can be customized to meet the needs and regulations of your company.

    • Policy Management - Upload policies, present them to your employees, and track their acceptance with downloadable reports.

    • Custom Modules / Bring your own content - Upload and play your SCORM 1.2 cyber security content on our learning platform. Technical conditions are:

      • Select authoring tools are compatible

      • Upload limits: 150MB for modules, 10MB for pictures

      • Quiz needs to be passed with >75%

      • Limited module categorization and language bundling

      • We support static SCORM1.2 modules

  • Manager Escalation - Schedule email updates for people managers and keep them informed of their team's e-learning progress.

  • To register on the SoSafe learning platform, it is also possible to use Single Sign-On via Microsoft Entra ID, Google, or Okta. To enable the learning platform to authenticate itself against the identity provider, an identity provider in the cloud is required (hybrid setup possible). The protocol used is OAuth 2.0 or SAML 2.0, which is ideally suited for use in web apps. Only a one-time authorization of our web app by the customer’s administrator is required. The technical requirements for Single Sign-On can be viewed at http://support.sosafe.de.

3.4.2 Access via customer LMS

The learning modules are provided in the standard SCORM 1.2 as container files. These container files can be integrated into the LMS. The content of the learning modules is then provided by a streaming server of SoSafe at the time of access. For this purpose, access to the streaming server at lms0.sosafe.de must be guaranteed.

Individual support by SoSafe for the setup of the learning modules in a third-party LMS is explicitly excluded; customers are referred to the support of the third-party providers.

3.5 SoSafe Manager

The SoSafe Manager can be accessed by the customer at https://manager.sosafe.de and it is available in English, German and French. The SoSafe Manager is the portal for the administration of awareness measures. Within the reporting dashboard on the portal, the customer can view various key figures about the commissioned service components, such as general click rates of the simulated phishing emails, overall e-learning progress, and - depending on the service agreement - individual employees’ e-learning results. Exactly which data can be viewed and processed is regulated in a separate Data Processing Agreement. Access can be optionally secured via MFA.

  • Branding: The customer's logo is displayed at the top of the learning pages associated with the phishing simulation, as well as on the SoSafe learning platform. The buttons and color design elements of the learning pages and learning platform can be adapted to the customer's corporate identity. In addition, the information text on the learning pages (non-specific, independent of the email) can be created or adapted according to customer requirements. If the logo and color scheme are freely available, the setup can be done by SoSafe. Otherwise, the corresponding data will be provided by the customer. The customer guarantees for the integration that they hold the usage rights to the logo and are liable for any violation of the rights of third parties.

  • Supporting awareness material: You receive supporting digital material for your awareness campaign, such as posters, screensavers, flyers, and communication templates.

  • Multilingual package: Phishing mail templates, learning pages and learning content are available in additional languages. Up to 30 languages are currently available; an up-to-date list will be provided on request.

3.5.1 User Data Provisioning

There are two ways to transfer user data: via a user list or automatically via a SCIM connection. The customer must ensure that only e-mail addresses whose domain is owned by the customer are transferred.

  • With the User Management, customers can simply upload a user list for the phishing simulation and/or e-learning. A template (Excel file) is provided for this purpose. The transmission of the user list to SoSafe is done via a secure data connection. The customer will receive a user account for this purpose. The actual number of users available in the system shall not exceed the licensed number of users (contractually agreed upper limit).

  • The customer can update the user list via the aforementioned access to the SoSafe Manager Portal at any time on their own should there be any changes due to fluctuation, etc.

  • Automatic user provisioning: You can add users via a SCIM connection with Microsoft Entra ID, Okta, or Google Workspace. SCIM is supported within the following limits:

    • The SCIM connection to the SoSafe Manager only supports data transfers from Microsoft Entra ID; on-premise Active Directories are not supported.

    • The SCIM connection only supports the connection of one source tenant. All user data to be transferred must be managed by the customer in one tenant. The connection to multiple tenants is not supported.

    • If a SCIM connection to the SoSafe Manager is established, the user administration is carried out exclusively via the source tool on the customer side; it is not possible to additionally import users into the SoSafe database via Excel or CSV imports.

    • No nested groups supported

    • Each person can only be in exactly one user group at a time

    • The technical requirements for SCIM connections can be viewed at http://support.sosafe.de.

3.5.2 Analytics

An analytics and reporting dashboard that features key behavioral metrics, including phishing and e-learning performance.

  • User feedback: You can view user feedback.

  • The evaluation contains benchmarks on all key figures compared to the customer average.

  • ISO 27001 reporting: The data is evaluated in an ISO 27001 audit-compliant manner.

  • Expert evaluation: In addition to the provisions regarding the user list, the list can be supplemented with additional classifications. For example, these can be user groups based on the customer's organizational units or locations. The evaluations on the reporting dashboard are then differentiated according to this classification. When the customer defines the classification, the agreed provisions of the Data Processing Agreement must always be observed; for example, the minimum size of a user group must not be less than 5 persons for data protection reasons.

  • Expert benchmarking: The evaluation contains additional benchmarks, such as on the customer's industry and company size. This can be requested by the respective Customer Success Manager.

  • Data export: You can download evaluation data as an Excel or CSV file.

3.6 Multitenancy

Our “Multitenancy package” offers the ability to utilize multiple application instances (tenants) per one customer account. Each tenant’s data is isolated and remains invisible to other tenants. Configuration is also individualized per tenant for various platform properties, including but not limited to admin rights, user lists, placeholders, branding, phishing simulation templates, SCORM streaming, Phishing Report Button, and more.

3.7 Conversational Learning Option (Sofie)

Security professionals can directly send timely alerts via the MS Teams bot Sofie, reaching their employees 1:1 and ensuring that awareness is always on.

 

4 Additional Content

4.1 “Data Protection” package

  • For e-learning, the agreed upon number of learning modules and learning videos can be activated for all users of the customer from the available interactive learning modules.

4.2 “Occupational safety” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on occupational safety. The modules are available in German and English, and more languages on request.

4.3 “General Act on Equal Treatment” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on the General Act on Equal Treatment (AGG). The modules are available in German and English, and more languages on request.

4.4 “Compliance” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on compliance. The modules are available in German and English, and more languages on request.

4.5 “Cyber Security for IT Professionals (Role-based learning)” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on cyber security for IT professionals (role-based learning). The modules are available in German, English, French, Dutch, Danish, Swedish, Norwegian, Spanish, and Italian, with more languages on request.

4.6 “German Supply Chain Law (LkSG)” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on the German Supply Chain Law (LkSG). The modules are available in German and English, and more languages on request.

4.7 “Anti Money Laundering” package

  • For e-learning, the agreed upon number of learning modules can be activated for all users of the customer from the available interactive learning modules on Anti Money Laundering. The modules are available in German, English, French, Dutch, Danish, Swedish, Norwegian, Spanish, and Italian, with more languages available on request.

5 Service Levels

SoSafe offers different kinds of services based on the booked service level. Please refer to your Feature Matrix to see which features apply to your subscription plan.

5.1 Implementation

  • Quick implementation: You will receive non-customizable implementation services based on our best practice recommendations. Additional materials to guide you through the process will be provided.

  • Full-service implementation: Your personal implementation manager supports and advises you on the advanced configuration of your awareness platform: best-practice approaches, whitelisting, recommendations for communication incl. templates, user management with data quality assurance.

    • Advanced scheduling: We are able to adapt the dispatch times individually to customer requirements, such as vacation periods and time zones.

    • Advanced Analytics: Includes the same KPIs as in the normal Analytics feature, but also allows them to be grouped according to user groups or Extended Data. Customers with Advanced Analytics can use the Extended Data fields in their user addresses. Extended data can be additional regions or departments that customers would like to filter and see in the Analytics. The Extended Data in Analytics is only visible if personalized analytics have been agreed upon before starting awareness measures.

5.2 Support

Support times are subject to the general response times listed in our SLA. Within these agreements priority is defined by your booked service.

  • Knowledge Base access: you will receive access to our knowledge base articles.

  • Priority support: Your support requests are treated with priority subject to our support times.

5.3 Customer Success

We offer Customer Success support either via E-Mail only or offer access to Customer Success Managers to consult on security awareness strategy and support ongoing usage of SoSafe.

6 Self-Service-Awareness-Platform

  • This package is only available for customers with 5-250 users.

  • For this package, all users must be registered with the SAME email domain name (single domain only).

  • The customer is provided with instructions (downloadable PDF) on the self-service platform https://app.sosafe.de, which explain all necessary steps, such as setting up whitelisting, in a way that is understandable for the average user.

  • All relevant information (customer master data, billing data, etc.) must be entered by the customer via the platform.

  • A template (Excel file) is provided for the transmission of the user list, the scheme of which must be followed in order to ensure a clean upload of the data to the self-service platform. This user list can be updated by the customer. The actual number of users in the system must not exceed the licensed number of users (contractually agreed upper limit).

  • A sample of the Data Processing Agreement is provided, which must be signed and uploaded by the customer.

  • Analytics: Includes access to the SoSafe Manager Portal, including the Analytics Dashboard to analyze KPIs (such as click and completion rates).

  • Interactive learning modules and learning videos in the e-learning are fixed and cannot be changed. A suitable industry package can be selected for the phishing simulation.
