Drupal CMS: Open-source Content Management and Website Development

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud

Private cloud

Community cloud

Hybrid cloud
Service constraints: Scheduled security updates are normally applied monthly and require a small amount of system downtime (normally around 30 mins). We agree with clients to agree to a suitable maintenance window in order to apply these which can be outside of normal working hours. While it can be migrated to a range of platforms using most common web servers, CiviCRM requires PHP with a MySQL or equivalent database.
System requirements: Latest version of all major web browsers

User support

Email or online ticketing support: Email or online ticketing
Support response times: We provide a 4h response time during standard working hours (9am - 5.30pm) weekdays. Our standard contracts are Monday to Friday, but weekend support is available at an additional cost.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 A
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Yes, at an extra cost
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: We use the "Freshdesk" platform for managing support requests with their integrated chatbot. At the time of writing there are no firm details as to whether any accessibility testing has taken place.
Web chat accessibility testing: We use the "Freshdesk" platform for managing support requests with their integrated chatbot. At the time of writing there are no firm details as to whether any accessibility testing has taken place.
Onsite support: Yes, at extra cost
Support levels: We provide a single support level but agree contracts based on the number of required base hours per month. Clients can always increase this number of hours if needed or call use ad-hoc support hours. The online helpdesk allows users to create and track support tickets, provide details, URLs and upload images (e.g. screen shots) relevant to the issue. The system provides real-time monitoring, with email alerts sent to all subscribed users each time a ticket is updated. Support is billed at a base rate of £105 per hour, with discounted support contracts available for larger number of hours. We provide help-desk support during the hours of 9.00am to 5.30pm UK time (excluding weekends and public holidays in England).
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The Compucorp implementation process is focused on helping the platform to deliver tangible outcomes for our clients. We are able to offer an end to end implementation service including discovery, configuration, training (both on and offsite) as well as supporting with complex content migrations. We will also supply full documentation of all processes that have been designed as part of the onboarding. We offer onsite and online training and extensive user documentation.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: As a user you will always be able to download data via the application export features, but for more technical administrators we can either provide database access to download data or we can export this for you in any prescribed format.
End-of-contract process: In some cases the hosting for the service is owned/managed directly by the client and we will manage it on your behalf. As such should you choose to move away, we will not restrict you from access to your own server and hosting infrastructure to work with another partner. You will have full ownership of your own code as everything is provided under open source licenses. If you are moving to a completely different application, we offer an optional decommissioning service to perform a full audit of all server, backups, credentials and data at an additional cost.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None.
Service interface: No
User support accessibility: WCAG 2.1 AA or EN 301 549
API: Yes
What users can and can't do using the API: Drupal has a highly configurable API which can allow any level of integration required. API's would however need to be configured to meet your integration requirements.
API documentation: Yes
API documentation formats: HTML
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Drupal is a highly flexible platform that supports high levels of customisations from within the application interface. This includes adding fields to various entities in the system. It is also possible to select from and install a wide array of community contributed extensions which add additional functionality. Should further customisation be necessary, the open source nature of the platform allows us to develop the platform in any way needed, and is unconstrained. We would be happy to discuss any developments as part of any implementation.

Scaling

Independence of resources: Our hosting infrastructure ensures that customer instances are logically separated to prevent users from accessing resources not alloted to them. Compucorp AWS-powered hosting ensures that customers are segregated via security management processes/controls at the network and hypervisor level.

Analytics

Service usage metrics: Yes
Metrics types: User last login date/time. User group access. Further metrics are possible and available on request. Full integration with google analytics available on request.
Reporting types: API access

Real-time dashboards

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users cannot export all of their own data from the platform currently. Administrators can configure exports of any of the system data.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Compucorp's AWS-hosted systems guarantee 99.99% availability of the service except for any scheduled maintenance downtime as may be agreed with the customer. Higher levels of availability with high availability infrastructures are available at request. Failure to meet agreed levels of availability will result in service credits awarded to the customer.
Approach to resilience: AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, SLAs are best reviewed directly on their website via the links below: • Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/ • Amazon S3 SLA: http://aws.amazon.com/s3-sla • Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/ • Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/ • Amazon RDS SLA: http://aws.amazon.com/rds-sla/ • AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/ Our well-architected solutions on AWS leverage AWS Service SLA’s and unique AWS capabilities such as multiple Availability Zones, which ease the burden of achieving specific SLA requirements.
Outage reporting: Compucorp’s incident reporting system ensures that outages (service failure, web site unavailable, etc) are reported directly to responsible parties via e-mails, so that necessary actions can be taken. An API is available on request.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password
Access restrictions in management interfaces and support channels: 2-factor authentication Public key authentication (including by TLS client certificate) Identity federation with existing provider (for example Google Apps) Dedicated link (for example VPN) Username or password.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Audit information for users

Access to user activity audit information: Users receive audit information on a regular basis
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: AWS
ISO/IEC 27001 accreditation date: March 27 2020
What the ISO/IEC 27001 doesn’t cover: Compucorp does not hold the certification directly, however, our hosting provider AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: Sagepay / Coalfire
PCI DSS accreditation date: 06/06/2019
What the PCI DSS doesn’t cover: Compucorp does not hold the certification directly, however, Sagepay, one of our preferred online payment partners, have current Payment Card Industry Data Security Standard (PCI DSS) certification. • PCI DSS v3.2 Level 1 Service Provider We can also integrate with other online payment providers as required who can provide this certification for e-commerce functionality.
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Compucorp operate an ISO 9001 aligned quality manual and ISO 27001 aligned information security policy. Our quality manual underpins our approach to software development, testing and release processes. Our information security policy underpins our approach to data management including staff training, development processes and internal data management. Should a higher level of security governance certification be required for an implementation we would be happy to seek it.
Information security policies and processes: Compucorp implement formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Compucorp is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data by maintaining policies in a centralised and accessible location. A copy of our policies are available on request.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Changes to the service are managed as described by our quality manual. All code changes are subject to multiple stages of review, before being committed to a fully auditable version control system. Automated and manual tests are then run before the changes are applied to any live environment.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: At the application level Compucorp monitors Drupal's Security notices. Drupal and therefore Compucorp use a risk level system based on the NIST Common Misuse Scoring System (NISTIR 7864). Each vulnerability is scored using this system and a number is assigned between 0 and 25. Security release "windows" are the first and third Wednesday every month, PDT timezone. A release window does not necessarily mean that a release will actually be made however. The hosting platform (operating system, software, and applications) receives automated security patching for all software directly from the OS maintainers.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Our comprehensive webserver monitoring solution will alert us to unusual system activity, unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Near real-time alerts flag incidents and our infrastructure team will take immediate action at the infrastructure or application level to correct any issues identified.
Incident management type: Supplier-defined controls
Incident management approach: Users report incidents via ticket or telephone to our support team who will then investigate, categorise and escalate these to our Information Security Management Team as required. Urgent issues are given clear priority and are treated as soon as possible. We retrospective all information security incidents in order to identify solutions to ensure they are mitigated in future.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

Compuco is committed to promoting sustainability in everything we do. As a Company built on open source principles we believe in not only minimising our impact on the environment, but also having a net positive contribution to society at large. Every day we can make decisions that will impact on the environment and the communities of which we are part. As such we have developed the following policy to dictate our actions for the benefit of all those involved. Our Sustainability Policy is based upon the following principles: To comply with, and exceed where practicable, all applicable legislation, regulations and codes of practice. To integrate sustainability considerations into all our business decisions. To ensure that all staff are fully aware of our Sustainability Policy and are committed to implementing and improving it. To use the latest technologies to minimise the impact on sustainability of all office and transportation activities.
Equal opportunity: Equal opportunity

Compucorp is committed to achieving a working environment which provides equality of opportunity and freedom from unlawful discrimination on the grounds of race, sex, pregnancy and maternity, marital or civil partnership status, gender reassignment, disability, religion or beliefs, age or sexual orientation. Our Policy aims to remove unfair and discriminatory practices within Compucorp and to encourage full contribution from its diverse community. Compucorp is committed to actively opposing all forms of discrimination. Compucorp also aims to provide a service that does not discriminate against its clients and customers in the means by which they can access the services and goods supplied by Compucorp. Compucorp believes that all employees and clients are entitled to be treated with respect and dignity. Any and all personal data used in connection with this Policy shall be collected, held, and processed in accordance with Compucorp’s [Employee] Data Protection Policy.

Pricing

Price: £600 to £900 a unit a day
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Compucorp can provide a full demonstration version of the system to clients to use for an agreed period of time (up to 1 month).

Drupal CMS: Open-source Content Management and Website Development

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Drupal CMS: Open-source Content Management and Website Development

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents