Storm ID

Umbraco Cloud

Umbraco Cloud is a fully managed SaaS/UaaS service for the design, build and support of Umbraco CMS (including Heartcore for headless CMS). Storm ID can set up and implement Umbraco Cloud, underpinned by Microsoft Azure, to deliver a highly resilient, secure and scalable environment.

Features

• Enterprise publishing framework
• Fully accessible and compliant
• Multi-lingual capabilities
• Cross-browser administrator access
• Content versioning
• Umbraco workflow
• ISO/IEC 27001:2013 security certified
• Responsive mobile friendly design
• Storm's agile and iterative digital service design methodology
• Storm's best practice user centred digital service design methodology

Benefits

• Storm ID is a Microsoft Solutions Partner
• Resilient, scalable and cost effective fully managed hosting service
• Highly extensible publishing framework supporting integration of bespoke transactional services
• Supported by award-winning strategic digital service development
• Extensive Microsoft .NET digital services development capability
• Best practice digital service design methodologies
• Increase performance and flexibility of your network
• Reduced total cost of owning an IT solution
• Remove the risks of hosting on your own hardware
• Improved IT security

£50,000 to £250,000 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@stormid.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

171080222356087

Contact

Business Development
0131 561 1250
tenders@stormid.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: There are limits and constraints associated with our hosted Umbraco service. The number of Umbraco sites, number of envrionments per site and number of users are determined based on the subscription package purchased. ; ; Default quotas are flexible and can be configured by the Storm ID Service Client Partner.
• System requirements: All system requirements are supported

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours.; ; Response times at weekends, public and bank holidays are negotiated separately.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours.; ; P1 - Urgent: Complete loss of an entire service for all users or severe degradation resulting in inability to function;; P2 - High: Service functioning improperly resulting in some loss of service/system failure removing service from a number of users;; P3 - Medium: Service functioning at less than optimal performance/system problem impacting but not removing service, resolve minor bugs/site errors;; P4 - Low: Change requests.; ; Support services are tailored to each client and charges reflect the level of service required to support the service. Standard hourly rate is £105. A discounted rate of £95 can be had for bank of hours bought in advance.; ; Storm ID provide a Technical Account Manager backed up by a WebOps Team. Support can be accessed via an online ticketing system, email or phone. Enhanced support (outside office hours and at peak service use) is available optionally. Monitoring systems and alerts will be implemented with regular reports provided on service performance and support used.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: To support customers we offer tailored training for the Umbraco Cloud CMS which can be delivered remotely or on premise.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Approach can be designed to suit customer requirements.
• End-of-contract process: Approach can be designed to suit customer requirements. There may be additional costs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile experience is fully featured but interfaces are optimised for smaller form factor.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: .
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Manual and automated interface accessibility testing has been undertaken but not specifically for users of assistive technologies.
• API: Yes
• What users can and can't do using the API: Umbraco offers a headless implementation (Umbraco Heartcore) which exposes fully documented APIs for content delivery and management. These APIs can be used to both retrieve read-only content and media, or to perform create, read, update and delete operations on items with the CMS. Access to APIs can be restricted by an API key.; ; Storm ID can also provide custom API implementations for extended functionality as required utilising ASP.NET Web API.; ; Set-up and access to the API's can be arranged by the Storm ID Service Manager.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Almost any element of the Umbraco Cloud CMS can be customised to meet specific customer needs. Customisation is available to support the need to scale, to support specific security standards, monitoring and reporting or to provide extended help desk cover.; ; Customisation requirements are typically informed through early stage work in determining user needs and organisational goals. For a live service, further customisations can be considered in response to analytics, user feedback and product enhancements.

Scaling

• Independence of resources: Virtualisation technology is used to ensure applications and users sharing the same infrastructure are kept apart. A dedicated infrastructure option is also available.

Analytics

• Service usage metrics: Yes
• Metrics types: Using tools such as web analytics and other data sources we monitor service usage and performance and recommend where service improvements could be made.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Approach can be designed to suit customer requirements.
• Data export formats:
  • CSV
  • Other
• Other data export formats: XML
• Data import formats:
  • CSV
  • Other
• Other data import formats: XML

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Storm ID guarantee that hosted services will be available 99.95% of the time. If service levels fall below the quality we commit to then penalties will be incurred to compensate customers and drive service improvement. ; ; Financial penalties, service credits and their calculation will be agreed as part of the call-off agreement with the customer together with the terms and conditions and KPIs for the service.
• Approach to resilience: Microsoft Azure provides failover capability. More information available on request.
• Outage reporting: Public dashboard, API and email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Limited access network (for example PSN)
• Access restrictions in management interfaces and support channels: Available on request
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA
• ISO/IEC 27001 accreditation date: 07/02/2023
• What the ISO/IEC 27001 doesn’t cover: The scope of our certification is Information Security Management of all Company systems, data, software and customer supplied data processed on their behalf. As laid out in our Statement of applicability dated 30/08/2022. Our certification does not cover items held within customer-controlled systems or within Azure systems hosted by Microsoft to whom the responsibility for security falls.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Information is an asset that Storm ID has a duty and responsibility to protect.; ; Our information security management system (ISMS) sets our approach to managing information security and is approved by top management and communicated to employees, contractual third parties and agents.; ; Top management are committed to protecting the information that we store and process though good information security practices. To achieve this, and comply with regulations, we have established: ; ; an information security policy; a commitment to customer focus and applicable regulatory requirements ; information security objectives that are measurable and consistent with the information security policy ; an ISMS describing our approach to information security; responsibilities, authorities and communication processes ; a management review process; a process to ensure availability of resources ; data access and security processes ; a business continuity / incident management procedure; ; Top management believe that a commitment to information security is important in order to: ; ; encourage information and cyber security awareness amongst employees, to develop and a ‘secure by design’ mindset; increase customer confidence, which helps build relationships with and retain customers ; reduce our exposure to risk ; effectively utilise our resources ; ; Storm ID have Cyber Essentials Plus accreditation and ISO27001.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change management is employed to evaluate, control and minimise risk and cost, and maintain the established standards and quality criteria. Our change management process is incorporated into our ITIL-based continual improvement process, that encompasses business objectives, creates baselines, defines measurements, and plans and implements improvements. Our change controls:; ; establish the purpose, category and nature changes; determine the potential consequences of changes; assess resource requirements for the changes; ; We use configuration management to establish and maintain consistency in our software’s performance. This includes configuration management for:; ; Project/work management; Source control; Build/release pipelines; Packages and artefacts; Azure CSP tenancies, subscriptions and Infrastructure
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Storm ID apply our Quality Management System processes, and Cyber Essentials Plus backed security best practices to the information and IT assets we handle, reducing risk associated with vulnerabilities by being able to identify, classify, prioritise, remediate and mitigate vulnerabilities. Vulnerability scans are run regularly to identify weaknesses in the configuration of systems and to determine if any are missing important patches or software. Remediation or mitigation is undertaken on any vulnerabilities identified according to the class and priority of the vulnerability.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use ‘always-on’ proactive and protective monitoring to:; ; monitor the software performance; systematically identify risks; detect software faults when they occur; quickly initiate necessary corrective actions; ; Our proactive monitoring involves collecting meaningful and practical information. To do this we use tools such as:; ; Azure App Insights; Azure Log Analytics; StatusCake; Performance analytics; Service reports; Helpdesk calls and tickets; Customer complaints and positive feedback
• Incident management type: Supplier-defined controls
• Incident management approach: Storm ID’s incident management process requires that all events and suspect events that could result in the actual or potential loss of data, breaches of confidentiality, unauthorised access or changes to systems, must be reported immediately to top management by email, telephone or in person.; ; Incidents are centrally recorded, and appropriate management measures, including escalation and notification procedures are in place.; ; Incident reporting procedures are included in employee training.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Storm ID is committed to achieving NetZero greenhouse gas emissions by 2045, aligning with Scottish Government policy and supporting the UK Government policy of achieving NetZero emissions by 2050. We have established a Carbon Reduction Plan following PPN 06/21 guidelines, associated guidance and reporting standings. For our greenhouse gas company reporting, we use the UK Government emission conversion factors. ; ; Our strategy prioritises minimising our impact on the environment and contributes to tackling the climate crisis. We aim to make changes to support this and plan for the effects of climate change on our organisation, stakeholders, customers and suppliers. Consequently, we have established the following environmental management measures:; • Service offering: Providing service design recommendations for a coherent information architecture that helps users find content they need more efficiently, reducing the carbon emissions created from the service.; • Optimising digital services by encouraging greener choices: Applying the principles of weight reduction to application interfaces and image optimisations. Encouraging the use of dark mode capability and the promotion of colour palettes to prioritise low energy colours, whilst keeping accessibility in mind.; • Migrating internal IT infrastructure to cloud-based services: Decommissioning old infrastructure and migrating to optimised cloud-based services, reducing on-premise IT infrastructure and comms room cooling requirements.; • Flexible working principles: Maintaining flexible working practices and opportunities, leading to fewer employee commutes to our office, reduced energy consumption (gas/electricity) and decreased use of office supplies, resulting in fewer deliveries and transportation needs. ; • Local biodiversity: Joining and contributing data to the UK Pollinator Monitoring Scheme with staff volunteers maintaining our office garden with seasonal flora to stimulate local wildlife. ; • Supply chain audit: Conducting thorough checks on environmental sustainability and carbon reduction for each of our suppliers. In particular, supporting local businesses and those actively working to reduce their carbon emissions.

  Covid-19 recovery

  Storm ID continued operation throughout the pandemic, delivering essential services to the NHS, including software for the NHS Scotland National Notifications & Contact Tracing Service, a long COVID study and providing further services for key public sector organisations. ; ; Acknowledging the pandemic’s effect on individuals and communities, we have remained committed to providing employment opportunities for those seeking retraining. We broadened and enhanced both our apprentice and graduate recruitment programmes for those entering the workforce, following disruptions in further and higher education, to support growth in our local economies. ; ; We prioritised our employees’ wellbeing by providing home-working equipment for posture and comfort, organising regular social wellbeing events and comms channels, contributing financially to fitness and wellbeing treatments, providing health and dental insurance and offering counselling services in partnership with Bupa. ; ; We maintained inclusive and accessible practices and conditions through the implementation of our fully remote recruitment process. This has allowed us to recruit from a wider geographical area and offer flexibility to prospective candidates. Embracing fully remote and hybrid working has helped us attract top talent while improving work-life balance. ; ; Our hybrid working model allows staff the benefits of both home and office-based working, while meeting customer needs. Storm ID enables employees to work from wherever they prefer; whether from home, the office or elsewhere, subject to security considerations. With our office space utilisation at lower capacity we use the space more thoughtfully for individual or team-based work.; ; Many of the projects we delivered since the pandemic have aimed to help organisations and their service users manage and recover from the impact of COVID-19. Engaging in projects that make a difference to people and the wider community has had a positive impact on the health and wellbeing of our team.

  Tackling economic inequality

  Storm ID is an accredited Living Wage employer. We offer competitive compensation packages and benefits, designed to attract and retain talent. With our annual salary review policy, employees can expect their pay to be increased in line with the cost of living, without having to request it. We have a Profit Related Reward scheme, with a portion of the company’s profit shared among all employees as a bonus.; ; Our annual budget process guarantees funds for investing in workforce development. This covers costs for ongoing professional development activities, access to online learning resources and attendance at events. We regularly discuss opportunities for development to address career progression, skill gaps and achieve recognised qualifications. These discussions occur during monthly one-to-one check-in meetings between workers and line managers. ; ; We maintain inclusive and accessible recruitment practices. We believe that protected characteristics should never be barriers to career progression. Our inclusive working environment fosters a culture where individual growth and rewards are solely based on merit and capability. We have a flexible location recruitment policy and where appropriate will be looking to hire from regions in the UK where we know there is an economic need for skilled jobs. ; ; Our R&D initiative allows employees to work on their own ideas, fostering intrapreneurship. These ideas often focus on topics important to employees, such as environmental sustainability and equal access to STEM. Additionally, our team frequently volunteers to host CoderDojo sessions in our offices to inspire young people, especially girls and young women, to pursue STEM fields.; We have assisted employees in developing intellectual property (IP) and launching new businesses.; ; From a supply chain perspective, we have formed partnerships with cybersecurity companies to offer security incident management and IT health checks in the services we provide to public sector clients.

  Equal opportunity

  Storm ID is committed to providing a workplace where diversity, equality, equity and inclusion are actively discussed, promoted and supported. Our employee-powered People and Culture Forum contributes to the creation and maintenance of a working environment in which all individuals can make best use of their skills, free from discrimination (direct and indirect), victimisation, harassment and bullying, and we monitor and measure regularly through employee surveys.; ; We maintain inclusive and accessible recruitment practices. We firmly believe that protected characteristics should never be barriers to career progression. We have a flexible location recruitment policy and where appropriate will be looking to hire from regions in the UK where we know there is an economic need for skilled jobs. Our inclusive working environment fosters a culture where individual growth and rewards are determined fairly based on capability, with a transparent remuneration policy.; ; We ensure equal access to training, identifying needs through appraisals. Employees receive appropriate training budget and opportunities to help them advance within Storm ID. Our inclusive working environment fosters a culture where individual promotions and rewards are solely based on merit and capability. ; We are committed to reducing the disability employment gap. Storm ID is currently at Level 1: Disability Confident Committed and we are actively working towards Level 2: Disability Confident Employer. We will continue our inclusive recruitment practises and work with the Disability Confident scheme to improve how we recruit, retain and develop disabled employees. ; ; Our HR Team keeps track of our workforce profile to assess how diverse, equitable and inclusive our workforce is.; ; Storm ID will continue to engage specialist EDI Consultants where needed to improve our efforts in this area and the positive impact on recruitment of disadvantaged and underrepresented groups.

  Wellbeing

  Storm ID prioritises health and wellbeing, job satisfaction, and achieving a work and life balance. Our hybrid working model offers the advantages of both remote and office-based work, catering to customer needs while allowing employees to choose their preferred work location, whether at home, in the office or elsewhere, with security considerations. ; ; We encourage employees to utilise our wellbeing benefits, which include flexible working arrangements, our eye care scheme, financial contributions to fitness, health and dental insurance and counselling services in partnership with Bupa. Additionally, we remind employees about the importance of using their annual leave allowance.; ; Our HR team and People and Culture Forum regularly share content on mental health and wellbeing, such as during Stress Awareness Month and World Mental Health Day, to raise awareness and encourage time-to-talk. Additionally, we actively support local charities through annual sponsored activities and participation in community initiatives. Our volunteering policy grants all colleagues two days per year to dedicate to charity or community work.; ; Contractual stability is a key priority for us and we ensure the burden of risk is not disproportionately placed on workers. We offer competitive and transparent remuneration and a benefits package designed to attract and retain talent. Our annual salary review takes place in March, ahead of the new financial year. Our review policies guarantee salary increases aligned with the cost of living, without the need for individual requests. We also operate a Profit Related Reward (PRR) scheme, distributing a portion of company profits among all workers.; ; We want employees to excel in their work, take pride in their achievements and feel supported. Job fulfilment is integral to our job design, serving as a key criterion during candidate interviews and a point-of-discussion during monthly one-to-one check-ins and quarterly progress reviews with line managers.

Pricing

• Price: £50,000 to £250,000 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@stormid.com. Tell them what format you need. It will help if you say what assistive technology you use.