Primo Milestone

Primavera EPPM Cloud Hosting Service

We provide Cloud Hosting facilities for Enterprise Project and Portfolio Management (EPPM) and Enterprise Cost and Contract Management (ECCM) software for organisations where the main supplier does not have a cloud solution or where the supplier offering is inappropriate

Features

• Secure private hosting
• Primavera hosting managed by Primavera consultants
• Bespoke managed secure hosting
• Remote access

Benefits

• Privately managed Primavera hosting
• Support from Primavera consultants
• Highly resilient and robust
• Quickly access from anywhere

£80 to £90 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jinesh.patel@milestoneuk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

183210276337075

Contact

Jinesh Patel
(0)1525 243404
jinesh.patel@milestoneuk.com

Service scope

• Service constraints: From time to time there will be planned maintenance. These are usually once per quarter and are normally required for security reasons. Customers will be informed in advance. ; ; We endeavour to have these outside normal business hours.
• System requirements:
  • Business grade desktop or laptop
  • Reliable Internet Connection
  • Exclusion from Content Inspection is desirable to reduce latency
  • Oracle licencing

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our metrics show average response time to email is 7 minutes. Our standard contracted support excludes weekends.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Definitions; 1 - Urgent Total loss of service; Service unavailable or severely degraded to all users.; ; 2 – High Service impaired or degraded; Poor response times experiences by some users.; Issues with non-essential functionality. ; ; 3 - Medium Service change requests, non urgent tasks; Create, delete or suspend accounts.; Change permissions.; Expired passwords, other login issues.; ; 4 – Change Request Non service affecting works; Upgrades.; Upgrade versions.; Add new applications.; Restore Databases to previous points in time. ; ; First Line Response Target Resolution; 1 – Urgent 30 Minutes 2 Hours; 2 – High 1 Hour 4 Hours; 3 – Medium 2 Hours 8 Hours; 4 - Change Request 1 day To be agreed; ; Customers are provided wit Account managers and direct access to support engineers. Support cost is included in service cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We advise clients on options for migrating their data. If required we can run integrity scripts on user data to identify inconsistencies and corruption. We can cleanse data and upgrade database versions.; ; For user we provide detailed documentation on using the service and can run workshops on getting started.; ; We provide a sandbox environment for users to test scenarios.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: First there is no charge for data handover.; ; User can request their data as a standard Oracle RMAN backup or Oracle DBDump file. In addition users can export individual project as Oracle Primavera XML or XER files.
• End-of-contract process: We offer to provide the data to the client free of charge. ; ; We will keep the data for 30 days and will securely erase it to UK Government standards after that time.; ; There is no additional costs at the end of the contract for transferring or destroying the data.

Using the service

• Web browser interface: Yes
• Using the web interface: All functions are available via the web interface
• Web interface accessibility standard: WCAG 2.1 A
• Web interface accessibility testing: Testing was done by Oracle.
• API: Yes
• What users can and can't do using the API: Web Services are implemented and fully documented. ; ; There are no particular limitations.; ; Oracle's web interface follows Oracle accessibility philosophy and policies found at www.oracle.com/us/corporate/accessibility/policies/index.html. ; ; The Oracle Accessibility Guidelines are based on the2017 Revised Section 508 of the Rehabilitation Act of 1973 as amended, and the World Wide Web Consortium's(W3C) Web Content Accessibility Guidelines version 2.0 guidelines at the AA level (WCAG 2.0 AA). Oracle is committed to developing new products in conformance with Revised Section 508 and the WCAG 2.0 AA standards to the extent practicable. Our online documentation follows OAG 3.0, by fully adopting the Revised Section 508standards. In 2017 the U.S. Access Board announced the Revised Section 508 standard that is based on the WCAG 2.0 AA standards. In 2014, the European Union standard EN 301 549 ‘Accessibility requirements suitable for public procurement of ICT products and services in Europe’ was issued in response to Mandate 376, and it too was based on the WCAG 2.0 AA standards. Oracle has been an active participant in the development of these guidelines and is closely tracking their progress.
• API automation tools:
  • Ansible
  • Chef
  • Terraform
  • Puppet
• API documentation: Yes
• API documentation formats: HTML
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Each customer environment is unique. They are not shared or federated.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Oracle

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Entire customer database
  • Virtual server snapshots
• Backup controls: As standard, backups of customer databases are made on a daily basis, 7 days a week and a minimum of 10 backup iterations are kept. Customers do not control backups.; ; In addition snapshots of database and application servers are made on a daily basis and a minimum of 10 iterations are kept.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: IPsec or TLS VPN gateway
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We guarantee 95% availability for the entire service.; ; customers are refunded on a pro-rata basis for any downtime that exceeds 1one working day.
• Approach to resilience: We use virtualisation technology to dynamically move servers between physical hosts when hosts are highly loaded.; ; We use dual independent power feeds to all server racks and servers. ; ; We use 2 separate backup technologies and copy server images to a standby datacentre on a daily basis.; ; We use Highly Available clustered internal and external firewalls.
• Outage reporting: A private dashboard in our operations centre; ; email alerts

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are on a dedicated firewalled subnet.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Dedicated link (for example VPN)
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 19/02/2023
• What the ISO/IEC 27001 doesn’t cover: Both datacentres are ISO 27001 certified.; ; The hosting service offered by Milestone is not yet certified.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Out Technical director defines policies for the management of information security and sets direction and provides advice to help protect client data.; ; They coordinate the reporting of information security risk to our Directors. ; ; Our Information Security programs are designed to preserve the confidentiality, integrity and availability of data , accessed, used, maintained, and hosted by us.
• Information security policies and processes: The hosting and security teams both report to our technical director; ; We implement a number of security policies including but not limited to; ; Remote access; Password management; Portable media; Acceptable use; Data Destruction ; Use of management network; Backups; Disaster Recovery; Security Training; Account disablement; ; We ensure policies are followed by monthly reviews where we review incidents, access logs, account usage. Serious breaches of policy result in disciplinary proceedings.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our change management process follows clear steps; ; Description - what will change.; Why it must be done and will it impact security.; Who will be involved.; Links to documentation, e.g., security bulletin; Pre-installation plan including; Consent - warn those affect and obtain consent; Backup.; Install plan - in as much detail as possible; Post-installation. Check that the system and anything interacting with it works correctly. revert any temporary settings. Make changes to the documentation. ; Backout Plan. Actions that will be performed in case of problems within a reasonable time
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We are in receipt of various security bulletins including those specific to our services - for example Oracle's quarterly security bulletin. ; ; We access new vulnerabilities and plan our mitigation approach accordingly.; ; Normally we patch once a month in a regular scheduled 4 hour window. However with serious vulnerabilities we liaise with clients to schedule an emergency patch window.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use intrusion protection on external firewalls to block IPs with suspicious activity.; We review all outbound activity on firewall logs and investigate any anomalies e.g., denied requests.; We continuously monitor servers for various conditions such as URL availability.
• Incident management type: Supplier-defined controls
• Incident management approach: Users may report incidents via email or phone call or we may discover incidents from monitoring or alerts.; ; We use a straightforward incident management process that defines procedures for; ; Incident Logging and Categorisation; Notification & Escalation; Investigation and Diagnosis; Resolution and Recovery; Incident Closure; ; users are informed of an incident as soon as one is detected and will receive updates as new information become available. After resolution the receive an full incident report.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: We uses a walled garden approach where each organisation have an entirely separate environment with its own dedicated database and application servers and subnet.; ; It is not a federated solution.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Telstra is part of the Climate Change Agreement in the UK, and complies with the 2018 Streamlined Energy and Carbon Reporting scheme and the Energy Savings Opportunity Scheme.; ; The datacentre is now running on 100% renewable energy sources. In addition, all fixtures and fittings now include motion detector LED lighting to improve energy efficiency, and a water osmosis system has been implemented to improve the building’s water efficiency and cooling. These important steps follow changes we made in 2018, when we installed new chiller units that have improved energy efficiency by more than 40 per cent.; more info: https://www.telstra.co.uk/en/news-research/articles/running-on-100-renewable-energy-powering-telstras-move-to-sustainability

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Primo Milestone Ltd recognises that discrimination and victimisation is unacceptable and that it is in the interests of the Company and its employees to utilise the skills of the total workforce. It is the aim of the Company to ensure that no employee or job applicant receives less favourable facilities or treatment (either directly or indirectly) in recruitment or employment on grounds of age, disability, gender / gender reassignment, marriage / civil partnership, pregnancy / maternity, race, religion or belief, sex, or sexual orientation (the protected characteristics).

Pricing

• Price: £80 to £90 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We provide a free trial if the client can provide a rational for the trial. ; ; Trials include all features of the service.; ; Trials are limited by time - typically this is 15-30 days.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jinesh.patel@milestoneuk.com. Tell them what format you need. It will help if you say what assistive technology you use.