New Vector Ltd

Element Matrix Services

Matrix Server Hosting: build on Matrix without having to own and manage your Matrix infrastructure. Element Matrix Services (EMS) is a robust and reliable hosting service for fast, secure real-time communication.

Features

  • Fully managed hosting
  • Multi-tenant or dedicated hosting
  • Custom domains
  • End-to-End Encryption
  • Hosted bridging
  • Universal chat
  • Decentralised
  • Run by the experts

Benefits

  • Inherent resilience through decentralisation
  • Solid foundations, supported by experts
  • Fully managed hosting for fast, robust performance
  • Speed development by building on top of hosted Matrix infrastructure
  • End-to-end encryption for secure chat
  • Control of your data, even when it’s hosted by us
  • Build and embed your own encrypted chat
  • Open network, with bridging to other platforms
  • Scalable to support up to millions of users

Pricing

£1.08 a licence

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at roba@element.io. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

252096467993447

Contact

New Vector Ltd, Ron Aherne
Telephone: 07885553945
Email: roba@element.io

Service scope

Service constraints
None
System requirements
  • None for cloud.
  • An environment where the server can run (if on-premise).
  • We recommend a Kubernetes container environment (if on-premise)
  • But all modern infrastructure is supported (if on-premise).

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 1 business day
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AAA
Web chat accessibility testing
Web chat is provided through the Element app. We have iterated our standard design and 'large text mode' directly with education-based Buyers; this process involved user testing and validation. We have also worked extensively with Mozilla's accessibility team to support screen readers and achieve AAA WCAG compliance (c.f. https://www.marcozehe.de/how-to-use-element-and-matrix-with-a-screen-reader/).
Onsite support
Yes, at extra cost
Support levels
Remote support is provided as part of the services between 0900-1800 UK time, which can be delivered at Level 2 and/or Level 3. We can provide technical account managers, who oversee and coordinate the delivery of ongoing support. Associated costs are provided in the pricing matrix.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We currently provide remote or onsite training, which can of course be tailored to the users and controllers. We also have comprehensive user guides and user videos to support setup and familiarisation.

Our Element Enterprise Installer service also makes setting up a Matrix deployment quick, intuitive and secure, leveraging proven cloud-native technologies such as containers and Kubernetes if you want to bring your Matrix deployment on-premise. Deployments can be migrated between any Kubernetes-certified environments. Furthermore, our bridging capabilities allow users and organisations to remain connected to existing services and platforms, enabling a gradual transition to their new cloud service.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
If the customer is self-hosting then they will, by design, own and retain complete control of their data throughout. When the customer is hosted in Element's cloud (via EMS) and users want to extract their data, they can request a database export (a PostgreSQL database dump). This can export the whole database (if the user has the required level of administrative access) or specific extracts (from rooms). Finally, there is a client-side option that allows end users to export a room's history, post-decryption. This is useful for archiving content, whereas the DB dump is better suited to migrating whole servers. Self-managed, on-premise deployments have the same options.
End-of-contract process
If the customer is self-hosting then they will, by design, own and retain complete control of their data throughout. When the customer is hosted in Element's cloud (via EMS) and users want to extract their data, they can request a database export (a PostgreSQL database dump). This can export the whole database (if the user has the required level of administrative access) or specific extracts (from rooms). Finally, there is a client-side option that allows end users to export a room's history, post-decryption. This is useful for archiving content, whereas the DB dump is better suited to migrating whole servers. Self-managed, on-premise deployments have the same options.

Using the service

Web browser interface
Yes
Using the web interface
Users can create an online account to manage their products and services through a web portal interface. Account creation is self-service. The interface provides users with a variety of functions, including:
  • Creating and managing Matrix homeservers (and hosted client instances).
  • Purchasing, hosting and configuring Matrix-related services and integrations: bots, bridges, service extensions.
  • Managing subscriptions, invoicing, account and payment details; viewing historic usage and invoices.
  • Administration tools for a variety of homeserver management functions, including creating homeserver user accounts, setting/resetting passwords, broadcasting server messages, and viewing and managing homeserver rooms and resource utilisation.

The web interface provides a rich UI for managing user services, including the ability to configure core server settings, specify user registration and authentication mechanisms, set branding, etc. Changes made in the UI are propagated to the running services when saved.
Server and service configuration is currently limited to a single user login associated with the account. Account authentication is achieved through username and password credentials (with optional two-factor authentication), or via Single Sign-On, e.g. Google account authentication. Only successfully authenticated users are able to view or make changes to products and services associated with an account.
Web interface accessibility standard
WCAG 2.1 AAA
Web interface accessibility testing
We have iterated our standard design and 'large text mode' directly with education-based Buyers; this process involved user testing and validation. We have also worked extensively with Mozilla's accessibility team to support screen readers and achieve AAA WCAG compliance (c.f. https://www.marcozehe.de/how-to-use-element-and-matrix-with-a-screen-reader/).
API
Yes
What users can and can't do using the API
Element’s offering is based on the Matrix protocol, which is designed as a giant API (https://spec.matrix.org/v1.2/). As such, essentially anything can be done via the API: user management, room management, moderation, etc. In the case of Matrix hosting, the user (i.e. administrator of the service) will probably mostly interact with the Client-Server API (https://spec.matrix.org/v1.2/client-server-api/) as they set up a client to use the resources of the server, but may have to interact with the Application Service API (https://spec.matrix.org/v1.2/application-service-api/), for example if they try to integrate their communication system with a third party via bridging, or the Identity Service API (https://spec.matrix.org/v1.2/identity-service-api/) if they are trying to use existing identifiers with the service.
API automation tools
  • Ansible
  • Terraform
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface
Configuration via the command line is done using standard tools such as cURL, and as such is compatible with any operating system where cURL runs (i.e. Linux, Windows via WSL, macOS, the BSD family and other variants of UNIX).
The command line interface available for automating EMS is described at https://spec.matrix.org and https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
Our use of Kubernetes environments ensures the logical separation of users and therefore mitigates the demand and impact of other users and deployments. Our Element Enterprise Installer service makes setting up a Matrix deployment quick, intuitive and secure, leveraging proven cloud-native technologies such as containers and Kubernetes. Deployments can be migrated between any Kubernetes-certified environments. Furthermore, our bridging capabilities allow users and organisations to remain connected to existing services and platforms, enabling a gradual transition to their new cloud service.
Usage notifications
Yes
Usage reporting
Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Number of active instances
  • Other
Other metrics
We can provide Grafana dashboards showing deep server analytics
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Conversation data
  • Transferred files
  • Underlying databases
Backup controls
Users may back up their data themselves by exporting it; alternatively, EMS can provide regular snapshot backups of database and filesystem state in order to avoid data loss. The schedule is currently defined by the EMS administrator for the account rather than by users.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks
Data flowing from a customer’s network to our network is protected at all times by TLS 1.3 encryption. A second layer of encryption is enabled at the content layer, in the form of end-to-end encryption (Olm and Megolm, variants of the double-ratchet protocol).
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Each customer service is logically separated using industry best-practices

Furthermore, in Matrix, events in rooms are end-to-end encrypted, meaning that as well as being encrypted over the wire (TLS), events (messages) are also encrypted at rest on the server. They can only be read by the client (the user device) which has the keys to decrypt the message.

This provides multiple levels of protection: separation between customers, encryption of data in transit, and encryption of data at rest.

Availability and resilience

Guaranteed availability
99.5% availability by default

Credit to the customer’s account.
Approach to resilience
The service is designed to be decentralised, with multiple servers federating together to create the service. For instance, chat room data doesn’t exist only on a given server but on the servers of all end-users participating in the conversation. Furthermore, server X going down and becoming inaccessible doesn’t affect another server Y’s users’ capacity to use the service. Only users of server X are affected. These properties create a built-in layer of resiliency.
Outage reporting
We have support rooms with customers to discuss outages and their resolution. We also would contact by email if necessary, but have never had a customer outage that needed such a step.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Join permissions on rooms. Rooms can be publicly joinable, invite-only, or scoped to the Space (Matrix room container). Rooms can also be restricted to a given server. Management interfaces (e.g. EMS) are additionally restricted by role-based access controls.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • Used at OFFICIAL SENSITIVE on current UK Gov deployments.
  • Successfully evaluated at SECRET in a Test & Dev environment.

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
Our approach to information security is based on the principles defined by ISO 27001 as much as possible, in the sense that best practice risk management principles are followed for policy and procedure changes, as well as embedded within day to day information security work.

In terms of specific policies and procedures, we have an IT Information Security Policy in place, which covers both server-side and workstation-level security, and which is complemented by other policies and procedures:
  • Patching Policy
  • Incident Response Procedure
  • Personal Data Breach Notification Procedure
  • BYOD and Device Security Procedures and Guides
  • Privileged Access Controls and User Entitlement Reviews

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use Ansible and Terraform. Since everything is infrastructure-as-code, we enforce code reviews from peers and have CI checking and validating patches.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Initially, vulnerabilities are assigned a ticket in an internal repository. For third-party software, we triage (looking at publicly available solutions), assess exposure and disable or work around the affected functionality until a patched version is available. We monitor security announcements and mailing lists, and maintain in-house vulnerability scanning and pentesting.

For our own software, our engineering team works on a fix. Depending on severity, we either remediate the issue immediately or wait for a patched release. Finally, we verify that the issue no longer affects us. Vulnerabilities are reported by external researchers via security@matrix.org or security@element.io, or discovered in-house.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We monitor alerts for important events, such as sign-ins to important accounts. We perform weekly in-house port and vulnerability/CVE scans to monitor changes in our external surface.

If a potential compromise is detected, a ticket is filed internally, detailing known information. The incident is then also raised in an internal security room and given top priority.

The Ops and Security teams cooperatively assess and investigate the incident to determine what, if anything, needs to be done to sanitise (rebuilding hosts, rotating secrets, etc.). In the event of a data breach, the internal Data Breach Response and Notification Procedure is followed.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are either reported to us by external researchers via security@matrix.org or security@element.io, or discovered in-house. If a potential compromise is detected, a ticket is filed internally, detailing known information. The incident is then also raised in an internal security room and given top priority.

The Ops and Security teams cooperatively assess and investigate the incident to determine what, if anything, needs to be done to sanitise (rebuilding hosts, rotating secrets, etc.). In the event of a data breach, the internal Data Breach Response and Notification Procedure is followed.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Other
Other virtualisation technology used
We use Kubernetes containers to isolate separate applications from each other, and to separate different user instances from each other.
How shared infrastructure is kept separate
We use Kubernetes containers to isolate separate applications from each other, and to separate different user instances from each other.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
Our datacentres are provided by AWS, which adheres to the EU Code of Conduct for energy-efficient datacentres. For more information please visit https://aws.amazon.com/about-aws/sustainability/

Social Value

Fighting climate change

We have invested heavily in designing Matrix to provide robust decentralised access control and permissions without wasting any electricity: Matrix uses a minimal energy footprint and is designed specifically for low-latency decentralised communication rather than using blockchains of any kind. We also have a Carbon Reduction Plan, which is available on request (as submitted in Lot 4).
Tackling economic inequality

To provide training opportunities for underrepresented groups, Element is sponsoring interns through the Outreachy organisation. Outreachy provides internships to people subject to systemic bias and impacted by underrepresentation in the technical industry where they are living.
Equal opportunity

Operating in a technical industry means diversity is a huge focus of ours. We believe that having a diverse team brings fresh ideas and approaches, making us more creative and effective in our work. We reflect this commitment throughout the business but mostly in our hiring practices. Some things we have done recently include:
  • Providing unconscious bias training to all of our team who are part of the interview process.
  • Reviewing our job descriptions against the industry standard, to ensure we are using inclusive language.
  • Extending our candidate sourcing to include agencies and job boards with a focus on diversity hiring.
  • Working with organisations providing internships to diverse candidates, to ensure we are providing equal opportunities where we can.

Being a global team also means our focus needs to be on making the wider team feel that Element is an inclusive, accepting and safe place to work. Some things we have done recently to promote inclusion include:
  • Running our company meeting in three different time zones to make sure everyone in the team has time with the founders and doesn't miss important announcements.
  • Rolling out a company events calendar including local celebrations specific to each country.
  • Rolling out a new holiday policy which recognises the local bank holidays for each region, promoted company-wide for transparency.
  • Celebrating our differences by incentivising the creation of employee-led groups, like the Queer Group.

Inclusion is not only in the activities we promote, but also in our day-to-day behaviours. Here are some examples we try to live by:
  • We respect each other's time zones, making sure we work asynchronously when needed.
  • We translate things where we can, whether official documents or in a chat room.
Wellbeing

Our main goal for wellbeing at Element is to make sure our team feels safe, productive and happy at work.
  • Transparency: we are committed to being a transparent organisation so we can build trust with our team. Only when trust is present do people feel they can be open and honest about their wellbeing needs.
  • Senior leadership: our senior leaders are our biggest wellbeing advocates. Having them on board and communicating regularly about the importance of wellbeing means our team can feel safe to manage their wellbeing in their own way.
  • Flexibility: we know everybody's needs around mental health are different. We are committed to giving the team the time and space they need to manage their own wellbeing, and to giving managers the discretion to offer flexibility when it is needed.
  • Open communication: we regularly check in with our team through various surveys, feedback forms and one-to-one chats to make sure our wellbeing offering is still fit for purpose. We also provide wellbeing check-in sessions and open lines of communication, where people can come and talk openly, ad hoc and in a safe environment.
  • Benefits offering: having a consistent feedback loop on wellbeing means we are consistently reviewing our wellbeing offering to make sure we are providing our team with the right tools. That currently consists of lots of annual leave to take time to de-stress, private medical insurance including access to mental health services, and flexible hours to avoid burnout.
  • Manager resources: we also provide tools for managers to help them support their teams' wellbeing, such as wellbeing guides and mental health support guides for managers.
  • Events: we make sure to recognise things like Mental Health Awareness Week and Wellbeing at Work Week, organising events and talks to promote wellbeing.

Pricing

Price
£1.08 a licence
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Trial Enterprise licences for up to 600 users for 1 month, including our Enterprise Installer tool to set up your own deployment. Bridges (from our existing library) on a case-by-case basis.