MIXD

WordPress hosting and support

Mixd Managed Hosting is a managed WordPress hosting platform for UK public sector websites. Hosted in the UK and operated by specialists in enterprise WordPress development, we provide secure WordPress hosting, maintenance and support services for the NHS, central government departments, local authorities and other public sectors.

Features

• 24/7 support
• 99.99% uptime SLA
• Hosted in UK data centres
• Automated WordPress updates
• Web Application Firewall (WAF)
• DDoS protection
• Encrypted backups
• Monitoring and alerting
• Built-in CDN (Content Delivery Network)
• High-performance scalable infrastructure

Benefits

• Built for UK public sector WordPress websites
• Fully managed WordPress hosting service
• Mixd is a leading enterprise WordPress agency
• Expert support from a user-centred digital agency
• Web accessibility support and training
• Flexible support options including SLA
• UK-based support team
• Committed to Social Responsibility
• ISO27001, ISO9001 and Cyber Essentials Plus certified

£120 a unit a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@mixd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

274386226674801

Contact

Phil Shackleton
0113 360 8250
info@mixd.co.uk

Service scope

• Service constraints: Mixd Managed Hosting is a managed hosting platform built specifically for public and third sector WordPress websites. We provide secure hosting, maintenance, support and development services to cover all your WordPress needs. In order to provide security assurance, websites being migrated to the service must be audited by Mixd before being deployed onto the platform. Planned maintenance will be agreed in advance and any required downtime will be scheduled with timescales to suit both parties.
• System requirements: WordPress

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: For urgent priority support requests, the initial response is 1 hour. For high priority, the initial response is 2 working hours. For normal priority, the initial response is 8 working hours. For low priority, the initial response is within 5 business days.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Testing completed by our support software provider Zendesk.
• Onsite support: Yes, at extra cost
• Support levels: Support plans can be customised to meet individual client needs depending on their in-house technical capabilities with our optional support time add-ons. Please refer to the attached pricing document for support costs. Our support helpdesk is available 09:00-17:30 Monday to Friday, excluding UK public holidays for routine support requests and 24/7 for emergency out-of-hours support. By raising a support ticket, you can ask for assistance with any problem you come across, from a bug on the website to help using WordPress. All plans include a dedicated account manager and quarterly performance review meetings.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will assess your likely capacity and support requirements. Based on this we’ll recommend a combination of support options and infrastructure that we believe best meets your needs.; ; Questions about our service can be raised through the G-Cloud clarifications question process to help you make an informed decision.; Hosting, maintenance and support can be tweaked to fit your changing needs throughout the life of the contract.; ; We can also offer help with more complex migrations that may require functional changes or assurance work to be completed, as well as supporting any internal assurance work that you might need to do within your organisation.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Mixd will supply a full export of your WordPress website (including the database and uploaded files such as images and documents) on request at any time, via a request to our Helpdesk. Mixd will provide support to you and/or any authorised new supplier to migrate the site to a new environment or successfully extract data from it. Should you and/or your authorised new supplier require further assistance, we can, for an additional fee, remain involved with the migration to a new hosting environment to help you and them become more familiar with the service and complete a thorough handover.
• End-of-contract process: If you decide to move on we will maintain close contact with you throughout the offboarding process to ensure quality of service from beginning to end. We will arrange a meeting to discuss the date you want to leave and outline the steps we will need to take in order to provide you with an export of any data required. Our Change Control Procedure outlines the process we would follow including; migration of any data, decommissioning your service, liaison with other suppliers (if required) and issuing final invoices. Usually, the off-boarding process will take a few weeks.

Using the service

• Web browser interface: Yes
• Using the web interface: Our Support Helpdesk can be used by all clients to view, manage and respond to support tickets across their organisation.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: Testing completed by our support software provider Zendesk.
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: All sites are served via a world-class Content Distribution Network, ensuring our service can cope with significant increases in demand. As part of our dedicated hosting tier, we have strict separation of customer instances, ensuring an increase in demand from other users of our Mixd Managed Hosting service does not affect your site.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Our underlying infrastructure is provided by Google Cloud. Google Cloud adheres to numerous independently validated privacy, data protection, security protections and control processes, and is responsible for the physical security of the hardware powering its services. We rely on them for management of physical media. Where appropriate, we also add layers of logical encryption to our services; for example, to protect backups at rest and information in transit.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • WordPress core files
  • WordPress themes
  • WordPress plugins
  • WordPress file uploads
  • Database
• Backup controls: The service is automatically backed up daily. Should you require a custom backup service, please get in touch to discuss your needs.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We provide a 99.99% uptime SLA. We provide a service credit of 3% of the monthly fees paid for any period of downtime longer than 1 minute (this is calculated in 30 minute blocks, so, 1-30 minutes of downtime equates to a 3% credit).
• Approach to resilience: Mixd Managed Hosting is designed to be extremely resilient. All hosted clients benefit from multiple layers of caching, daily backups with the ability to quickly rebuild individual machines, load-balancing for redundancy which permits downtime-free continuous improvement and extremely straightforward scaling options where additional capacity is required.
• Outage reporting: Mixd Managed Hosting is comprehensively monitored. For any outage incident, we alert clients via email and conduct a post-incident review.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Support and management interfaces require a username and password login over HTTPS. WordPress Admin access is restricted to Mixd only.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 24/01/2024
• What the ISO/IEC 27001 doesn’t cover: Our certification covers all areas of the business and operations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Non-police personnel level 2 (NPPV 2)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our information security management system covers every aspect of Mixd's operations, including Mixd Managed Hosting. Day-to-day security decisions are managed by our Information Security Manager, who reports to the Operations Team. The effectiveness of the system is reviewed at least annually. We are also subject to an annual ISO27001 audit. We take a continuous improvement approach to all our internal processes as we learn lessons.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We control our configuration and change management processes through our ISO27001 and ISO9001 policies. We monitor announcements of issues related to the system-level and application-level components that we use and treat all security-related updates as high-priority work. We constantly monitor and improve the platform as we gain experience operating it, and we consider the security impact of our changes at all stages of our work.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We perform regular internal security testing and can optionally engage with third parties to perform application and network vulnerability assessments to assess any weaknesses and threats to our services upon request. We also regularly review and update security policies; provide our employees with security training; perform application and network security testing; conduct risk assessments; and monitor compliance with security policies. Our Disaster recovery and Business continuity policy is available on request.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We monitor a wide variety of metrics across our infrastructure. We also monitor for anomalous log events and review these alerts centrally. Our actions based on these events vary. Our most frequent action is to refine and extend our set of rules for dropping malicious traffic and/or generating bans for the originating IP addresses. As necessary, we also carry out investigations into underlying issues, and take appropriate remedial action. We respond to these issues as they arise during business hours, at the start of business hours for non-emergency alerts, and 24/7 for critical alerts.
• Incident management type: Supplier-defined controls
• Incident management approach: Following the initial incident response by our operations team, we carry out a post-incident review. This review is published internally and shared with clients when there is a client impact. The review identifies the nature of the incident, documents the initial response, explains the timeline and circumstances of the incident and lists agreed remedial actions. These actions are then fed into ongoing operations work. Users are able to report incidents via the support desk and are encouraged to use our emergency address and/or follow up by phone where appropriate.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: KVM and Kubernetes (K8s)
• How shared infrastructure is kept separate: For customers utilising shared plans, installs are logically segregated and attempts to access data outside of allowed directories are prevented and logged. Linux system access control and kernel level segmentation are in place to prevent executable code from one customer from accessing files of another customer. Premium solutions are on segmented private networks with isolated processing power, memory, disk space and system resources. WP Engine utilises AppArmor, a mature, widely-used, kernel-level access control system, that allows for the restriction of various operations, including filesystem, network, Inter-Process Communication, and others.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Mixd data centre partners focus on energy efficiency and continuous innovation in their data centres and their scale allows them to achieve higher resource utilization and energy efficiency than the typical on-premises data centre. In addition to the environmental benefits inherently associated with running applications in the cloud, they have a long-term commitment to achieve 100% renewable energy usage for their global infrastructure.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Mixd have published a Carbon Reduction Plan and are committed to achieving net zero emissions by 2030. Since 2022 we have a Carbon Reduction (CR) team supporting robust, ambitious climate change activity and accountability for meeting our reduction targets. Our environmental protection and improvement activities have broad focus, including: training and education events, internal and supplier audits, community awareness activity, accreditation activities, environmental improvement volunteering and an increasing focus on mindset shifts through concepts like 'conscientious coding' and design, where efficiency of code is viewed as a way to reduce carbon emissions. As further evidence of our commitment to reductions in greenhouse gas emissions, water use and waste-to-landfill, we: measure our emissions, including tools we use and hosting services for clients, through an independent assessor; promote low tech, carbon reduction strategies, offsetting where possible to clients, such as faster-loading websites; consider travel throughout contracts. We are experienced at working remotely and promote remote meetings by default; have launched initiatives for staff to reduce their personal carbon footprint, including a cycle to work scheme and electric vehicle (EV) scheme. We also encourage and support staff to minimise carbon emissions associated with working remotely including switching to green home energy providers and turning lights and appliances off at mains when not in use.

  Covid-19 recovery

  During the COVID-19 pandemic and recovery phase, Mixd offered its services for free to any public sector organisation that needed help developing websites to support the COVID-19 recovery phase. For example, we developed a WordPress COVID-19 communications platform that could quickly and easily be deployed for NHS Trusts, Clinical Commissioning Groups (CCGs), Councils and Police Forces across the UK. The goal was simple – design and develop a website platform that would facilitate clear communication.

  Tackling economic inequality

  We have diversified our hiring practices by recruiting talent at graduate and junior levels to nurture new skills. Since 2014, Mixd have worked with Universities across the UK to bring together young digital talent for an intensive three day event called Work in the Web which is focused on the skills and techniques that help students get a head start in our ever changing industry. Additionally, working directly with the University of Leeds and Leeds Beckett University has enabled us to create more job opportunities in the Northern region. We have made our job opportunities more accessible to those facing employment barriers by advertising on platforms that target underrepresented groups such as Ladies of Code. Flexible and remote working options are offered by default. Once individuals join our team, we support their skill development by providing a substantial learning and development budget, assisting them in obtaining recognised qualifications and identifying opportunities to create new roles during ongoing operational reviews. Contracts awarded under this framework will be used to create more employment opportunities for those facing barriers to employment. To enhance supply chain resilience and capacity, we collaborate with a diverse range of trusted partner organisations. This collaborative approach allows us to leverage market-leading expertise to solve client problems and increase our capacity and resilience in delivering services.

  Equal opportunity

  Diversity and equality are the cornerstone of our business, and we are fully committed to promoting both in all aspects of our work. We value people and want them to feel free to be themselves. We embrace each other’s differences, in gender, religion, beliefs, ethnicity, disability, age, sexual orientation, neurotype, nationality, and identity. We are diverse - like the people we build, design, and create for. We want to design and build inclusive services for all, fully empathising with all types of users and sharing and harnessing cultures and values often held by our clients. In practice, this means we: work to inclusive and accessible recruitment practices, and retention-focused activities: provide working conditions which promote inclusion and promote retention and progression: mask candidate data around protected characteristics to ensure fair/equal selection process with a broad range of accessible skill-based assessments available to identify candidates: conduct regular equal pay audits, reviewing and changing as appropriate and proactively create employment, re-training,and other return to work opportunities. Amazing things happen when we collaborate together. We work in the open and believe everyone’s voices should be heard. We recognise individual needs and aim to provide a work environment that is accessible, welcoming, and empowering for all. We want everyone to feel supported and included in our wider community. We’re committed to being transparent with our diversity information and regularly assessing the impact of all our policies and practices. Our approach is set out in our Equality and Diversity Policy.

  Wellbeing

  We provide support for our team's wellbeing and professional development, including an annual learning and development budget (£1000) and paid support for professional qualifications/study leave, as well as personal wellbeing measures such as eyecare and paid time off for COVID vaccinations. We offer flexible and part-time working options, office modifications for accessibility and mentoring opportunities. To monitor and evaluate our team's wellbeing, we empower line managers and delivery leads to check in regularly with their staff, encourage a sustainable working pace and conduct weekly line management check-ins and daily project standups to address issues promptly. Additionally, we provide a dedicated online space for discussing wellbeing, where individuals seeking help receive support from their manager, teams and HR. We also monitor the uptake of wellbeing benefits through our HR tools and measure company-wide sentiment through quarterly surveys, using anonymized data to inform the evolution of our HR policies.

Pricing

• Price: £120 a unit a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@mixd.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.