Website Express Ltd.

Cloud Drupal Content Management System (CMS)

ISO9001/27001 certified Drupal 7 or Drupal 8/9 cloud hosted CMS for websites and digital services. Website Express' GDPR compliant Drupal CMS platform securely handles multilingualism, CRM, integrations, single sign-on, forms and workflow. The Drupal content management system is open-source, easy-to-use, yet powerful. Mobile, accessible and designed to your user’s needs.

Features

  • Drupal templates for mobile devices and different browsers
  • User centred, fully compliant and accessible to WCAG 2.1 AAA
  • Drupal mobile and browser based editing and administrator access
  • Drupal content versioning, audit and rollback
  • Drupal workflow – simple and complex user matrices
  • Drupal cloud hosting - Secure, fully managed UK based
  • Apache Solr powered search engine
  • Open Source, since 2009, complete high performance Drupal server stack
  • High performance with redis cache, PHP-FPM, Nginx and CDN
  • High security with server guard, WAF and IDS

Benefits

  • Drupal 6, Drupal 7 and Drupal 8/9 public sector experience
  • 24/7/365 support with direct Drupal developer access
  • Modular, extensible system - many secure Drupal extensions
  • Robust, proven Drupal functionality, tried and tested by governments worldwide
  • UK based agency, Drupal team and hosting provision. No freelancers
  • Extensive English/Welsh bilingual Drupal experience - Government and Education sectors
  • Anti DDOS measures and global CDN
  • Open source excellent value for money
  • Future proof with millions of sites already using
  • Fast page load times keep users engaged

Pricing

£525 to £1,800 a unit a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@website-express.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

300188903277147

Contact

Website Express Ltd. William Velasco
Telephone: 029 2000 4547
Email: info@website-express.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
If you'd like us to migrate or support an existing Drupal CMS, website or online application that has been built by another provider, we will first need to validate existing GDPR compliance, security, accessibility, usability and compatibility with a site audit.
System requirements
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times are agreed as part of an SLA.

Typical response times are:
Priority 1 - 1 hour
Priority 2 - 4 hours
Priority 3 - 8 hours
Priority 4 - 16 hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Yes, at an extra cost
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AAA
Web chat accessibility testing
Our open source web chat technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal project.
Onsite support
Yes, at extra cost
Support levels
Together with our fully managed hosting platform, we offer two support options. Your Website Express project manager will be your single point of contact for the duration of your support contract.

• Standard Support - Work is billed to the nearest 30 minutes and charged at our standard rates with no surcharges - £600 a day. Support will be provided during office hours, Monday to Friday, 9.00 to 5.30pm. For additional cover, see our 24/7/365 support offering below.
Support time is flexible and can be used for support or ad-hoc development requests.

• 24/7/365 Support - for clients who demand the highest level of service. This is 24 hours a day, seven days a week, 365 days a year and available as an addition to our Standard Support above. This level of support costs an additional £650 a month.

In the unlikely event of your website or application becoming totally unavailable, our support team will be notified and take immediate action 24/7 to identify and resolve the issue regardless of the support level.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide onsite training, user documentation and telephone support for client onboarding.

For complex onboarding, we also offer a paid bespoke service where we will perform the onboarding for you.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
We will provide full access to the CMS or application software code. We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.
End-of-contract process
We will provide full access to the CMS or application software code. We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.

This is all included as standard within the price of the contract. Additional support would be chargeable.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
A fully responsive mobile version is available for administration of the service with no limited features.
Service interface
Yes
User support accessibility
WCAG 2.1 AAA
Description of service interface
Full site administration is provided, including the ability to:
  • Create, clone, and migrate Drupal instances.
  • Verify sites.
  • Reset passwords.
  • Run scheduled tasks.
  • Create and restore backups on demand.
  • Disable or delete a site.
  • Run database updates.
These options may be limited by role.
Accessibility standards
WCAG 2.1 AAA
Accessibility testing
Our open source web technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal project.
API
Yes
What users can and can't do using the API
Drupal has many available open-source, off the shelf configurable APIs.

These include APIs for Authentication, Cache, Configuration, Database, Entity, Filter, Form, Javascript, Layout, Logging, Menu, Migrate, REST, Render, Routing, Services, State, Translation and Update management.

Full details can be found at: https://www.drupal.org/docs/8/api
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
You can pick and choose from a wide range of contributed modules to add functionality to your site, and from a wide range of contributed themes to change your site's appearance. These add-on modules and themes are also known as 'contrib', because they were contributed by members of our Drupal community, and are available on Drupal.org free of charge.

The service provides a selection of development and delivery options, each of which can be tailored to suit the buyer's requirements.

Scaling

Independence of resources
Each hosting unit is able to auto-scale up to 128 GB RAM and 24 CPU Real Threads. Fast SSD plus SAS 15K in RAID6 provide high speed and best reliability.

For large applications, any number of hosting units may be purchased to cover usual levels of demand, with automatic scaling of RAM and CPU for short load peaks beyond these limits.

Analytics

Service usage metrics
Yes
Metrics types
We provide you with full, transparent access to all project data and service reports. These are accessible in real time and are automatically sent at regular intervals (typically monthly).
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
A number of options are available depending on the nature of the site:

A) User dashboard - self download.
B) Admin user - download and send.
C) Developer - pull from database and send.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • SQL
  • Excel
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
The system is fully secured using HTTPS / TLS 1.3.

Connections made using insecure HTTP will be automatically redirected to HTTPS connections, and no insecure HTTP connections will be possible.

All system-level access to the hosting platform is via secure SSH and SFTP protocols over a private VPN.

Any client access is only accepted via secure SSH, SFTP and FTPS connections.

A strict 90-day password expiration policy is enforced for all accounts.

The system is protected by a firewall, CDN and web application firewall.

Additional access restrictions may be configured at the CDN level.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.98% for Standard Hosting
100% for High Availability Hosting

On a case by case basis, we offer service credits which are discussed as part of the contract process.
Approach to resilience
We monitor our Drupal platforms via HTTPS by checking a never-cached URI to confirm that it responds with the expected content, so that the uptime report gives accurate information on Nginx server, PHP-FPM backend and database server availability.

We never pause this monitoring, even during scheduled maintenance, which means that our real average uptime is 99.99% to 100%.

Our managed hosting provider runs its own fully redundant, diverse fibre connection BGP4 network (AS30827) on Juniper MX80 series carrier grade routers with direct connectivity to LINX and Tier-1 networks. Routers check all available networks and choose the quickest path. In the event of one Internet route failing, traffic is rerouted via alternative networks.

Our data centre provider has both ISO 27001:2013 Information Security and Business Continuity certification and ISO 22301 Business Continuity Management certification.

Local auto-healing is used to monitor and repair possible issues on the server, and this process runs every 5 seconds. If a web or database process becomes unresponsive, then it will be automatically restarted before an issue has time to develop. All issues are logged for further analysis and reporting if needed.
Outage reporting
Incidents (high error rates, unusual resource usage, etc) and outages (service failure, web site unavailable, etc) are reported directly to responsible parties via e-mail and/or text messages, as well as being reported to our internal monitoring system where teams can coordinate to resolve issues.

An API and public or private dashboard is also available upon request.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
A current username and password together with optional 2FA are required for access to our hosting systems.

Administrative connections may only be made over secured SSH or TLS channels.

It is impossible to have permanent access to your data (databases) - only temporary connections may be made while a concurrent and authorized SSH connection is open from the same IP address.

Access to filesystems is restricted via temporarily authorized and tracked SSH keys.

A password strength and rotation policy is in place and enforced.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
UKAS
ISO/IEC 27001 accreditation date
31/05/2021
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Sage Pay Europe
PCI DSS accreditation date
09/06/2018
What the PCI DSS doesn’t cover
Website Express does not hold the certification directly; however, Sage Pay Europe, our preferred online payment partners, have current Payment Card Industry Data Security Standard (PCI DSS) certification.
• PCI DSS
• PCI DSS v3.2
• PCI DSS v3.2 Level 1 Service Provider

We also integrate with other online payment providers, based on client preferences which can provide this certification for e-commerce functionality.

In addition, we can integrate GOV.UK Pay which uses payment processes that are fully Payment Card Industry (PCI) compliant.
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • ISO 9001:2015
  • Investors in People
  • ISO 22301:2012 BUSINESS CONTINUITY MANAGEMENT SYSTEM (Data centre provider)
  • Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
As part of our annual, audited ISO 9001 and 27001 systems, we have defined roles and responsibilities for information security, with overall responsibility being held by a Website Express Ltd. Director.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We follow a robust change management process which is audited annually under our ISO 9001 certification.

Changes are assessed for their impact and risk, and a process of continual identification, monitoring and review of the levels of IT services specified in the SLA ensures that quality is maintained.

All changes are implemented through a version-controlled configuration management system and progress through a series of automated and manual testing steps before being applied to the 'live' infrastructure.

This systematic and comprehensive approach ensures that changes to services are reviewed, tested, approved and communicated.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow the NIST Common Misuse Scoring System (NISTIR 7864). Each potential vulnerability is scored using this system by the Drupal Security Team.

The hosting platform (operating system, software, and applications) receives automated security patching for all software directly from the OS maintainers, with security patches applied as soon as they are available and have been tested on pre-production environments.

Alerts and newsletters are available from the maintainers, and technical staff monitor a number of respected advisory services for news.

Our Content Delivery Network provides a Web Application Firewall which is constantly updated to defend against newly released exploits.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Active web server monitoring blocks any IP address that is a source of DoS-like activity (too many connections in a very short timeframe): first temporarily for one hour, then permanently after many temporary blocks.

Strict firewall monitoring automatically denies access temporarily for one hour if it detects too many failed login attempts for SSH, SFTP or FTPS, a port scan or other exploits.

The Web Application Firewall will similarly deny access to known exploits.

Staff are automatically notified during any potential compromise and will take immediate action at the infrastructure or application layer.
Incident management type
Supplier-defined controls
Incident management approach
Policies exist within our SLAs that describe our response process for common events, with coordination and escalation available for non-standard incidents. Users report incidents through our service desk via ticket, web chat, email or telephone, and are kept updated with the progress and state of the incident throughout the event via the ticketing system. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Website Express Limited is committed to fighting climate change, reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods.

We recognise that our operations have an effect on the local, regional and global environment and that we have a responsibility to the environment beyond legal and regulatory requirements.

We will encourage customers, suppliers and other stakeholders to do the same.

This extends to all areas of our operations, including:
- Running our data centres and office on green energy from renewable sources
- Reducing our carbon footprint to a minimum by the extensive use of digital tools and collaborative technologies
- We work with our clients to maximise the sustainable nature of services we design and build for them.

Full details are available in our Environmental Policy which is available on request.
Covid-19 recovery

COVID-19 has exacerbated existing economic and social challenges, while also creating many new ones. Now more than ever, it’s critical that we help you respond to the demands you may be facing.

Throughout the pandemic, we will do everything in our power to aid the recovery of local communities and economies. This includes employment, re-training, return to work opportunities, community support, developing new ways of working and supporting the health of those affected by the virus.

Now more than ever, it’s critical that we make it possible for you to continue your operations and help you respond to the unique demands that you may be facing. Website Express has been in business for over a decade supporting the mission-critical work that keeps every organisation – especially those in the public sector – operational and successful. At this challenging time, you can count on us to support your organisation.

Our leadership team is meeting continuously to assess and appropriately respond to the crisis as it evolves. Of course, everyone’s health and welfare are a priority, as most of our employees are working from home. We have extensive online collaboration capabilities to help ensure business continuity and we’re working tirelessly to help everyone stay safe while at the same time continuing to serve you.
Tackling economic inequality

Social purpose is woven into Website Express' fabric. From creating new businesses and new employment opportunities to improving education and training, Website Express is committed to tackling economic inequality at the root. Our overriding vision is to help lower the unequal distribution of income and opportunity between different groups in society.

Our commitment to working with small, diverse, high-quality suppliers is an important aspect of our procurement vision. We endeavour, on a good-faith effort basis, to work with and develop small, minority, and women-owned businesses. The team is always looking for small and diverse suppliers that can deliver creative, high-quality products and services. Ultimately, our goal is to diversify our supplier base by encouraging these small and diverse suppliers to compete for business.

We strive to pay all our suppliers promptly and always before the due date of their invoices.
Equal opportunity

Website Express Ltd. recognises that discrimination and victimisation are unacceptable and that it is in the interests of the Company and its employees to utilise the skills of the total workforce.
It is the aim of the Company to ensure that no employee or job applicant receives less favourable facilities or treatment (either directly or indirectly) in recruitment or employment on grounds of age, disability, gender/gender reassignment, marriage / civil partnership, pregnancy/maternity, race, religion or belief, sex, or sexual orientation (the protected characteristics).

Our aim is that our workforce will be truly representative of all sections of society and each employee feels respected and able to give their best.

We oppose all forms of unlawful and unfair discrimination or victimisation.

All employees, whether part-time, full-time or temporary, will be treated fairly and with respect.

Selection for employment, promotion, training or any other benefit will be on the basis of aptitude and ability. All employees will be helped and encouraged to develop their full potential and the talents and resources of the workforce will be fully utilised to maximise the efficiency of the organisation.

Our staff will not discriminate directly or indirectly, or harass customers or clients because of age, disability, gender reassignment, pregnancy and maternity, race, religion or belief, sex, and sexual orientation in the provision of the Company’s goods and services.

In addition, full account is taken of any guidance or Codes of Practice issued by the Equality and Human Rights Commission, any Government Departments, and any other statutory bodies.

Full details are available in our Equality Policy which is available on request.
Wellbeing

Today, every UK business has a duty of care requirement to look after the health and safety of employees, including their wellbeing.

In light of this, promoting and protecting staff wellbeing in the workplace is important for every business.

Website Express recognise this and have developed a Wellbeing Policy which covers the following key areas:

Promoting mental wellbeing by:
- Providing information and raising awareness of mental health issues
- Promoting policies and actions that support mental wellbeing in the workplace
- Equipping employees with the skills to support their own mental health

Encouraging physical health by:
- Promoting physical activity across the business
- Supporting a healthy, balanced diet in the workplace
- Encouraging staff to drink 6-8 glasses of water a day

Management and leadership
- Equipping managers and leaders with the skills to: Identify and assist those with mental ill health
- Raising awareness of mental and physical wellbeing across the business

Offering support to employees by:
- Creating a culture that supports the wellbeing of all employees
- Offering help, support and guidance to those with a mental health issue
- Assisting those returning to work after a period of mental ill health

Supporting those coming back to work by:
- Making any necessary adjustments to the role/environment
- Establishing agreed recruitment practices
- Retaining and supporting staff who develop mental ill health

Full details are available in our Wellbeing Policy which is available on request.

Pricing

Price
£525 to £1,800 a unit a month
Discount for educational organisations
Yes
Free trial available
No
