Secure UK-based Drupal managed hosting
Since 1998, The Positive Internet Company has specialised in Linux hosting services with extensive experience of the Drupal CMS. Positive owns and operates its green UK datacentre, providing performant, 24/7-monitored, tailored managed platforms with stringently audited security.
Positive focuses on enterprise-grade highly-available secure private cloud solutions with data sovereignty guaranteed.
Features
- Dedicated account manager for all services
- Proactive consultative performance and security
- 24/7 monitoring, response and full patch management
- Highly-scalable private cloud
- Support agile languages including PHP, Ruby, Python, JavaScript, Perl
- Full CMS management including Drupal, WordPress, Magento, Laravel
- 24/7 ticket and phone support
- 99.99% availability SLA
- All data stored and hosted in the UK
- Automation tools for easy deployment
Benefits
- Fully managed environment lets you focus on your core missions
- Fully managed service removes responsibility for hardware and software
- Immediate human response to any alerted issue
- Resilient dedicated hosting on custom-designed hardware
- Secure UK-based company, management, engineering and technical team
- Trusted advice from industry veteran, founding gold-sponsor of Debian LTS.
- 20+ years of expertise in the full Open Source stack
- 100% green renewable energy hosting
- Unlimited 24/7/365 support with on-site technical experts
Pricing
£250 to £10,000 a server a month
- Education pricing available
- Free trial available
Framework
G-Cloud 13
Service ID
301509539643424
Contact
The Positive Internet Company Limited
Managed Services Team
Telephone: 0800 316 1006
Email: gcloud@positive-internet.com
Service scope
- Service constraints
- N/a
- System requirements
- GNU/Linux platforms preferred
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- 24/7 online ticketing support. Three working-hour support reply promise for non service-affecting issues. Fifteen minute response-time for service-affecting issues. Immediate escalation via telephone always available.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AAA
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
-
Positive provides unparalleled consultative support: from design to ongoing management of the network, platform, operating system and architecture, security, backups, monitoring and 24/7 response. All support costs are fully inclusive. Positive will also assist with application support and optimisation as appropriate.
Contactable via email, 24/7 phone and portal. Dedicated account manager and direct availability to all on the technical team, including platform architects, security experts, networking team, RDBMS specialists and CMS consultants.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Positive provides full onboarding services via our 63-point bespoke provisioning process, including deep-dive discovery of technical, stakeholder and business requirements, with onsite meeting. This is followed by managed migration which includes replicating the existing environment, parallel running and tuning it, and finally migrating the service to the new live platform. Finally, Positive produces internal and external documentation and training materials as appropriate.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- In full compliance with the GDPR and related legislation, we provide all requested data from our services once the contract ends, in the formats requested. We support all open formats.
- End-of-contract process
- We will always work to avoid any vendor locking, and to provide reasonable planning, cooperation and assistance to achieve a smooth transition/exit. At the end of a customer's contract, we are happy, if this is requested, to roll over into rolling 90-day terms as required for the fluid decommissioning process.
Using the service
- Web browser interface
- Yes
- Using the web interface
- We provide full access to all ongoing support tickets and other services on request.
- Web interface accessibility standard
- WCAG 2.1 AAA
- Web interface accessibility testing
- Our interfaces have been used successfully in production by those using accessibility assistance
- API
- Yes
- What users can and can't do using the API
- We support all open deployment services to our customised cloud platforms.
- API automation tools
-
- Ansible
- Chef
- Puppet
- Other
- API documentation
- Yes
- API documentation formats
-
- HTML
- Command line interface
- Yes
- Command line interface compatibility
- Linux or Unix
- Using the command line interface
- All functionality can be provided to every aspect of the service via SSH connections to the CLI, either as a normal user or root.
Scaling
- Scaling available
- No
- Independence of resources
-
We can provide fully-managed dedicated private clouds where all the infrastructure is completely under the control of a single client.
For cloud instances, we provide resource segregation.
- Usage notifications
- Yes
- Usage reporting
-
- Other
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
- Reporting types
-
- Real-time dashboards
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- In-house
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Hardware containing data is completely destroyed
- Equipment disposal approach
- A third-party destruction service
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Operating system images
- All applications and configuration
- All user data
- Database dumps
- Copies for versioning
- Backup controls
- We can provide a fully flexible backup schedule for every type of data or restoration requirement.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Users contact the support team to schedule backups
- Backup recovery
-
- Users can recover backups themselves, for example through a web interface
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Legacy SSL and TLS (under version 1.2)
- Other
- Other protection between networks
- SSH tunneling etc.
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection within supplier network
- SSH tunneling
Availability and resilience
- Guaranteed availability
- SLA guarantees 99.99% service availability, and includes pro-rata credits for any periods that fall under this guarantee, up to the monthly value of the service in question.
- Approach to resilience
- Positive Park has full N+1 resilience, so that no infrastructure component within the facility can cause a service-affecting outage. This includes fully redundant cooling and power (with multiple UPS, battery and generator backup, with multiple refueling arrangements). The network infrastructure is completely triangulated between London and Manchester so that no single path failure can cause a connectivity outage.
- Outage reporting
- Positive uses its own outage report system called SING, which allows clients to subscribe via email, API or social media feeds to outage announcements.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Management interfaces have IP-based restrictions, and then appropriate authentication and validation access, via PKI or strong usernames and passwords. All access is encrypted via SSL.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Devices users manage the service through
-
- Dedicated device on a segregated network (provider's own provision)
- Dedicated device on a government network (for example PSN)
- Dedicated device over multiple services or networks
- Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- NQA / UKAS
- ISO/IEC 27001 accreditation date
- 03/03/2022
- What the ISO/IEC 27001 doesn’t cover
-
Our ISO 27001 certification refers to the provision and support of hosting and colocation services at Positive Park data centre campus.
All aspects of the business align with these processes and procedures, though the focus of audit is naturally information security operations. Marketing and social media are not directly covered by the certification but nonetheless follow the same internal security best practices as appropriate.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- Full compliance with ISO/IEC 27001.
- Information security policies and processes
- ISO/IEC 27001
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Positive follows ITIL change management best practice. All changes are assessed for their impact and risk, and implemented through version-control configuration management. All changes are validated and assessed for service impact potential, with rollback and mediation steps determined before any such steps are undertaken.
All services and servers have a detailed log of activity and change control requests, which can be fine grained for the specific service and stakeholder expectation.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Positive utilises Debian GNU/Linux LTS, with rapid patching. As soon as a vulnerability is reported and patched, systems receive those patches. The benefit of LTS is that such patching is guaranteed over a number of years without any danger of unintended version upgrades. Positive is on the appropriate CERT lists, as well as embargoed zero-day announcement lists, so it can mediate known threats even before they have received an official patch. Positive will specifically monitor for trends in application exploits and leverage its knowledge to provide agile solutions to such threats.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
Positive NOC is staffed 24/7. Alerting and monitoring usually includes security and anomaly detection. Security issues are immediately escalated to the senior security team, who act appropriately based on the nature of the incident, up to and including the immediate segregation or even powering-down of affected systems for further analysis.
A range of security analyses are undertaken including file hashing comparisons, root-kit-detection systems and full log auditing. Once the scope of the incident is understood, patching, rollback or rebuilding as appropriate is undertaken before the system restore.
A full RCA is produced as soon as possible, within any agreed SLA.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Positive maintains formal incident response processes for common events. It encourages users to report incidents via the authorised ticketing system, or through the 24/7 emergency response number.
Incident reports are provided once the full information and amelioration data has been collated as a document released to the agreed account-holder. Further discussions and meetings are encouraged thereupon.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- KVM hypervisor
- How shared infrastructure is kept separate
-
Positive provides dedicated private clouds, with completely dedicated hypervisor servers, so that no infrastructure is shared between clients.
Positive can also provide VMs on its shared PosiCloud infrastructure, where full KVM compartmentalisation is enforced.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
-
Positive uses 100% green renewable energy in its Positive Park datacentre, as certified by The Green Web Foundation. It employs passive cooling systems wherever possible and uses energy-efficient CPUs and other components where the task allows for such. All lights are on PIR circuits. Deployed servers use energy-efficient drives and CPUs where appropriate for the service levels they provide.
All company vehicles are either electric or hybrid, and staff are required to use public transport wherever possible.
Social Value
- Fighting climate change
-
Positive uses 100% green renewable energy in its Positive Park data centre, which is certified by the Green Web Foundation.
Our commitment to sustainability goes beyond the selection of a renewable energy tariff and runs across all aspects of our operations.
For example, the Positive Park campus is ideally situated on the Cambridgeshire Fens - a region renowned as a leading centre for wind energy generation. Furthermore, the wind patterns across the flat plains enable the effective use of passive cooling systems, drastically reducing our dependence on power-hungry traditional air conditioning units.
We also use energy-efficient hardware; all lighting is on PIR circuits and deployed servers use energy-efficient drives and CPUs where appropriate.
Uniquely, the Positive Park campus is located on several acres of land reserved solely for sustainable practices. We set aside a large portion of the campus for wilding, creating an oasis which provides vital habitat for bees, butterflies, moths, birds, and other native flora and fauna that rely upon that ecosystem.
We also maintain a dedicated website with information about Positive’s commitment to fighting climate change specifically and the issues confronting the digital economy more generally at https://host.green. Finally, we are an industry-leader and public advocate for a more sustainable Internet, including participating in interviews with the BBC.
Pricing
- Price
- £250 to £10,000 a server a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- 30 day free trial of complete service.