Platform.sh Limited

Platform.sh Cloud Application Platform (PaaS)

Platform.sh is a cloud hosting Platform-as-a-Service supporting PHP (Drupal, Symfony, Laravel etc), NodeJS and several other languages including a highly optimised/flexible development/deployment process. Clients are making 20-40% project savings. It allows you to host web applications on the cloud while making your development and testing workflows more productive.

Features

• Fleet management. Manage/update thousands of sites with little effort
• Scalable, triple redundant architecture offering guaranteed 99.9 or 99.99% uptime
• Integrated/Bundled CDN
• Support for PHP, Drupal, Ruby, Python, NodeJS, Java and more
• UK datacentre and other European sovereign clouds: AWS/GCP/Azure and more
• Automated workflow, effortless integration with GIT
• Automated, unlimited environments (dev, stage, etc) based on git branches
• High level of automation, effortlessly. Devops becomes NoOps
• Capability to automate application updates at scale
• Instant cloning for new environments and git service integrations

Benefits

• Manage/update fleets at any scale. Hundreds or thousands of websites
• Proactive scaling, uninterrupted live service, 6-384 CPU's in <10 minutes
• Guaranteed enterprise uptime = 99.99% :less than 4 minutes /month
• Development & deployment workflow is regime change; developers love it
• <40% developer productivity improvements, no more DevOps
• 10-15x faster testing and UAT sign off
• 90-100% less DevOps and tickets
• New developer set-up time & new environment spinup 100x faster
• Deployment frequency improves from monthly to several times a day
• Manage sites in different technologies in a standardised fashion

£120 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris.cairns@platform.sh. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

336403966893091

Contact

Chris Cairns
07710 550259
chris.cairns@platform.sh

Service scope

• Service constraints: None
• System requirements: Git is required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: On Enterprise:; Urgent: 1 hr 24x7; High: 8 business hours; Normal: 24 business hours; ; On Elite:; Urgent: 45 min 24x7; High: 4 hours 24x7; Normal: 8 hours 24x7; ; Slack chat available during business hours. Enterprise support is 24/7
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Performed by the chat system provider - Slack. Slack has a dedicated accessibility team. See https://slackhq.com/designing-slack-for-everyone and https://slack.com/intl/en-gb/accessibility-plan
• Web chat accessibility testing: Users can use a screen reader for all functionality. Users have colour blind options Many other accessibility options. See https://slackhq.com/designing-slack-for-everyone
• Onsite support: Yes, at extra cost
• Support levels: Professional: best-effort support, no SLA.; Enterprise: 99.9% (grid) to 99.99% (dedicated) uptime guarantee, less than 1h guaranteed response times and more.; Elite: Same as Enterprise, with better guaranteed response times, includes account management and more (see table at pricing page or service description). Certain plans include the "Account Management service" at not extra cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Platform.sh provides a free trial, has online training, an extensive user documentation at https://docs.platform.sh, video tutorials, ready-to-use templates and onsite training is available for extra cost.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Customers wishing to terminate service can have all their data returned to them upon request, either via support ticket or via the CLI.
• End-of-contract process: Customer has full access to code and data which is 100% portable, no lock in. Renewal by default, cancelation at no charges with full data access. There is an off-boarding and exit plan period for no extra cost. Data is destroyed after customer is deprovisioned

Using the service

• Web browser interface: Yes
• Using the web interface: Synchronize files, databases, merge and branch environments, configure SSL certificates, domains, setup routes, environment variables, permissions, users, http access locks, deploy keys and much more.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: We have done testing in line with WCAG 2.1AA
• API: Yes
• What users can and can't do using the API: Anything that can be done in the web interface can also be done via the API, and more. Deployments, snapshots, integration setup, tunnels, project operations, uploads and more can all be done via the API. Our API is well documented.
• API automation tools:
  • Ansible
  • Chef
  • Puppet
  • Other
• Other API automation tools:
  • Jenkins
  • Circle CI
  • Anything that works with a GIT upstream
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
  • Other
• Using the command line interface: A single-line command can be used to install the CLI; Everything that can be done on the UI can also be done via the CLI, plus some integrations like Slack, Webhooks, managing backups, interact with the databases and issuing application commands

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Enterprise Dedicated deployments receive dedicated infrastructure. All other environments are containerised with resources being guaranteed by the allocator.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Key Transactions
  • Throughput
  • Error rate
  • Some custom metrics
  • Elastic APM / NewRelic / Tideways are compatible
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Volumes encrypted by default.; Third-parties guarantee protection
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • A snapshot of the full cluster in a single image
  • Includes all data and code
• Backup controls: Periodicity of snapshots can be determined by the customer.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: The only mechanism where data can enter and leave Platform.sh is via secure encrypted protocols unless the customer specifies otherwise (such as forcing HTTP on).
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Data transit is firewalled to only be accessible by expected and specified relationships. Each container is only able to communicate to explicitly defined relationship subjects

Availability and resilience

• Guaranteed availability: Enterprise Dedicated: 99.99% uptime guarantee, <1h guaranteed response times on P1 tickets. ; ; Enterprise: 99.9% uptime guarantee, <1h guaranteed response times on P1 tickets.; ; Professional: Best-effort; ; Enterprise Dedicated service credits: Greater than or equal to 99.99% - 0%; 99.99 to 99.9% - 3%; 99.89 and 99.8% - 5%; 99.79 to 99.7% - 10%; 99.69 to 99.5% - 20%; 99.49 to 97% - 33%; Below 97% - 50%; ; Enterprise Service Credits: Greater than or equal to 99.99% - 0%; 99.89 to 99.7% - 5%; 99.69 to 99.5% - 10%; 99.49 to 99% - 20%; 99 to 97% - 30%; Below 97% - 50%; ; Uptime calculation excludes the time the system is unavailable due to work being carried out to fix a technical malfunction inherent to our system, and/or to carry out a maintenance operation.
• Approach to resilience: Platform.sh is a highly available container grid; ; The grid is automatically self-healing. Any host that fails gets taken over by a healthy node; Any service that fails is automatically moved to a healthy host; Any unhealthy host is evacuated and the services move to a healthy host; The gateways are aware of the state of the underlying infrastructure and freeze traffic as failover happens; Grid hosts are aware of the state of services and do not run “deployment hooks” on services that fail-over, making failover quasi-instantaneous.; ; Platform.sh runs all of its underlying infrastructure in a highly available fashion. Every single element has a minimum of 3X redundancy.; Gateways;; Grid hosts;; Build hosts;; Coordinators;; Storage nodes
• Outage reporting: Outages are reported via our status page (https://status.platform.sh/) which is hosted off-site, as well as via the helpdesk and email for individual affected customers. Detailed incident reports are sent to afflicted customers after resolution. A full RCA is provided for customers with an assigned Technical Account Manager.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
• Other user authentication: IP-based; SSO is also supported for some service tiers
• Access restrictions in management interfaces and support channels: The project owner can assign roles to other accounts
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Risk3sixty, LLC
• PCI DSS accreditation date: 06/04/2020
• What the PCI DSS doesn’t cover: The OVH-FR-2 (France) region is excluded from our PCI and SOC2 certifications. More information at https://docs.platform.sh/security/compliance-guidance.html; ; Only Enterprise and Elite service levels are PCI compliant.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • CCPA
  • GDPR
  • BDSG
  • PIPEDA
  • Australia Privacy
  • HIPAA/HITRUST
  • SOC 2 Type 1
  • SOC 2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: A corporate governance framework is in place to ensure continuity and monitor quality of the Security Programs. The following groups are established to facilitate corporate governance: Board of Directors: Helps ensure oversight for management strategy and operations. Audit Committee: Helps ensure that an independent body can provide sound corporate governance in corporate matters. Governance, Risk and Compliance (GRC) Council: A GRC Council is established with members of the Executive team to help ensure that organizational risks are prioritized and addressed, accepted or transferred. There are also definitions for Monitoring, Architecture, Policy, Plan & Procedure Review and External Third Party Audits.
• Information security policies and processes: Platform.sh has a risk-based "Information Security Program". Various Risk Owners have been identified within their respective business units and must evaluate the likelihood and impact on confidentiality, integrity and availability and make a decision based on a predefined list of actions, and then document the results and distribute to key stakeholders Internally, access to systems is granted on the basis of the need-to-know principle. Users are given access only at the appropriate level required to perform their job functions. There is a strong information security policy defining the information classification, roles, responsibilities, data handling, risk management, security awareness, training processes, human resources, onboarding, security audits, logs, change management and more. The policies are ensured and enforced by the Corporate Governance Framework.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Software either tracks Debian upstream, and thus tracks that security schedule, or is deployed also via Debian packaging as our own packages. Change configuration management on servers is governed via Puppet. Internal security team assesses incoming patch risk and monitors upstream security channels.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: When vulnerabilities are detected, PSA notices are sent out to any customers who are potentially affected, including steps that we are taking, steps they need to take, and overall threat level.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Compromises would be detected by inspecting access logs, git commit histories. A found compromise results in quarantine actions for affected systems and replacement by clean builds, as well as analysis of access vectors used in attack. Response would be immediate following discovery.
• Incident management type: Supplier-defined controls
• Incident management approach: Process for comment events described in operational manual. User report incidents via helpdesk and/or Slack chat. Incident reports are provided via helpdesk which also triggers email delivery.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: LXC and KVM;Xen;Hyper-V depending on the infrastructure provider
• How shared infrastructure is kept separate: Enterprise Dedicated deployments receive dedicated virtual machines from the underlying IaaS (eg. AWS, Azure, or Orange VMs). Users on the containerised architecture have guaranteed/isolated resources and network spaces

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: https://aws.amazon.com/about-aws/sustainability/; https://cloud.google.com/sustainability; https://www.microsoft.com/en-us/corporate-responsibility/sustainability

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery

  Fighting climate change

  Fighting climate change; ; At Platform.sh we deeply care about the environment.; Climate change is real. And we’re committed to helping; minimize the effects of human activity on the environment by; promoting green hosting.; ; We have committed our support to a number of high-impact environmental agreements and initiatives, including the Climate Act and One Tree Planted.; ; PSH helps customers reduce carbon through improved operating models for their sites.; ; PSH is a highly dynamic container-based solution. Compared to running directly on generic cloud virtual machines, we can achieve unparalleled levels of density, while still guaranteeing resources to production and development environments.; ; PSH partners with infrastructure providers committed to improving their environmental footprints. As a multicloud provider, we offer our customers a choice of provider and region in which their workloads will run.; ; Our infrastructure providers have set ambitious goals for the next few decades. To meet them, they’re investing in green energy, like solar or wind farms.; ; Our orchestrator R&D project limits the necessary computing resources of cloud applications in real time. The orchestrator places workloads as close as possible to customers and allows customers to dynamically migrate their workloads to the most energy efficient providers and regions.; ; PSH has a fully remote workforce. Virtually all of our 250+ employees work from home and never need to commute to an office.; ; By skipping the daily commute, our staff greatly reduces their impact on air pollution, traffic congestion, and public transportation overcrowding.; ; With no need to provide office space for a vast majority of our workforce, Platform.sh conserves the energy that would have been expended in heating, cooling, and lighting our business facilities.; ; By enabling our employees to work from home, we lessen the intense demand for office space construction that has contributed to the rise in CO₂ emissions.

  Covid-19 recovery

  Please find our positions here in the following blog posts:; https://platform.sh/blog/2020/supporting-drupal-covid-19/; https://platform.sh/blog/2020/platformsh-covid-19-response/

Pricing

• Price: £120 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We offer a free one-month trial for Platform.sh Standard with no further commitment required.; After one month users can either terminate their trial or convert to a paid package.
• Link to free trial: https://accounts.platform.sh/platform/trial/general/setup

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris.cairns@platform.sh. Tell them what format you need. It will help if you say what assistive technology you use.