Drupal security updates
We'll keep your Drupal application secure with regular updates of both core and supported modules. Single monthly fee per Drupal core. Automated monitoring for update releases. Hands-on process to apply relevant updates and ensure your site isn't adversely affected. Approval stage before deploying to align updates with other development activity.
Features
- Fixed monthly fee per Drupal core
- Emergency Drupal security updates implemented immediately
- Other updates within 5 or 30 days depending on severity
- Service Desk for update notifications and testing feedback
- ISO 9001 and ISO 27001 certified systems
Benefits
- Consistently protect your site from threats and vulnerabilities
- Save your internal team by outsourcing basic maintenance
- Quality assurance testing ahead of deployment to production
- Access information and security advice from Drupal experts
Pricing
£300 an instance a month
Framework
G-Cloud 14
Service ID
3 6 7 2 6 8 1 6 2 2 9 2 2 1 1
Contact
Code Enigma Limited
Greg Harvey
Telephone: 020 3588 1550
Email: sales@codeenigma.com
Planning
- Planning service
- Yes
- How the planning service works
-
While our support and managed services are largely standardised, we’ve learned as an agency that one size doesn't always fit all. So as part of any engagement with a new client there are key planning activities we'll conduct:
Onboarding - It’s important we understand the objectives of the applications we're supporting. The Onboarding meeting is an opportunity for the team to discuss details, agree on the approach, structure, governance and processes.
Responsibility - We’ll make sure that we know who within your organisation has been delegated decision-making responsibility, and who to go to for sign-off. This will smooth the delivery of work and responses to requests.
Communication - While our Service Desk is the main communication tool between Code Enigma and clients, we'll also establish other touchpoints. We'll schedule regular Service Reviews between you and our account management team. This is your opportunity to provide feedback for us to gauge how effectively we're delivering your services. We'll ensure we remain aligned with your objectives, and can anticipate and adapt to any changes that may be on your horizon.
- Planning service works with specific services
- No
Training
- Training service provided
- No
Setup and migration
- Setup or migration service available
- Yes
- How the setup or migration service works
-
We'll start by auditing the application to be supported. We'll look at performance, state of the Drupal application, and integration points. We audit for code compliance against Drupal standards and for performance using New Relic, along with load testing.
We can only support Drupal sites using version control, preferably Git, so we'll audit how version control is being used. We'll formulate a plan for moving the application into version control using either a Git provider of your choice or our own GitLab service.
In this instance, we'll install our open source Drupal deployment scripts onto a dedicated utility server and configure GitLab to execute them with its built-in continuous integration tools. These scripts provide full release devops, so all developers need to do is commit their code and Jenkins takes care of the rest.
We'll then test the application within a multi-stage deployment environment, including backups. Once we are confident about application stability, we will formulate a plan for going live within the new environment, particularly around DNS management.
- Setup or migration service is for specific cloud services
- No
Quality assurance and performance testing
- Quality assurance and performance testing service
- Yes
- How the quality assurance and performance testing works
-
An updates process will be agreed with you and documented on our Service Desk project overview, and in our relevant technical documentation wiki. This must detail which of your team will be responsible for testing and approving security updates, and when they should be deployed.
We can also audit and fix vulnerabilities in any custom code you use on your website, helping reduce the security risk. All our developers are familiar with common vulnerabilities, referring to the OWASP Top Ten as a bare minimum. Drupal coding standards are also available, as well as specific documentation for writing secure code for Drupal. We use tools such as Nightwatch for functional testing, BrowserStack or LambdaTest for browser/device compatibility, and axe DevTools and Lighthouse for accessibility testing.
If you want to further streamline the process, we can help you write automated tests to comprehensively check your site’s functionality after updates have been applied.
Security testing
- Security services
- Yes
- Security services type
-
- Security risk management
- Security incident management
- Security audit services
Ongoing support
- Ongoing support service
- Yes
- Types of service supported
-
- Buyer hosting or software
- Hosting or software provided by your organisation
- Hosting or software provided by a third-party organisation
- How the support service works
-
We constantly monitor the Drupal security page (and other dependencies like Symfony), apply relevant updates, ensure your site is performing well, then pass it back to you for final approval before deploying.
If the creator of a Drupal module makes changes to it, we'll update it for you.
Wherever we can, client applications are added to our automated updates service (using Codario) to automate the security update process as much as possible. This enables us to commit to implementing security fixes within 5 or 30 days depending on their severity.
In the event of highly critical security updates, Code Enigma may decide to live patch applications directly before following the usual update process. This will always be evidenced through issues raised in the Service Desk and communicated with you.
Service scope
- Service constraints
- We can only support sites using version control. Clients and their services are required to conform to our ISO 27001 information security policies. We work as a distributed team so will not normally work onsite. We're unable to support Windows servers on any hosting platform. We're Debian Linux specialists; infrastructure running other versions may require migration to a new server. Security in our hosting service is a shared responsibility between Code Enigma, Amazon Web Services (or other hosting provider), and the client.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Our Service Desk is available 24/7 for users to submit issues, requests and report incidents. Our UK/EU based team is available from 8am to 6pm (UK). We endeavour to respond to support tickets within one working day.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- Our web chat tool, Mattermost, is WCAG 2.0L compliant. For meeting Web Content Accessibility Guidelines 2.0 (WCAG), Mattermost has received a third-party “A” rating and is working towards an “AA” rating. https://docs.mattermost.com/overview/compliance.html#accessibility-compliance
- Web chat accessibility testing
- None.
- Support levels
-
All clients have access to the same level of support and Service Level Agreement.
Code Enigma provides all clients with secure, authenticated access to our management dashboard. From this, you’re able to manage your users, access instant chat services, view live systems status dashboards and use our secure file sharing.
This also enables access to our Service Desk, which is based on the open source issue management tool Redmine.
Our Operations team oversees contract and relationship management for all clients, including scheduling and chairing regular service reviews. These are an opportunity to review and discuss any key issues/incidents, improvement suggestions/requests and problem/root cause analysis. They are also an opportunity for qualitative feedback on how we deliver our services. The frequency of these reviews is agreed with you, but we typically meet with clients monthly.
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- NQA Certification
- ISO/IEC 27001 accreditation date
- 30/08/2023
- What the ISO/IEC 27001 doesn’t cover
- Areas of HR and Finance teams that deal with company data
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Tackling economic inequality
- Wellbeing
Fighting climate change
We choose to base many of our services on AWS due to their commitment to be net zero by 2040. We review the data centres we use against the Green Web Foundation's hosting directory (https://www.thegreenwebfoundation.org/directory/) to look for opportunities to minimise our environmental impact. AWS' approach differs from most other green hosting companies in that it is not only based on offsetting, carbon credits, and tree planting, but also significant investment in renewable energy schemes internationally. We are exploring the prospect of using company funds to subsidise “green” home improvements for our UK employees (replacing gas boilers with heat pumps, solar panel installation, insulation improvements etc.). We reviewed our banks against https://switchit.green/ and have closed our account with HSBC. We currently bank with the Co-Operative, Nationwide, and an investment bank in the North of England, and are investigating Unity Trust and Tide because of their ethical and sustainable approach to banking. We are also official partners of the Eden Reforestation Projects https://www.edenprojects.org/partners?search=Code+Enigma
Tackling economic inequality
Code Enigma is proud to be an ethical employer. It’s rooted deep in our values to be fair and open. That’s why we’re members of the Living Wage Foundation in the UK and also signed up to the Prompt Payment Code.
We have a dedicated training budget per head, enabling our employees to invest in themselves with supported time off in order to obtain further skills in their chosen field.
We are also experts in open source software; we invest heavily via both our time and our mission fund to ensure free software flourishes, which is a major way out of poverty in both the developed and developing world, providing free tools to allow people to train and learn new skills.
Wellbeing
Our company Health & Safety, Dignity at Work, and Diversity & Equality policies are coupled with private health cover for our staff - committed to helping them get the help they need when they need it.
Pricing
- Price
- £300 an instance a month
- Discount for educational organisations
- No