Cyber-Duck

AWS Managed Hosting and Support

We offer an AWS managed hosting service and 24/7 premium support for government bodies requiring P1 SLA and support. We ensure your platform runs in a cost-effective and resilient manner, making use of the cloud’s auto-scaling and automated provisioning.

Accredited for ISO 27001, we guarantee the confidentiality, availability and integrity of your data.

Features

  • Auto-scaling cloud hosting to handle traffic peaks
  • Infrastructure as Code with multi-availability zones cloud hosting
  • Pay-as-you-go cloud hosting
  • Redundant file storage
  • Structured and unstructured database as a service
  • Cloud backup with point-in-time restore
  • Data encryption (at rest and in transit)
  • Automatic cloud infrastructure patching
  • Multi-AZ deployments
  • Fully managed migrations to AWS

Benefits

  • Redundant hosting configuration
  • No single point of failure
  • ISO 27001 and Cyber Essentials Plus compliant hosting service
  • GDPR compliant hosting setup
  • 24/7/365 proactive monitoring and P1 support
  • Fully-managed cloud hosting services
  • Scalable hosting system
  • Secure hosting infrastructure
  • Low total cost of ownership
  • Reduced environmental impact with sustainable hosting available

Pricing

£450 to £1,500 a unit a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at CD-Tender-Team@cyber-duck.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

417636794138617

Contact

Cyber-Duck Matt Gibson
Telephone: 02089530070
Email: CD-Tender-Team@cyber-duck.co.uk

Service scope

Service constraints
No specific constraints for our service. We follow guidelines and best practices in the configuration, deployment and support/monitoring of your service from the underlying hosting providers (AWS, Azure, Acquia...)
System requirements
N/A

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary depending on the severity (urgency) of the issue:
Severity 1 (most urgent) - 2 hour maximum response time
Severity 2 - 24 hour maximum response time
Severity 3 - 24 hour maximum response time
Severity 4 (least urgent) - 24 hour maximum response time

Out of hours and weekend support is available at additional cost, and would follow the same structure.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Service Level Agreement:
Urgent issues - Response within 2 hours, resolution within 24 hours.
High priority issues - Response within 24 hours, resolution within 5 working days.
Normal issues - Response within 24 hours, resolution within 2 weeks
Low priority issues - Response within 24 hours, resolution within 4 weeks or next major deployment.

Cost: per our rate card.

Resource: Quality Assurance Analyst to manage the issue and relevant engineer from our technical team to resolve the issue. Free account management is also provided.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Following our ISO 27001 and other relevant InfoSec certifications, we will run a discovery workshop to design your cloud hosting solution. This will include specifying the redundancy, backup, auto-scaling and data retention policy of the hosting infrastructure.

Once deployed, we can provide online training, user documentation and monthly reports on your cloud hosting service.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Depending on the underlying web hosting provider, we recommend handing over the hosting account (master credentials & billing) to your team at the end of the contract, to take everything over "as is".

We can also support the handover by extracting all assets stored on your cloud hosting solution for a migration to another platform.
End-of-contract process
Transferring the technical and billing contact of the cloud hosting provider to your team is included in the contract.

Any training, data and assets migration or termination of services would need to be scoped and quoted for.

Using the service

Web browser interface
Yes
Using the web interface
We rely on the web interface provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Web interface accessibility standard
None or don’t know
How the web interface is accessible
We rely on the web interface provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Web interface accessibility testing
We rely on the web interface provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
API
Yes
What users can and can't do using the API
We rely on the API provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation
Yes
API documentation formats
HTML
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
We rely on the CLI services provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
We set up each hosting account individually with no shared resources between users.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
AWS, MS Azure, Gov.UK PaaS, Acquia

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Web server instances
  • Databases
  • File storage
Backup controls
Users will be able to control backup using the features provided by the underlying hosting providers. Our team will take full ownership of this service and provide SLA, support, upgrade and 24/7 monitoring for all cloud-related infrastructure and services.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We rely on the SLA provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia) which is usually at least 99.99%. We also guarantee P1 response time within 30 minutes.
Approach to resilience
We rely on the resilience provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Outage reporting
We report service outages by email alerts by default. We can deliver custom workflows into back-office systems or other internal tools.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
As per our ISO-27001, we enforce MFA and group policies for access to all management interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
22/08/2016
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
ICO - Tier 1

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO-27001 and Cyber Essentials Plus certified.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We rely on the change management approach provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
For all infrastructure assets, we rely on the vulnerability management provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We rely on the protective monitoring approach provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We rely on the incident management provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia). We also provide an additional layer of reporting and management aligned with our internal ISO 27001 policies. Such incidents can be triggered by our automated monitoring or raised by users via our email or phone helpdesk system. Once the incident is resolved, we provide a full root cause analysis in a post-mortem report.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
AWS, MS Azure
How shared infrastructure is kept separate
We rely on the virtualisation provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia)

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
We rely on the compliance provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia) such as https://aws.amazon.com/compliance/cispe/

Social Value

Fighting climate change

Cyber-Duck is ISO14001 certified, and has published a detailed Carbon Reduction Plan, available on our website.

We have set a target of being Net Zero by 2035 for greenhouse gas emissions and, as part of our Carbon Reduction Plan, report on progress annually.

We provide staff with support for purchasing electric vehicles, and encourage staff to use public transport where feasible. We also offer staff the opportunity to sign up to the Cycle to Work Scheme.

We operate a hybrid working policy, with staff working remotely the majority of the time. Face to Face meetings and office days are planned in advance, and where meetings can be done remotely, this is encouraged.

Another action we take to reduce the carbon footprint of our business is how we manage file transfers. Emailing large attachments to multiple recipients consumes a lot of energy, and in our line of work we can send large design files or presentation documents. Instead, we host documents on a central repository, such as DocSend for sales materials, and only send a link to the recipient, saving a considerable amount of energy.

Finally, we work proactively with our clients to support them in their own missions towards Carbon Net Zero. We do this by ensuring their websites and other digital products are hosted on architecture that is powered by renewables, and by optimising the user journeys and flow of data, we can cut the amount of energy dedicated towards powering our products.
Covid-19 recovery

Cyber-Duck is committed to supporting both staff and the wider community in recovering from COVID-19. To that end we have developed robust procedures to maintain operational capabilities whilst ensuring staff are supported both in their day-to-day work and in their emotional and physical wellbeing. This includes:

1. Providing new employment opportunities regardless of location. We employ people based on talent, skillset and compatibility with our community, regardless of location. We operate hybrid and remote working, and ensure all staff have the tools required to work to their full capacity.

2. Support for those affected by COVID, and those shielding. As a hybrid company, we can facilitate remote working for those who are vulnerable. Where in-person meetings can take place, social distancing is supported where possible. As a global organisation, all meetings are virtual and we facilitate those at risk through providing the tools to join remotely.

3. Supporting businesses and clients by offering fully remote capabilities including support for new and unfamiliar ways of working. Every member of our team is trained in working remotely, and we are tech-agnostic, meaning we work with the tools best for our client.

4. Supporting physical and mental health of those affected by COVID-19 through well-established policies and procedures. All Senior Management and Leaders are trained Mental Health First Aiders, and we also offer all staff access to counselling, gym memberships, and support to maintain physical health.

5. Improving workplace conditions through supplying staff with all relevant required tools, including laptops, additional screens and funding to set up home offices as required. We also offer sustainable travel solutions including support for staff in purchasing electric vehicles, and providing access to the Cycle To Work scheme.
Tackling economic inequality

In line with Cyber-Duck’s Diversity & Inclusion (D&I) Policy, Cyber-Duck has implemented a Gender Pay Gap policy and will voluntarily produce a Gender Pay Gap report from next financial year: introducing transparency to promotion, pay/reward processes. We will calculate the difference between the mean/median/hourly rate paid (salary/bonus) for all full-paid relevant employees, accompanied by the banding, to male/female employees.

Within 6 months of calculating our gender pay gap statistics, we will develop an action plan to be applied in the following 12 months, aiming to reduce or remove any pay/promotion disparity. Wherever possible, the plan will contain actions which have specific targets or timelines that can be objectively measured. Cyber-Duck is proud to already be an Accredited Living Wage and London Living Wage employer.

We hire staff that are the mutual best-fit, in terms of culture and expertise, regardless of their background or circumstances. HR and Line Managers create adverts that clearly explain the role and our inclusive culture. We ensure equality/accessibility, without discrimination, to work opportunities for those with protected characteristics.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales, Girls in AI, London Pride, AXSChat, and 1,000 Black Voices.

Our end-to-end process for Learning & Development is integrated with our HR systems, to ensure it’s part of our team’s day-to-day. It includes previous (30%); on-the-job (40%); CPD (20%) and specialist external training (10%).

We’re always looking to improve our male/female balance (67/33%) and diversity: 13% of our team are black, 27% are “Black Asian and Ethnic Minorities”, 31% are white (non-British), and 42% are white (British).
Equal opportunity

Cyber-Duck applies its Diversity & Inclusivity Policy that explores how we can safeguard protected characteristics like gender. We’ve committed to the Miscarriage Association’s Pregnancy Pledge, ensuring we have supportive policies around pregnancy-related leave including pregnancy loss and illness, and the Menopause Policy, raising understanding for health challenges caused at that time.

HR and Line Managers create adverts that clearly explain the role and our culture of inclusivity. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales and Girls in AI.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/assessment tasks/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities.

We have implemented a Gender Pay Gap policy, introducing transparency to promotion, pay/reward processes. We calculate the difference between the mean/median/hourly rate for all full-paid relevant employees, accompanied by banding, to male/female employees, which determines actions aimed to reduce or remove any pay/promotion disparity.

We are members of the International Association of Accessibility Professionals and are expert in providing digital services utilising assistive technologies. We are also members of the Royal National Institute of Blind People, and have provided training to staff on ways to ensure accessibility and inclusivity is at the forefront of all day to day operations.

We monitor progress using Progression App, enabling leadership to identify areas where staff require additional support, including assistive technology and measures, to enable staff to carry out their duties and progress to higher paid roles within Cyber-Duck and develop new skills. We are passionate about supporting our staff, contractors and the people we work with and these measures ensure that no one from protected characteristics, disability, disadvantaged or minority backgrounds is held back from achieving their full potential.
Wellbeing

Focusing on health and wellbeing is especially important to Cyber-Duck. We hold a weekly company-wide townhall with all staff, openly sharing news and challenges together. We also use it as a safe space for open dialogue and active listening on internal or external topics affecting the team.

Mental health is very important to Cyber-Duck; 15% of Cyber-Duck’s team, including most of the company’s senior management team, are certified mental health first aiders, trained by MHFA England. This means they are familiar with the signs of poor mental health, and are competent and confident in assisting with a mental health problem in a non-judgemental way.

We have implemented a Mental Health Policy which includes an active employee toolkit and references to external guidance. Measures include: Encouraging audio-only walking meetings, encouraging team members to take breaks and go for walks, and offering flexible working hours.

We monitor the team’s well-being through FridayPulse, a platform that uses NPS-style Happiness KPI functions, team building tools, culture profile and predictive people analytics.

Using the FridayPulse platform, each department holds weekly meetings to discuss social and emotional well-being. Line managers also hold monthly 1:1 meetings to build deep and qualitative feedback loops with their teams. Our CIPD qualified HR team also regularly meets with staff to support them in an impartial manner.

Voluntary reporting mechanisms on wellbeing/mental health are shared via HiBob, our second HR platform, every quarter. Environment questions explore whether staff’s work environment is comfortable, enabling effectiveness and productivity; if they had the equipment and resources required; and whether their setup is conducive to healthy remote working in the long-term.

Employees have access to benefits such as the Healthcare cash plan that rewards healthy living habits such as exercise or meditation; access to counselling, doctors, and resources; gym memberships; remote mindfulness and yoga sessions.

Pricing

Price
£450 to £1,500 a unit a day
Discount for educational organisations
Yes
Free trial available
No
