Shaping Cloud

Microsoft Cloud Licences

Shaping Cloud Microsoft Cloud Licences allows you to purchase, provision and manage your Microsoft licences and Azure subscriptions directly from us. This offers customers an accessible route to software licenses, storage and cloud compute. In addition, we support customers with advice to get the best out of their cloud investment.

Features

• Office 365 / Microsoft 365
• Windows and End User Compute
• Windows Server and Microsoft SQL
• Azure Services with no minimum spend
• Instantly provision your licencing and cloud
• Optimise licences to match usage
• Managed service support
• Security services
• Public Sector and Education discounts available

Benefits

• Transparent pricing, with no hidden fees
• Flexible monthly or annual licencing
• Licence optimisation to get the most from your spend
• Access to Microsoft support
• Centralised subscription and licence management

£0.01 a unit a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@shapingcloud.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

432685673195973

Contact

SC Customer Relationship Team
01614085333
sales@shapingcloud.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: None
• System requirements:
  • Supported internet browsers
  • Hardware meets application requirements
  • Supported Operating System Versions
  • Support Database Versions

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We typically respond to questions within 30 minutes of asking them, or immediately depending on the method of contact and availability. For support services, we have standard SLAs available for working hours, or 24/7/365. The response times for this are defined with the SLA and depend on the categorisation and prioritisation of incident / query.; We also offer tailored SLAs for all clients - our response times are agreed with each client, defined in the SLA and are flexible according to your needs.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: N/a
• Onsite support: Yes, at extra cost
• Support levels: Our support arrangements are tailored to your specific needs, as our experience shows that no 'one-size' fits all requirements. We will discuss your customer support requirements (including the support/services, service levels, response times, communication channels and reporting) to agree your specific requirements for the services that you are looking for.; Our support methodology is based on the rigour of ITIL and the flexibility of Agile principles and a Dev Ops culture. A typical support team is led by a technical account manager who is responsible for day-to-day support and allocation of support requests to our engineers and technical specialists. This approach provides a resilient support service with sufficient cover to ensure all support requests are managed in an effective and efficient manner.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a range of on-boarding services to help organisations get started with the Microsoft product set, including:; ; - Cloud readiness assessment; - Strategy and business case development; - Cloud migration and transformation; - Optimisation; - Managed service
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Please see: https://docs.microsoft.com/en-us/search/?terms=data%20portability
• End-of-contract process: The amount of notification required to end the contract depends on the length of contract taken out and will be included in the call-off contract. At the end of the contract process, Shaping Cloud will support the organisation in extracting any data or moving to another supplier.; ; Customers are able to remove their data from Microsoft Services at any time through the same means they uploaded. Either over their network (internet or express route) or via the Azure Import/Export services. Also see https://www.microsoft.com/en-us/trustcenter/privacy

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: User experience will depend on device type.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Service interface will depend on the service accessed.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Please see: https://www.microsoft.com/en-us/accessibility/features
• API: Yes
• What users can and can't do using the API: Please see: https://docs.microsoft.com/en-us/windows/web/apis
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Please see: https://docs.microsoft.com/en-us/search/?terms=customisation

Scaling

• Independence of resources: Microsoft cloud delivers at a global scale. Correctly configured services and components scale to meet business demand. Please see: https://docs.microsoft.com/en-us/search/?terms=independence%20of%20resources

Analytics

• Service usage metrics: Yes
• Metrics types: A comprehensive list such as AD, Server, Service, Configuration Stores, Spring, Automation, Private Cloud, Batch, Workspaces, Accounts, Blockchain Members, Bot Services, Redis, App Firewall policies, Profiles, Roles, VM's, Storage accounts, blob services, file services, queue services, table services, pools, nodes, communication services, disks, container groups, registries, managed clusters. All metrics can be found here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Microsoft

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Customer are able to remove their data at any time through the same means they uploaded. Either over their network (internet or express route) or via the Azure Import/Export services. Also see https://www.microsoft.com/en-us/trustcenter/privacy
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • Various formats can be exported from the Microsoft product set
  • Shaping Cloud can support export requirements
• Data import formats:
  • CSV
  • ODF
  • Other
• Other data import formats:
  • Various data formats can be imported into the product set
  • Shaping Cloud will support data import work

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Microsoft secures data in transit with two layers of encryption. The primary method uses Transport Layer Security (TLS) 1.2 to encrypt all outgoing traffic from datacenters, ensuring strong authentication, privacy, and integrity. This is the default protocol and it is used universally within Microsoft's network. Additionally, an infrastructure-level encryption is applied using IEEE 802.1AE MAC Security Standards (MACsec) when Azure customer data moves between datacenters, across networks Microsoft doesn't control. This hardware-integrated encryption safeguards against physical interception with no impact on network speed, and is automatically enabled for all Azure traffic.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Microsoft’s approach to enabling two layers of encryption for data at rest is:; ; Disk encryption using customer-managed keys. You provide your own key for disk encryption. You can bring your own keys to your Key Vault (BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources.; Infrastructure encryption using platform-managed keys. By default, disks are automatically encrypted at rest using platform-managed encryption keys.

Availability and resilience

• Guaranteed availability: See SLA's for each service here https://azure.microsoft.com/en-gb/support/legal/sla/summary/?msclkid=0132c6f0a91b11ec927496d95a52a9a9
• Approach to resilience: Network reliability through intelligent software; Safe Deployment with AIOps ; Resiliency threat modeling for large distributed systems; Low and no impact maintenance ; For more detail please see https://azure.microsoft.com/en-us/features/reliability/#features
• Outage reporting: Microsoft Azure reports service outages through several channels to keep its customers well-informed. The primary tool is the Azure Status Dashboard, accessible at https://status.azure.com, which offers real-time status updates of all Azure services across different regions. For a more personalized view, customers can use Azure Service Health within the Azure portal (https://portal.azure.com). This feature provides tailored reports on the health of services used by a customer, detailed incident reports, and guidance for response actions.; ; Customers can also opt to receive email notifications through the Azure Service Health dashboard, which can be customized to alert them about issues affecting their specific services and regions. Additionally, Azure maintains RSS feeds that users can subscribe to for similar updates.; ; These mechanisms ensure transparency from Microsoft regarding Azure's operational status, allowing customers to stay informed about service health, maintenance schedules, and any disruptions affecting their operations.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Azure Active Directory is Microsoft’s multi-tenant cloud based directory and identity management service. Azure-AD includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management.; ; https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods?msclkid=b2a138a1a92d11ec918375623c320dc1
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman
• ISO/IEC 27001 accreditation date: 28/11/2023
• What the ISO/IEC 27001 doesn’t cover: The scope of the ISO/IEC 27001:2022 certification covers the Information Security Management System (ISMS) supporting Microsoft Azure, Dynamics 365, and other Online Services that are deployed in Azure Public and Government Cloud including their development, operations, and infrastructure and their associated security, privacy, and compliance per the statement of applicability version 2023.01.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 01/07/2022
• CSA STAR certification level: Level 3: CSA STAR Certification
• What the CSA STAR doesn’t cover: The scope of the CSA STAR certification is aligned to the scope of the ISO/IEC 27001:2013 Information Security Management System (ISMS) (certificate number 1729711-9) supporting Microsoft Azure, Dynamics 365, and other Online Services that are deployed in Azure Public and Government Cloud including their development, operations, and infrastructure and their associated security, privacy, and compliance and inclusive of the requirements and control implementation guidance of ISO/IEC 27701:2019 for a privacy information management system (PIMS) as data processor per the statement of applicability version 2022.01
• PCI certification: Yes
• Who accredited the PCI DSS certification: Coalfire Systems Inc
• PCI DSS accreditation date: 07/03/2024
• What the PCI DSS doesn’t cover: Service Scope is identified here https://servicetrust.microsoft.com/viewpage/PCI
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • FACT
  • FedRamp
  • NIST 800-171
  • FIPS 140-2
  • CCSL (IRAP)
  • CDSA
  • ISO 27001 (ISMS), 27017 (Cloud Security), 27018 (Personal Data)
  • SOC 1, SOC 2, SOC 3
  • 22301 (Business Continuity), 9001 (Quality Management)
  • See aka.ms/stp for all certifications

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
• Other security governance standards: Microsoft is EN 301 549, ENISA IAF, EU Model Clauses, UK Cyber Essentials Plus, UK NPIRMT, CIS Hardened images, SOC 1 Type 2, SOC 2 Type 2, ; Shaping Cloud is Cyber Essentials Plus and IASME certified.
• Information security policies and processes: Security is integrated into every aspect of Azure. Azure offers unique security advantages derived from global security intelligence, sophisticated customer-facing controls, and a secure hardened infrastructure. This combination helps protect your applications and data, support your compliance efforts, and provide cost-effective security for organizations of all sizes. For more information https://docs.microsoft.com/en-gb/azure/security/; ; Microsoft have policies for infrastructure security, physical security, availability, components & boundaries, network architecture, production network, SQL DB, operations, monitoring, integrity and data protection. For more information please visit https://docs.microsoft.com/en-gb/azure/security/fundamentals/infrastructure-availability

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Azure has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53, and others.; ; Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape. ; Please see https://www.microsoft.com/en-us/SDL/OperationalSecurityAssurance and https://www.microsoft.com/en-us/sdl
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability management recommendations focus on addressing issues related to continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities as well as minimizing the window of opportunity for attackers.; 1: Run automated vulnerability scanning tools; 2: Deploy automated operating system patch management solution; 3: Deploy automated patch management solution for third-party software titles; 4: Compare back-to-back vulnerability scans; 5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities; For more information https://docs.microsoft.com/en-us/security/benchmark/azure/security-control-vulnerability-management
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Microsoft Azure employs a robust protective monitoring system encompassing both security and operational stability. Microsoft Defender for Cloud enhances security by continuously assessing Azure resources against the Azure Security Benchmark, offering tailored recommendations and leveraging the Intelligent Security Graph for real-time threat protection. Concurrently, Azure's advanced monitoring technology integrates at multiple infrastructure levels, including components, data centers, and network backbones, to ensure operational health. This proactive monitoring detects performance deviations and potential disruptions, triggering immediate alerts for resolution. Together, these processes ensure Azure's environment is secure and operationally resilient, safeguarding against threats while maintaining service performance and availability.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Microsoft has developed robust processes to facilitate a coordinated response to incidents. ; • Identification – System and security alerts may be harvested, correlated, and analyzed. ; • Containment – The escalation team evaluates the scope and impact of an incident. ; • Eradication – The escalation team eradicates any damage caused by the security breach, identifies root cause for why the security issue occurred. ; • Recovery – During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.; • Lessons Learned – Each security incident is analyzed to protect against future reoccurrence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Consuming cloud services from the main hyper-scale cloud providers and being a part of their commitment to being carbon neutral by 2025 and carbon negative by 2030. Right sizing workloads in the cloud and regularly reviewing consumption further supports these targets and ensures minimum carbon footprint. As part of our engagement with any Customer, we are able to measure the reduction in carbon footprint as a result of adopting cloud services in preference to traditional technology. This supports each organisation in achieving their own plans to become net zero. We are a 100% cloud-based SME, with a minimal carbon footprint and a target to have a zero-carbon footprint by 2030 - so partnering with us also supports moving to a zero carbon footprint in your supply chain.

  Covid-19 recovery

  We are a UK-based SME who creates UK jobs. We have programmes to recruit from a diverse base, including career changers. We are already a diverse workforce and have targets to ensure we continue to be diverse. We are committed to supporting our Customers in the public sector with their plans to support help communities manage and recover from the impact of COVID-19. Use of cloud services ought to ensure your organisation is agile in the response to recovery. Right-sizing and optimising your use of cloud, which we can help you with, will ensure a sound investment of public funds - retaining as much funding as possible for deliver of public services and interventions such as Covid-19 recovery.

  Tackling economic inequality

  We are a UK SME with a diverse workforce. We recognise the benefits from having a diverse workforce and therefore target people from all backgrounds to work at Shaping Cloud. We support career changers and measure values and culture alignment along with career potential higher than formal education - ensuring equal opportunity for those from all economic backgrounds. We partner with a variety of organisations to provide digital training for those from diverse and deprived backgrounds – providing them with their first employment experience subsequent to this training. All our employees are paid above the Living Wage and receive additional benefits, such as private health - having a positive impact on themselves and their families and communities. All our employees receive training in digital as well as five days paid leave for learning every year. We pay all genders equally, according to merit.

  Equal opportunity

  We are a UK SME with a diverse workforce. We recognise the benefits from having a diverse workforce and therefore target people from all backgrounds to work at Shaping Cloud. We measure values alignment along with career potential higher than formal education and background - ensuring equal opportunity for those from all economic and racial backgrounds, as well as those who require additional support or technology in order to carry out their work effectively. E.g. individuals with visual, auditory, physical, speech, cognitive, language, learning, behavioural or neurological impairment, as well as the needs of those for whom English is not their first language. Our recruitment practices value each person according to their experience as well as their potential and do not discriminate in any way on the grounds of race, colour, religion, gender, or sexual orientation. All employees have a personal development plan and access to a personal coach to support them in their professional and personal development - ensuring everyone has equal opportunity for career progression. Each person's performance and contribution is reviewed at least annually, which includes 360 degree views, to determine whether they are ready for career progression. This career progression is awarded on the basis of readiness and not on the basis of a post becoming available or an individual line manager making that decision. In this way, every person has equal opportunity. Implementation of digital services requires consideration to ensure no user is excluded from using the service. This is all the more important with respect to public services. We support our customers with advice with respect to accessibility, and we tailor our solutions and services to our client’s needs in this area.

  Wellbeing

  We prioritise the wellbeing of our workforce, with private health, excellent work-life balance, flexible working location and hours, coaching, and personal development. We regularly canvas for feedback from our employees to ensure they all enjoy work and feel rewarded for their efforts. We have an always available Wellbeing group internally, which arranges activities and challenges throughout the year to promote good health as well as providing a variety of suggestions and opportunities to ensure good mental health. We provide two paid volunteering days per year per employee, and encourage use of these to improve the communities we are a part of.

Pricing

• Price: £0.01 a unit a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Please see https://azure.microsoft.com/en-gb/free
• Link to free trial: https://azure.microsoft.com/en-gb/free/

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@shapingcloud.com. Tell them what format you need. It will help if you say what assistive technology you use.