Zodiac Media Ltd

Drupal CMS hosting

We offer enterprise level managed cloud hosting for your Drupal website using UK based data centres with 99.9% up time guarantees. As part of our hosting service we include 1 day per month of support time, this includes out of working hours support.

Features

• Fully managed hosting service
• Using GDPR compliant UK based data centres
• Ability to scale up/down the number and size of servers
• Load balanced high availability setups available
• Enterprise grade performance and security monitoring systems
• 1 day of support time per month
• Support time includes out of working hours support
• Send only email server capabilities
• Option for custom server packages such as Apache Solr
• We are an ISO 27001 information security certified company

Benefits

• Support time usage is billable to the nearest hour
• Unused support time is kept on balance for future months
• Fully managed service including out of working hours support
• High availability server setups available
• All servers are backed up daily
• Servers are actively monitored for both performance and security

£80 to £640 an instance a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

433661926051062

Contact

Billy Davies
0203 813 8430
info@zodiacmedia.co.uk

Service scope

• Service constraints: For security and stability purposes, we do not allow access to the servers which run client sites (i.e. SSH, SFTP, SCP etc).
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any support inquiries have the following response times based on their severity:; ; * Critical - 2 hours; * Major - 4 hours; * Minor - 2 working days; * Trivial - 4 working days; ; We split the working week up into ‘Normal Working Hours’ (09:00-17:00 Mon-Fri for UK working days) and ‘Antisocial Hours’ (all other times including weekends and UK bank holidays).; ; Only Critical inquires are responded to during Antisocial Hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: Our minimum support level is 1 working day's worth of support time per month at £805 ex VAT per month. Unused support time can be rolled over into the next month, with up to a limit of 5 days being held on account.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Clients will provide us with a copy of the codebase, database and uploaded files folder for their existing Drupal site. If possible it is helpful if clients can provide us with either the config files of their web server, or access to the server itself. We will then restore your site onto our newly provisioned servers ready for acceptance testing. The site can be switched live via co-ordinated DNS changes.
• Service documentation: No
• End-of-contract data extraction: At the end of the contract we will provide clients with a zip of their codebase, database and uploaded files folder.
• End-of-contract process: At the contract end we will liaise with clients to arrange a short content freeze (< 1 hour) at which point the creation of the offboarding zip files can take place. The client can then pass these files to their new contractor so they can set the site up as required. Immediately before the migration of the site away from our hosting, a second content freeze will take place at which point a refreshed copy of the zip files can be generated so that the new contractor can refresh the new copy of the site prior to it being made live via DNS changes. At the end of contract, the servers are terminated, and all client data held by us is deleted as per our ISO27001 policies.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: We always use a dedicated VPS or physical server for each client implementation of Drupal. Staging environments are also provisioned on separate servers from the production environment. This ensures that sites are kept physically separate, removing the possibility of client sites having a negative impact on one another.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Other
• Other metrics: Monthly uptime
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Full image backup of servers
• Backup controls: The servers client sites run on are backed up on a daily basis using full image backup. 3 backups are held simultaneously and are rotated daily, these are: a daily backup, a 2-7-day old backup, and an 8-14-day old backup. It is possible to restore any backup image either to an existing server or to a new server instance.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We offer a 99.9% uptime guarantee, evaluated on a monthly basis. If we fail to meet this SLA service credits are offered as follows: - Less than 99.9% but equal to or greater than 97% - 20% credit - Less than 97% but equal to or greater than 96% - 40% credit - Less than 96% - 60% credit
• Approach to resilience: Available upon request.
• Outage reporting: Service outages are reported via a shared private dashboard.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Server access is restricted via SSH key in conjunction with password protection and is only available from whitelisted IP addresses across uncommon port numbers.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 02/03/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We follow an ISO27001 certified Information Management Security System. This includes policies for: employees, clients, suppliers, physical security, network security, secure development, teleworking, access control, data classification, how to store, access, and retain data depending on its classification. It also includes an information asset register and a regularly updated risk treatment plan.; ; An internal security audit is conducted every quarter, and an external audit by an accredited 3rd party body every year.; ; Employees are onboarded with the reporting process and are instructed to report any issues to the Director or Information Technology Security Officer as soon as they are aware of them. The Director and ITSO hold regular security management review meetings to deal with reports. A formal incident response process and contact links with the relevant authorities are maintained.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: A log of server components is maintained. Notifications are automatically dispatched went an instance comes close to using all its resources. Any significant changes sees a project's security and risk assessment reapplied.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: A formal Risk Treatment Plan is maintained and updated periodically with identified risks treated, transferred, or terminated. All Information Assets are categorised based on the impact and likelihood of its confidentiality, integrity, or availability being compromised with the resultant category dictating how it can be stored, accessed, and retained.; ; Links with professional bodies are maintained with security notifications automatically dispatched in group IM channels. Security releases are deployed within 2 weeks of release.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: ClamAV anti-virus software is used to proactively monitor servers. Penetration testing is conducted every quarter.; ; Issues are fixed on discovery with a follow-up scan conducted to confirm rectification. Response times vary between immediate and two weeks depending on the severity rating attached to the issue reported.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Employees are instructed to notify the designated staff members. If applicable, a compromised user account will be blocked and all associated login info changed. If applicable, the affected client will be notified. Should the data breach involve protected data, the breach will be reported to the Information Commissioner’s Office within 72 hours in compliance with the GDPR.; ; Evidence of the breach will be gathered and, if applicable, will be reported to the police. With reference to the Risk Treatment Plan, the impact of the incident will be assessed. Contributing weaknesses in company policy will be identified and rectified.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: KVM hypervisor
• How shared infrastructure is kept separate: We use KVM virtualisation, which is a full virtualization solution, so VPSs are fully isolated even though they share the same physical server.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: The data centre in question runs on 100% renewable energy.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  The data centres used for this service run on 100% renewable energy.

  Tackling economic inequality

  All employees are paid above the living wage regardless of role or experience.

  Wellbeing

  We hold frequent recreational team-building activities. All employees have the option to work from home, enjoy flexible hours, and are entitled to 24 days of annual leave.

Pricing

• Price: £80 to £640 an instance a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.