The Virtual Forge

Data Solutions

The Virtual Forge provides a range of services from consultation, discovery, proof of concept build, solution design, and solution implementation. Each engagement is tailored to the specific needs of the client.


  • Business Use Case Consulting
  • Technical Discovery
  • Solution Architecture
  • Data Model Design
  • Data Processing and Engineering
  • Application Integration
  • Data Governance
  • Data Visualisations


  • Combine data science with business analytics to extract data value
  • Full service experience from consultation through to execution and support.
  • Leverage repeatable automation of your infrastructure
  • Create scalable, resilient, well architected systems to specifications
  • Extensive experience with cloud systems
  • Data quality review and recommendations


£0 to £150 an instance an hour

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

4 3 3 8 5 4 3 2 7 4 1 7 4 0 2


The Virtual Forge The Virtual Forge
Telephone: +44 (0) 207 078 8855

Service scope

Service constraints
Service constraints will vary depending on the scope of work.
System requirements
System requirements will vary depending on the scope of work.

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Response times are based on the priority of the ticket:
- Priority1 = Immediate
- Priority2 = 2 working hours
- Priority3 = 8 working hours
- Priority4 = 24 working hours

Customers may purchase out of hours and weekend support at an additional cost, and response times will be agreed as part of that service.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our standard support offering includes:
- Access to Freshdesk ticketing system
- Access to onsite support
- Dedicated Account Manager
- Response times SLA

Our Premium offering additionally includes:
- Dedicated support staff
- 24x7 hotline for Priority1 incidents

Both offerings are priced separately per project, depending on the amount of support required each month.

Out of hours support
Unsociable hours, namely weekends and statutory holidays, and after 5.00pm on weekdays, will be charged at £300/month to have the service available.

If the customer uses the emergency call line, £200 will be charged for the call-out. This covers up to one hour of the support team member’s time. £150 will be charged for every whole or partial 30 minute period thereafter.
These rates are for the work the development team will have to perform in order to identify and resolve the problem.
Support available to third parties

Onboarding and offboarding

Getting started
A Data Sprint, is often used to scope a Data Solution. A Data Sprint is a limited engagement designed to provide clients the expertise needed to assess the business and technical aspects of a use case. In consultation with a client we will create a mutual understanding of what is needed to achieve the business goals
Service documentation
Documentation formats
End-of-contract data extraction
End of contract data extraction if required will be agreed at the time of scoping the Data Solution.
End-of-contract process
End of contract process will be agreed at the time of scoping the Data Solution.

Using the service

Web browser interface
Using the web interface
Almost all data services have web portal interface, these will be specific to the project.

Configuration parameters of some services are only available from the CLI, SDK or API interface.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Will be dependent on the service being used.
Web interface accessibility testing
All interfaces have been tested.
What users can and can't do using the API
API functionality will vary depending on the service being used.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation
API documentation formats
  • HTML
  • PDF
  • Other
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Will be dependent on the service being used.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
Provision of multiple instances. Auto-scaling in place for further instances if pre-agreed compute or latency thresholds are exceeded.
Usage notifications
Usage reporting
  • API
  • Email
  • SMS
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Encryption is managed by 3rd party, ie AWS or Azure, who are CSA CCM v3.0 compliant. AWS use AES-256 for the encryption protocol on data at rest.
Data sanitisation process
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
Back up & Recovery is user specific
Backup controls
We will work with the customer to define a suitable backup & recovery solution as part of the Bespoke Data Service.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Use infrastructure assuring 99.9% uptime
Approach to resilience
We make extensive use of AWS's or Azure native resiliency and redundancy capabilities through leveraging multiple Availability Zones through load balancers for servers and (where possible) distributed databases or read replicas. This is further supported by 'warm' backup regions in case of a disaster recovery scenario.

Details of Amazon SLA's can be found here;
Outage reporting
Outage reporting is configurable to requirements the following reporting services are available.
Public dashboard
Email alerts
Text messages

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication
Typically username and password, but MFA also available.
Access restrictions in management interfaces and support channels
Username and password. Resets only available directly to user via their email.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Company Information Security Policy must be signed by all employees, and is updated regularly.
CTO – The company’s Chief Technology Officer is responsible for corporate-wide IS system planning, implementation, and execution.
Information Security Manager – The IS Manager is responsible for the company-wide datacenter and network infrastructures.
DevOps Engineers – The DevOps Engineers are responsible for all enterprise business systems.
Internal Users -- All members of the the company User Community are required to familiarise themselves with the policies outlined in the The Company Employee and Contractor IS Policies document.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are managed via the change control process to ensure projects remain within approved constraints. Change proposals are agreed with the client, completed by the individual who identifies the need for a change, then submitted to us. The project team then assesses the impact of the change. The request is submitted to the change control board with the project team's findings to be reviewed. If the change is approved, all project documentation must be updated and the change must be communicated to all stakeholders. Some changes may also require re-alignment of the project costs, schedule, or scope.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Threats are monitored using an IDS provided by AWS/Azure along with the standard protection offered by AWS/Azure. Patches are routinely applied with urgent hotfixes applied the same day as a threat is identified. Threat information is monitored from AWS and industry leading security boards and alert feeds.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
This is managed by AWS/Azure on our behalf.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are managed via a ticketing system.
Information and FAQs are available via the ticketing system to help with common issues. Canned responses are prepared for common issues. Users report incidents via email or through ticket portal. Responses are given according to pre-defined SLAs. RCAs are available for critical issues. Ticket reports are available at client request.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Third-party virtualisation provider
Amazon Web Services and Microsoft Azure
How shared infrastructure is kept separate
Different accounts for different clients on AWS or Azure specific to client requirements
Clients have separated AWS or Azure instances.
AWS and Azure assure security of the cloud.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
Amazon is committed to achieving 100% renewable energy across our global infrastructure.

Microsoft Azure is committed to carbon negative by 2030, 100% renewable energy by 2025

Social Value

Fighting climate change

Fighting climate change

The Virtual Forge are committed to ● Complying and keeping up to date with environmental legislation ● Preventing pollution ● Continually working to reduce our environmental impacts – minimising waste produced, minimising our energy use, training staff and encouraging greener transport options Specific areas where we are working to reduce our environmental footprint: ● Working with our staff and building users to make all of the building’s operations as environmentally friendly as we can, heating and lighting our premises efficiently ● Investigating how much waste we generate, using segregation to enable higher rates of recycling ● Looking at how people travel to and from our site: encouraging public transport and cycling ● Looking at what we buy – sourcing goods with low environmental impact and working with local suppliers wherever possible
Equal opportunity

Equal opportunity

The Virtual Forge Limited is committed to achieving a working environment which provides equality of opportunity and freedom from unlawful discrimination on the grounds of race, sex, pregnancy and maternity, marital or civil partnership status, gender reassignment, disability, religion or beliefs, age or sexual orientation.


£0 to £150 an instance an hour
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.