HUMAN MADE LIMITED

Altis - Enterprise WordPress Hosting

Altis is an enterprise grade WordPress hosting solution used by banks, news organisations and high-volume publishers. Built from the ground up with advanced security and scaling with view based pricing, low latency and high performance. Made for WordPress developers, by WordPress developers.
https://www.altis-dxp.com/
https://docs.altis-dxp.com/

Features

• Every production server has a read-only filesystem
• Separate system for assets (Images, Files)
• Web application firewall
• Encryption in transit and encryption at rest
• SSL certificates and HTTP Strict Transport Security (HSTS)
• Disable content-type sniffing and prevent clickjacking attacks
• Integrated disaster recovery systems
• Data centers are SOC 2, ISO 27001, ISO 27017 certified
• Cloud-native autoscaling
• Content distribution network (CDN)

Benefits

• Automatically scale to any size
• Go global with the Altis CDN
• Predictable and flexible pricing based on traffic
• Built by WordPress developers for WordPress developers
• X-Ray tool provides observability of every single request
• Push to GitHub automatically
• High availability
• Platform update every quarter
• Full developer documentation https://docs.altis-dxp.com/
• Built just for enterprise WordPress

£20,400 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@humanmade.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

464392186907232

Contact

Adam Brown
01629 628082
sales@humanmade.com

Service scope

• Service constraints: Ongoing support, maintenance and cloud hosting for WordPress CMS sites only. Non-WordPress to WordPress migrations available.
• System requirements: Modern website browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response time are tailored to different severity. Urgent requests are responded to within 1 to 2 hours depending on the selected support tier. 4 severity tiers are covered within our support coverage - Urgent, Priority, Medium severity and low severity.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: We use Slack and defer to Slack's testing practices
• Onsite support: Yes, at extra cost
• Support levels: Standard:; 2 hour urgent response SLA; 1 business day priority support; 24×7 urgent support, with business hours support in your region; ; Premium:; 2 hour urgent response SLA; 1 business day priority support; 24×7 urgent support, with business hours support in your region; Technical account manager; ; Enterprise:; 1 hour urgent response SLA; 2 hours priority support; 24×7 support for all issues; Technical account manager
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Altis provides a comprehensive onboarding service to help clients make the best use of our project communication channels and Agile process. We also provide training on all hosting and CMS solutions, either via remote video call or video archives.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Our exit management plan mandates that we provide the client's data, code base and assets and will deliver it digitally. Files will be digitally compressed and grouped and delivered via a secure link.
• End-of-contract process: Altis will provide an offboarding package to the customer. This package includes a copy of the customer content (including the database and assets). The customer codebase is owned by the customer, and Altis uses a customer-provided GitHub repository. Altis provides WordPress and custom functionality as part of the platform, which is publicly-available open-source code licensed under the GNU General Public License. Customers may also take exports of data at any time from the self-service Altis Dashboard. Altis will retain customer data for 90 days after the end date of the contract to facilitate emergency situations, after which it will be securely deleted. Legal and contractual information may be retained for up to 10 years in line with relevant legal and taxation requirements.

Using the service

• Web browser interface: Yes
• Using the web interface: Full details of the Altis dashboard can be found here: https://docs.altis-dxp.com/cloud/dashboard/; ; Users can make code deployments to their WordPress-based applications, download database and file backups, add domains, view application performance insights, manage their team access, view and download application logs such as PHP logs, Nginx or MySQL. Users are not able to set up new services / applications from the web interface. Doing so is a manual process with an Account Manager.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: We have not tested for accessibility yet
• Web interface accessibility testing: We have not tested for accessibility yet
• API: No
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Other
• Using the command line interface: Users of our platform can run complex and custom commands via our Command Line Tool.; ; Our command line tool is accessible via our Dashboard interface.

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Altis is a dedicated hosting solution that features application, database, caching, and search servers combine with load balancers and our CDN to automatically adjust your infrastructure dynamically, based on live traffic.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other
• Other usage reporting: Slack notification; PDF Reports

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • HTTP request and response status
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Response Time
  • Bandwidth
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • The database — CMS content like posts, custom post types
  • Uploaded files — such as images, PDF documents
  • Manual snapshots, ZIP archive containing a mysqldump SQL file
• Backup controls: Database and file backups are controlled through the Altis client dashboard.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Up to 99.99% uptime SLA depending on selected hosting tier. Should Provider fail to meet the agreed Availability SLA for a given calendar month, as Customer's sole remedy and Provider's sole obligation, Customer will be entitled to a service credit, calculated by: (a) the monthly Altis platform fee, multiplied by (b) the sum of the SLA promised rate less the calendar month’s Service Availability Rate. The Service Availability Rate is expressed as a percentage calculated by: (a) the amount of wall-clock time in a given calendar month, as measured in minutes and rounded up to the nearest minute during which the Service Availability is considered Available, divided by (b) the number of total minutes in a given calendar month.
• Approach to resilience: The Altis Cloud architecture is a highly-available, resilient, autoscaling cloud system built to handle any level of traffic. Altis Cloud has been designed from the ground up to be flexible, scalable, and performant, while minimising cost. Redundancy: Altis' underlying datacenter provider ensures critical components have backups across data centers, zones, and regions, minimizing downtime from hardware failures or disasters. Auto Scaling: Altis adjusts compute resources dynamically based on demand, maintaining performance during traffic spikes and avoiding resource exhaustion. Fault Isolation: Altis isolates failures to specific areas, preventing cascading issues and ensuring system continuity. Continuous Monitoring: Altis proactively detects potential issues and anomalies, taking preventive measures to maintain service availability. Disaster Recovery: Altis provides robust solutions like Altis Backup and Disaster Recovery, enabling data and application protection across regions for business continuity. High Availability: Altis features built-in redundancy and failover mechanisms, distributing traffic and replicating data across zones for consistent performance and accessibility.
• Outage reporting: The client will receive email alerts that is typically linked to a service ticket that is created by our cloud engineers. Service ticket is accessible via the client dashboard as well.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: For the Altis platform, management interfaces and support channels we require our clients to have an account on our communication platforms, which requires 2FA. For access to WordPress, custom access restrictions can be applied, including custom user roles, area access restriction, single sign on and 2FA.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: OSPAR Attestation (Singapore Banking Standard)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: OSPAR - ABA financial services organisation audited systems for financial services.
• Information security policies and processes: We follwo a set of security rules outlined in the Altis documentation (https://docs.altis-dxp.com/security/) which includes: 2FA, Audit Logging, Standard HTTP and Basic Authentication, Browser Security, Account Disablement and Password Strengthening.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes made to Altis infrastructure follow a specific change management process, including risk rating, testing, and approval steps as appropriate for the risk level. Regular maintenance is performed during a weekly time slot.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Altis have policies and processes for Vulnerability Management, Vulnerability Reviews and Penetration Testing. The Altis team performs annual vulnerability assessments and penetration testing following established processes. The Altis team assesses vulnerabilities across many systems, services and applications using a combination of Machine Image scanning, Docker Image scanning and AWS Config. Issues are tracked in the product development backlog, and prioritized according to risk and impact. Altis will perform annual penetration testing according to established processes and activities. Results are reviewed and prioritised for remediation. Altis has penetration test reports available upon request
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Altis continually collects and monitors logs from customer applications and systems. SSH authentication logs are tracked off-server, and only accessible to authorized individuals. Customer’s web server access logs are collected to a centralized logging service for future analysis and investigation. Access logs include request IP addresses, date, URLs and more. Actions and resource changes in AWS are tracked in AWS Config which act as an audit log of all changes to FI’s systems. Virtual Machine Systems are monitored using AWS Security Hub using CIS Benchmarks. Response to incidents are defined by the selected support tier.
• Incident management type: Supplier-defined controls
• Incident management approach: Altis operates a robust incident management process. Incidents can be triggered by automated alerts and monitoring which Altis has in place, or by customer-reported issues. Customers may contact Altis by filing an urgent support ticket (either through the Altis Dashboard or via an emergency email address). Urgent support follows the urgent SLA of 2 hours, with typical response times of 15 minutes. For incidents triggered by Altis engineers, proactive communication is established as an early first step. Any triggered incident will immediately page the on-call engineer. Altis has a global team geographically distributed around the world with engineers always available.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: AWS Nitro
• How shared infrastructure is kept separate: AWS Nitro is used to separate VMs. https://aws.amazon.com/ec2/nitro/

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Altis Cloud is fully built on top of Amazon Web Services (AWS), and we use their services end-to-end to serve pages to users. AWS is actively working on sustainability efforts, including achieving carbon neutrality by 2025. This includes a variety of regions powered by 100% renewable energy, including all of our European and American regions. Altis customers can select one of these green regions, with our prices the same across every region. More information available at https://www.altis-dxp.com/sustainability-with-altis-cloud/

Pricing

• Price: £20,400 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@humanmade.com. Tell them what format you need. It will help if you say what assistive technology you use.