Answers and Solutions ltd

Hosting of Websites, WordPress and Cloud Apps. A Shared Service

To install 3rd party cloud apps your administrator needs servers online and in the cloud. These servers require workspace(s) and tooling. This service provides both, allowing the installation and manage the majority of cloud solutions. Complementing our Web software, Cloud and Consulting service, you can take "hosting_only" or multiple services.

Features

• ------ Solution managed via Microsoft's Windows Internet browser. -----
• Fully scaleable; Server Clustering and Storage networks give vast capacity
• Our Graphical Interface makes deploying low-cost Cloud apps easy.
• Suitable for WordPress, Auction software, Service Desk Systems.
• Suitable for time and attendance systems and almost anything else.
• All the underlying infrastructure for your Website or other application.
• Pen Testing. PenTesting during Onboarding available for GDPR security
• Vulnerability Scanning

Benefits

• Enables the utilisation of low cost, high performance commercial solutions.
• The Commercial sector frequently uses these Commercial Solutions.
• 95% of the top million websites are on Linux Servers.
• Our Graphical Interface for Linux means anyone can easily setup.

£500 to £1,000 an instance a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Christopher.Wainwright@letsdiscuss.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

483992289820265

Contact

Christopher Wainwright
02920733722
Christopher.Wainwright@letsdiscuss.co.uk

Service scope

• Service constraints: Being a shared system, you are unable to alter Operating System settings, and many management settings cannot be changed. Those are available on our Private Hosting service.; ; None of the entry level email systems available offer GDPR compliant messaging, ours is no exception. This can be turned on if requested. A chargeable GDPR compliant email system can be added as an extra.
• System requirements:
  • You will need suitable domain name(s)
  • You will need suitable SSL Certificates (We can provide these)

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Online support requests will be acknowledged and users will be able to view the status of tickets. It should be noted that support is not a substitute for training.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The entire system will be hosted off-site, and all system parameters can be "configured over the wire". However, the line between an underlying platform and the installed application can get blurred. If required, we are able to provide the initial support required by most users to quickly setup and configure their systems. Chargeable telephone support, arranged via the ticking system is by appointment. ; ; This is charged at our hourly rate to ensure that those employing highly skilled staff are not being asked to subsidize those who require onsite training.; ; Re: Support to 3rd parties. This raises security, authorisation and data protection issues. Support to 3rd parties is therefore provided in limited circumstances to assist integration of a 3rd party system, rather than explaining how to alter our platform. We do not support API programming. 3rd party support only is provided to named staff and is billable.; ; Support should not be confused with training. When appropriate, we may signpost people to appropriate supplier resources.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will provide onsite requirements gathering and service expectations consultancy. This will allow the configuration engineer to build they system with the correct configuration, and to generate appropriate documentation. If the buyer has domain name details, we will set these up on the system and install any software chosen from our software services schedule. We will return to site a few days later to provide onsite training. The remit of onsite training covers operation of the hosting platform, rather than any installed cloud apps. Service(s) for installed cloud apps are attached to the subscriptions to those apps. We can also offer a data migration service should a customer be coming to us from a previous supplier.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data transfer to a new location will always be possible. Basic end of contract costs are included in the setup fee.; ; The incoming service buyer may install their equipment or subscribe to appropriate services as part of their onboarding and our exit plan.; ; The standard monthly transfer data transfer allowance is of course provided free of charge during month 12.
• End-of-contract process: The provision of professional services at our datacentre will probably be required. This shall be charged as per the pricing document.; ; We will offer free of charge storage of data backups made during the contracted period for a further 60 days. Once the data is 60days old it will be stale and will be deleted.

Using the service

• Web browser interface: Yes
• Using the web interface: To maintain system security, we will not supply logon credentials until after system setup. After the order has been validated and finalised the service does not take long to setup. From then on, users can make configuration changes to those settings relevant for most types of website hosting.; ; Users can create internet domains, subdomains, domain pointer records etc and upload most typical website application software etc. They can create FTP accounts for multiple staff if required. Users can make backups, but cannot restore without our assistance. This is to avoid "accidents". ; ; Note #1: Domains must first be registered elsewhere.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: The interface has been well designed. Our company selected the platform in question several years ago based on the quality of the interface. Eight years on, it remains superior to others on the market, and we continue to use it on account of the quality that it was built-in.; ; I cannot however at this time advise whether it has been formally certified to the standards above.; ; A new interface is planned for released during the lifetime of G-Cloud. 12
• Web interface accessibility testing: 1 in 12 men are colour blind and we are very aware of this issue. We tested all the available interfaces with a colour blind user. We use the system our user preferred.; ; There are several interfaces on the market, the one we selected and offer to clients is the best we could find; we also tested it for clarity and simplicity, ensuring the options and features are logically located and easily found.; ; Most vendors submitting offerings to G-Cloud will be offering cPanel or Plesk branded systems, systems we rejected for technical reasons as well as the inferior interface.
• API: No
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: There are few if any reasons to use the command line interface. We provide a competent application which includes PHPAdmin as standard. Because this is a shared platform, we do not allow the use of the CLI. This is because we do not want to see your system compromised.; ; If you wanted to access these commands you could subscribe to our Privet Hosting Platform instead. Software licensing and other costs then need to be borne by you on a sole basis rather than a shared basis. Virtualization is taken to the next level.

Scaling

• Scaling available: No
• Independence of resources: This service is scaled to suit the expected workload. Virtualisation technology offers many advantages, including fast and rapid scaleability. The solution we use also supports clustering and so can spread its workload across multiple physical servers if required.; ; Thresholds will be set on parameters such as network traffic and maximum emails sent per hour to mitigate against mis-use by a small few.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Disk
  • Network
  • Other
• Other metrics: Qty of MySQL databases, FTP Accounts, Domains and subdomains
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • The Platform has an internal backup system.
  • The DR system replicates the entire platform.
  • Databases can be backed up to an agreed schedule.
  • The backup stategy shall be agreed between supplier and buyer.
• Backup controls: This will depend of the software chosen during setup consultation
• Datacentre setup:
  • Multiple datacentres
  • Single datacentre with multiple copies
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: An IPsec or TLS VPN gateway can be configured at extra cost. If required, this would also indicate that the client has security concerns above the usual run-of-the-mill and may need one of our other solutions with higher levels of isolation implemented.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Our networks systems are within a datacentre with the minimum of physical access. Virtual networking can be deployed, but if required, this would also indicate that the client has security concerns above the usual run-of-the-mill. They may need one of our other solutions with higher levels of isolation implemented.

Availability and resilience

• Guaranteed availability: The buyer will be eligible for one free days hosting for every hour the service was inaccessible to the buyers users, capped at 100% of the days in a free month. Planned maintenance events taking place at weekends or overnight are excluded. Details are in the service description document.
• Approach to resilience: The approach to resilience within the datacentre and our equipment therein is based on the elimination of single points of failure. In techno-speak this is called n+1 , which means that if an item failed a spare one takes over. Full details on request
• Outage reporting: A public dashboard available to customers will indicate any outages.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: There are two levels here. The management interfaces to the clients side and those interfaces with heightened permissions that we use to administer the client side. ; ; The customer logon screen to our PaaS requires two entries in addition to the password, making it very secure. 2 factor authentication is available.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Description of management access authentication: Other techniques are available with our private hosted system that we cannot implement on a shared platform
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: WorldPay
• PCI DSS accreditation date: 31/12/2019
• What the PCI DSS doesn’t cover: We do not store CC details on our servers; CC details are processed by our bank on their PCI DSS certified servers. Our PCI certification was issued with this processing method declared. Most payment processing applications handover to an external CC payment provider, who accepts payment before handing purchase approval back to the application that you would be running on our system. This means that our PCI DSS certification is suitable for eCommerce solutions used by most organisations . If you want to store people CC details on our servers, that can be arranged and our PCI DSS would be amended to suit. Your software solution would need to be PCI DSS compliant.; ; Using a 3rd party processor such as Worldpay [or one of their numerous competitors] is by far the best way to handle the GDPR aspects of Credit Card processing.
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Good Practice security governance is practiced. Our Physical server(s) are located in a restricted access datacentre. Strong passwords are enforced and stored safely.; ; ID's of clients appointed officers are stored and will be used to validate requests for support and assistance.
• Information security policies and processes: The staff at our office do not have physical access to the hardware, ensuring that data at rest is protected.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We operate a minimal environment for the common stack which minimises the numbers and types of software patches we need to install. Software patches are those recommended by the relevant supplier(s).; ; Clients requesting bespoke configurations are placed on fully segregated platforms. A necessary consequence of this is that clients may need to upgrade during the lifetime of a contract if bespoke settings are required after initial setup. ; ; A test environment is maintained separately from our production environment for the purpose of software patch testing.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We have selected products recognized within the industry as having an appropriate level of security and vulnerability management. Vulnerability management is based upon notification to us by our suppliers and the installation Patches.; ; The biggest vulnerability comes from clients installing outdated and un-patched software, rather than the PaaS platform. Segregation of shared resource minimizes risks, but if this is a concern customers may signup for the fully isolated VPS service we also offer. ; ; Clients on the shared platform are required to notify us of applications prior to deployment. Legacy apps carrying requiring depreciated infrastructure may need hosting on a VPS.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: For security reasons, we do not publish details of protective actions taken since such details substantially increases the risks we face.
• Incident management type: Undisclosed
• Incident management approach: TBC

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: KVM hypervisor
• How shared infrastructure is kept separate: Virtualization keeps systems separated. Within the Platform segregation is further enforced by the operating system. ; ; Data in transit will also be encrypted via SSL

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Renewable or nuclear energy is used as much as possible at our datacentres. Coal derived power has virtually been eliminated, and will be gone completely during the lifetime of a G-Cloud contract. The biggest consumption of energy within the Datacentre is server hardware. Server virtualisation minimises the number of physical servers permanently running. Our equipment is housed in multiple 3rd party datacentres. On request, datacentre space is available in northern (arctic) climates, and we can locate your service in Finnish DC's.

Social Value

• Fighting climate change:

  Fighting climate change

  Climate change is minimised by reducing CO2 emissions. We use an energy provider that has minimized its reliance on fossil fuel power generation and sources as much nuclear energy as possible. Renewable energy is included in the mix (hydro, solar and wind). Any shortfall is topped up by a small top up from fossil fuels. We also minimise power consumption by using shared infrastructures for some clients, and where a client requires a non-shared infrastructure, we minimise energy consumption using virtualisation techniques.; ; All hardware purchases are required to meet current energy efficiency targets.
• Covid-19 recovery:

  Covid-19 recovery

  As part of our commitment to CO2 reduction and our commitment to Covid-19 recovery, we allow home working and use virtual meeting technologies as much as possible.
• Tackling economic inequality:

  Tackling economic inequality

  We place as much business as possible in areas that are short of opportunities. The economic advantages are obvious, but additional business advantages include those that accrue from having a stable workforce.
• Equal opportunity:

  Equal opportunity

  We provide equal opportunity and recruitment is based solely on ability. Individuals are free to hold any personal view they wish and no discrimination is permitted on those grounds
• Wellbeing:

  Wellbeing

  All staff are encouraged to have a healthy work-life balance. Staff are encouraged to exercise regularly and hold diverse interests. We offer a salary sacrifice scheme for all physically active recreational activities that meet this requirement, and undertake occasional team-building events in pursuit of the wellbeing criteria.

Pricing

• Price: £500 to £1,000 an instance a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: This is a free demonstration, not a free trial. The system is reset every fortnight. Installations generating abusive traffic levels will be deleted without notice. 30-day free trial if a day's training is purchased. No access to the email / advanced features. Logon credentials provided on enquiry.
• Link to free trial: Provided On Request

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Christopher.Wainwright@letsdiscuss.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.