Prolinx Assured Cloud (PAC), Secure Platform as a Service (PaaS), up to Official Sensitive
Prolinx PaaS is a UK hosted assured Cloud Service that delivers a fully managed UK Sovereign secure and scalable application hosting and development platform. It features an agile storage and consumption model and is supported by a 24/7 Service Desk. Available up to OS with secure email to the MOD.
Features
- Multi-functional environment
- Secure, simple, and highly scalable hosting platform to aid collaboration
- Delivered as a fully managed end-to-end service
- ISO9001, ISO14001, ISO20000-1, ISO27001 certified and ITIL service management framework
- Securely operated in UK by appropriately Cleared Personnel
- Supported by a 24/7 UK-based Service Desk
- Option to access database, application and specialist support services
- Secure and hardened identity management service
- Prolinx is compliant with the Public Services (Social-Value) Act 2012
Benefits
- Reduces cost and complexity of managing technology and resources
- Can handle Official (including caveats).
- Service hosted in UK-only locations for data sovereignty
- Increases operational efficiency through provision of Prolinx expertise
- Allows customer focus on core business values (application and data)
- Simple application on-boarding process
- Flexible replication and backup options
- OS patching/AV/Anti-Malware delivered as part of the fully managed service
- Securely operated in UK by appropriately Cleared Personnel
- Opex billing model allows for stable and predictable financial forecasts
Pricing
£0.24 a virtual machine an hour
- Education pricing available
Framework
G-Cloud 14
Service ID
488641760034598
Contact
Prolinx Ltd
Sam Howells
Telephone: +44 (0) 330 180 0000
Email: pubsecfw@prolinx.co.uk
Service scope
- Service constraints
- Each individual new service cannot operate without CyDR accreditation (for MOD clients). We agree to represent the proposed services to the accreditors, addressing the approach and risk control.
- System requirements
-
- Application licensing is the responsibility of the Application Owner/Customer.
- Need to gain relevant authority approval and accreditation
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Gold:
P1 - Response within 30-mins, Resolution within 4-hours.
P2 - Response within 1-hour, Resolution within 8-hours.
P3 - Response within 3-hours, Resolution within 24-hours.
P4 - Response within 5-hours, Resolution within 40-hours.
Silver:
P1 - Response within 1-hour, Resolution within 8-hours.
P2 - Response within 2-hours, Resolution within 16-hours.
P3 - Response within 3-hours, Resolution within 24-hours.
P4 - Response within 5-hours, Resolution within 40-hours.
Bronze:
P1 - Response within 2-hours, Resolution within 12-hours.
P2 - Response within 3-hours, Resolution within 24-hours.
P3 - Response within 4-hours, Resolution within 40-hours.
P4 - Response within 5-hours, Resolution within 72-hours.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
- As incidents come into the Service Desk they will be allocated a priority associated target response time which is in line with the agreed priority definition. We offer Gold, Silver and Bronze service packages that can be aligned to your requirements. Each service that Prolinx provides will have a Customer Service Manager.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
An Application Requirement Document (ARD) is provided to the Application Owner to complete; this will define the requirement.
The on-boarding process will then be initiated, ending with the provision of Administrator account(s) and access to the VM(s) and to a platform Dashboard.
Prolinx can provide on-line supporting material (User Guides) to assist customers to maximise the benefits of the Official Connections collaborations tool. On-site training can be provided and our Service Desk can be available to provide assistance and guidance to customers as required. More formal classroom training can be provided which Prolinx would be happy to facilitate.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- Termination or migration will necessitate a four week period prior to any expiry of the contractual agreement; Prolinx and the customer will agree an exit plan which will include a mandatory service migration meeting covering:
• The return of user generated data most appropriate to meet the exit and security requirements
• Whether they wish their data to remain available for future use (i.e. persistent storage). If the data is not required, it will be purged and destroyed in accordance with the requirements associated with the data BIL rating.
• Whether they wish to extract their data. If the data is rated at Official including caveats (BIL3), precautions will need to be put in place to ensure that the security of the data is not compromised. Data can be extracted in a variety of formats including XML, CSV and TXT.
• Exit project plan
• The compliance requirements for secure destruction of important data and storage media
• Risk Assessments and agreed service cessation milestones
• Final commercial reconciliation.
Prolinx will agree a price for delivering the exit plan and will have fifteen days to transfer or destroy all user generated data within the Prolinx Assured Cloud Service.
- End-of-contract process
- In line with G Cloud T&Cs at least 90-days notice of termination must be provided in writing. In the event of termination, all/any remaining service charges will still apply and will be payable on or before the termination date. Termination or expiry of the contractual agreement will initiate the Exit Project Plan as set out in the off-boarding section of this document.
Using the service
- Web browser interface
- No
- API
- No
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
-
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them.
Services which provide virtualized operational environments to customers ensure that customers are segregated via security management processes/controls at the network and hypervisor level.
Prolinx continuously monitors service usage to project infrastructure needs to support availability commitments/requirements. Prolinx maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, the Prolinx capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.
- Usage notifications
- Yes
- Usage reporting
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
- Other
- Other metrics
-
- Custom metrics generated by customers’ applications and services.
- Metrics associated with log files generated by the application.
- Security metrics associated with Anti-virus and/or user activity.
- Infrastructure availability.
- Operating System event log entries.
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Machine image only.
- Machine image and defined storage volumes.
- Machine image and all associated storage volumes.
- Flexible backup of storage volumes available.
- Backup exclusion policies can be applied.
- Customer-defined backup retention period available.
- Backup controls
- The back up and data recovery SLAs are more likely to be pre-agreed with the customer, rather than user initiated. However, manual or scheduled backups are possible but need to be pre-defined.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Prolinx currently provides SLAs for several services for Government Departments. SLAs will be pre-agreed to satisfy the user requirements. Prolinx offers well-architected solutions that leverage unique capabilities such as multiple Secure Data centres built in accordance with Uptime Institute criteria easing the burden of achieving specific high availability requirements. The service is backed by a 24/7 support desk.
- Approach to resilience
- The Prolinx Business Continuity Plan details outage processes. Prolinx has developed a three-phased approach: Activation and Notification, Recovery, and Reconstitution Phases. This approach ensures that Prolinx performs BCP efforts in a methodical sequence, maximizing the effectiveness of recovery and reconstitution thus minimizing system outage time. Prolinx maintains a ubiquitous security control environment across all data centres. Each datacentre is built to physical, environmental, and security standards in an active-active configuration, employing an N+1 redundancy model, ensuring system availability in the event of component failure. In case of failure, sufficient capacity enables traffic to be load-balanced to the remaining sites. Customers are responsible for implementing contingency planning, training and testing for their systems hosted on PAC. Prolinx provides customers with the capability to implement a robust BCP, including the utilization of frequent server instance back-ups, data replication, and the flexibility to place instances and store data within multiple geographically separated datacentres. Prolinx conducts due diligence when on-boarding and managing suppliers and, where possible, implements dual-sourcing; ensuring continuity of service from our critical suppliers. This supplier management procedure offers dual resiliency, ensuring that our sites are served by different suppliers guaranteeing both physical and corporate resiliency of supply for our critical systems.
- Outage reporting
- An email alert and direct conversation with the Global Operations Security Control Centre (GOSCC) for MoD clients.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Prolinx makes use of trusted roles, with separation of duty and limits on each transactional privilege set. All these measures combine into an accepted standard practice which has satisfied already provisioned MoD and other Government contracts.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Devices users manage the service through
-
- Dedicated device on a segregated network (provider's own provision)
- Dedicated device on a government network (for example PSN)
Audit information for users
- Access to user activity audit information
- Users receive audit information on a regular basis
- How long user audit data is stored for
- Between 1 month and 6 months
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- Between 1 month and 6 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- BSI
- ISO/IEC 27001 accreditation date
- 09/05/2021
- What the ISO/IEC 27001 doesn’t cover
- Prolinx does not write software. Prolinx does carry out 'scripting'.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
- Secure by Design
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
We follow information security policies as defined within GovS 007 Security, ISO 27001 and the NIST Cybersecurity Framework, all of which advocate a risk-managed approach to security. Each project or product undergoes a concept-of-use driven risk assessment which results in security controls being assigned to reduce the risks. Security controls are all assigned from NIST 800-53, ISO 27002 and NCSC architecture patterns and guides. All design work is subsequently undertaken using these requirements, which culminates in independent test and validation. Any change triggers a need to undertake a risk assessment and assignment of security controls.
Subsequently control effectiveness is continuously assured via testing to ensure adherence to policies and derived security controls.
The SRO is the Managing Director who delegates security authority to the Head of Cyber Security who in turn behaves as the Security Assurance Coordinator and ITSO for the products and projects. The Security Controller is responsible for managing all aspects of the Facility Security Clearance requirements including aftercare of all employees and reports to the SRO. The Crypto Custodian is responsible for all aspects of HMG Crypto and also reports to the SRO. We work with external authorities for management of security incidents.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Prolinx has a variety of methods already in use to support change and configuration management to track and identify components from cradle to grave. The design and change of any function is managed via key stages from initiation, planning and co-ordination through to validation and testing and early life support. This will be managed using ITIL methodologies and best practices.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Through a process of business-based risk assessments we identify potential threats to our services. The risk assessment is regularly updated to account for new threats.
Additionally we undertake regular IT Health Checks of all of our services using CHECK testers who help us understand any technical threats.
Patching is undertaken on a regular basis but generally within 14 days for routine patches and within 72 hours for critical patches. Antivirus patches and DAT updates are applied on a daily basis.
Our primary source of threat information is the NCSC and CPNI.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
The Prolinx monitoring platform can provide real-time views of availability statistics, as well as detailed monitoring and analysis of data from virtual switches, routers, servers and any other network devices. The Prolinx monitoring platform includes availability, security and integrity monitoring of the applications and infrastructure.
We continuously monitor for indicators of compromise (IoC), which are kept updated within our SIEM tooling.
With a 24x7 service desk, we respond to incidents almost immediately once an IoC is discovered, using detailed instructions to reduce the impact.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- The Service Desk manages incidents using a dedicated service management tool suite. These can be raised by a telephone call, email or from an automated alerting system. Incidents are classified and prioritised in accordance with the agreed SLAs. There are multiple types of service level classification and ticket prioritisation that can have different response and resolution characteristics ranging from 30 minute responses with 4 hour resolutions to 5 hour responses with 72 hour resolutions with several levels in between. Incidents are reported to the customer on a monthly basis via a Service Management Review.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- Other
- Other virtualisation technology used
- We use a blend of the most popular technologies such as VMware, Hyper-V, Red Hat etc. and have suitably qualified and experienced personnel competent in these technologies to provide bespoke secure PaaS solutions to our customers.
- How shared infrastructure is kept separate
- Customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualised operational environments to customers, ensure that customers are segregated and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
- Prolinx complies with the guidelines within the EU Code of Conduct for Energy Efficient Data Centres. The Datacentres utilised by Prolinx use electrical and cooling systems that are certified by their M&E Design & Construction contractor to exceed the UTI Tier III uptime percentage. They offer the highest levels of sustainability across their data centres without compromising security and availability. In accordance with EU guidelines, the Datacentres have implemented and exceeded the requirements of the HMG Greening Strategy, designed to ensure the lowest possible environmental impact. The direct air-cooled data centre is considered best-in-class, requiring no mechanical cooling >99% of the year. Because the Datacentres are factory-built offsite, the embedded carbon footprint and construction waste are greatly reduced – and have BREEAM accreditation indicating we recycle over 90% of this waste. We responsibly source power through competitive tendering that favours renewable energy. The data centre building has photovoltaic cell installations on the roof to capture solar energy. We have also introduced rainwater harvesting at the site to offset water consumption. Our own Datacentre benefits from cold aisles which supply cooling only to the area that requires it. DCs have a PUE of 1.2.
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Prolinx is committed to influencing our environment evidenced by our Environmental Policy to ensure that our operations are carried out with a commitment to protecting and enhancing the environment. We seek to comply with all relevant environmental legislation/regulation and aim to establish higher standards of environmental performance where these are practicable and appropriate. We have introduced energy policy drives for constant improvement in Power Usage Effectiveness (PUE). The industry benchmark is currently 1.8 and we currently achieve a PUE of 1.2.
All staff comply with our Environmental Policy, each having a legal and moral obligation to carry out duties with concern for the environment. All contractors are also required to adopt environmental standards fully consistent with those of the Company and they are expected to achieve comparable levels of performance as a condition of their contract.
To implement our Environmental policy to support Climate Change we follow these practices:
1. Minimise waste by evaluating operations and ensuring they are as efficient as possible.
2. Minimise toxic emissions through the selection and use of its fleet and the source of its power requirement.
3. Actively promote recycling both internally and amongst its customers and suppliers.
4. Reduce to a minimum the environmental effect on all future developments and carry out an appraisal of the environmental effect of sourcing of raw material.
5. Advocate employee involvement in all environmental matters, providing suitable training and support to all employees with regard to this environmental policy.
6. Minimise any adverse environmental effects caused as a result of our activities, products and/or services adopting the principle of BATNEEC (Best Available Technique Not Entailing Excessive Costs).
Covid-19 recovery
Driving employment post Covid 19 is vital to us as a Small Medium Enterprise (SME) business. We have therefore created a standardised and complete approach to incorporating social value in our procurement of new contracts, through-life service delivery and commercial practice to support Covid 19 Recovery Employment initiatives. As an example, on a recently won contract, through evidence of SVS compliance on Employment, Prolinx was able to recruit 2 new STEM roles.
Whilst increasing Employment plays a part in Covid 19 recovery, Modernising Delivery and Increasing Productivity means that Prolinx also concentrates on how we can become more efficient. Prolinx is focused on becoming more efficient rather than more complex, looking at key certifications and approaches that provide agility and a “common approach”.
Modernising our Delivery through MSP Principles allows us to structure SVS to address corporate performance and anything from a simple project to a complex programme by assuring Governance, Process, Tooling, Management Information (MI), Key Performance Indicators (KPIs) and most importantly People. Service delivery through ITIL4 ensures we integrate Social Value Management ‘as-a-Service’ within contracts and that the SVS can be adapted on an agile basis through Continual Service Improvement (CSI).
Prolinx has developed its own internal test and development environment where innovation and experimentation is encouraged, both to develop current technological patterns to find better ways to utilise the capability, but more importantly, to develop internal skillsets. These Innovation and Disruptive Technologies support Covid 19 Recovery.
Prolinx manages Cyber Security Risks through Cyber Essentials plus and ISO27001 certification to protect Prolinx as a company and its customers. This is vital for the ongoing growth and Covid 19 recovery.
Tackling economic inequality
Social economic inequality relates to disparities that individuals might have in both their economic and social resources that are linked to their social class. These disparities include, but aren’t limited to, their earnings, education, and/or income.
As a SME, we rely heavily on our people as they are the foundation of our company. We want everyone to have equal opportunities to succeed through training, personal development and in-work progression. Prolinx promotes economic equality by:
1. Targeting harder to reach under-represented groups and communities.
2. Providing entry-level employment and training opportunities for local people and develop future talent.
3. Promoting fairness, inclusion, and respect (FIR) principles.
4. Identifying/Managing modern slavery risks
Prolinx’s Ethical Policy is its commitment to ending slavery in all forms; cruel, inhuman, or degrading punishments; and any attempt to control or reduce freedom of thought, conscience and religion. Prolinx ensures that all employees, agents, and contractors are entitled to their human rights as set out in the Universal Declaration of Human Rights and the Human Rights Act 1998. Prolinx will not enter any business arrangement with any person, company or organisation which fails to uphold the human rights of its workers or who breach the human rights of those affected by the organisation’s activities.
In supporting economic equality Prolinx is committed to employing ex Armed Forces where possible supporting the Armed Forces community and honoring their commitment to the Armed Forces Covenant. We evidence this by several ex Armed forces employed within the company providing insight and wisdom of the Armed Forces community.
Prolinx is committed to ensuring economic equality by ensuring employment and labour rights, social protection, care and family leave are supported by our compliance to Health, Financial and Education regulations embedded within our processes and procedures such as Health and Safety Documents and Employment guides.
Equal opportunity
The Prolinx SVS is founded on our core values and responsible leadership principles, underpinned by our Ethical Policy, and applies to all our employees and any party who undertakes activity on our behalf. It follows the national TOMs framework and outlines our commitment and accountability to our internal and external stakeholders for the role we play in their lives.
Tackling inequality in the contract workplace underpins our best practice.
Our People come first. We want everyone to have equal opportunities to grow and succeed through training, personal development and in work progression. Prolinx promotes workforce diversity by:
1. Targeting harder to reach under-represented groups and communities.
2. Providing entry-level employment and training opportunities for local people and develop future talent.
3. Promoting fairness, inclusion, and respect (FIR) principles.
The Armed Forces Covenant is an agreement between the armed forces community, the nation, and the government. The covenant’s twin underlying principles are that members of the armed forces community should face no disadvantage compared to other citizens in the provision of public and commercial services; and that special consideration is appropriate in some cases, especially for those who have given the most such as the injured or the bereaved. By signing this covenant, Prolinx is committed to support the Armed Forces community and has evidenced this by employing several ex Armed Forces personnel who are valuable members of the company.
We have a contractor process in place, in line with the Modern Slavery Act, to ensure that, in times of need, we can bring in short-term hires. Prolinx does not discriminate on the basis of race, religion, colour, sex, age, disability or sexual orientation; therefore recruitment decisions are based solely on qualifications, skills, knowledge and experience and relevant business requirements.
Wellbeing
Social values are taken from government priorities, strategies, business cases for programmes and projects, through to procurement specifications, which includes people and their wellbeing.
Prolinx understands the need to consider the collective benefit to the community when assessing approaches to procurement; however, equally vital is the support to the physical, emotional, and social wellbeing of our employees, sub-contractors and customers. Promoting a socially healthy environment enables respectful and empathic engagements across the supply chain, managing the effects of actions on others. By being aware of rights and responsibilities and able to manage emotions in a healthy way, Prolinx as a company lives and breathes a wellbeing ethos in its engagement with other communities. Physical and emotional wellbeing is equally important to us. We encourage a work-life balance to support physical strength and mental strength, as being able to recognise and express feelings promotes a healthy work environment.
Prolinx also ensures that Education and Training is in place to support our people.
Education and training gaps are identified through annual Personal Development Plans, which are captured in consultation between individuals and line managers. Education and training enables Individual Autonomy, Mastery and Purpose as key tenets of Wellbeing and preserves high company retention rates.
Prolinx as an SME believes work progression is key to employees being engaged and committed to their jobs. Promotion and upskilling through education and training support work progression, keep internal skillsets maintained and help Prolinx retain our people.
Prolinx also provides and maintains safe and healthy working conditions, equipment and systems of work for all our employees, and provides such information, training and supervision as they need for this purpose. We also accept our responsibility for the health and safety of other personnel who may be affected by our activities.
Pricing
- Price
- £0.24 a virtual machine an hour
- Discount for educational organisations
- Yes
- Free trial available
- No