Skip to main content

Help us improve the Digital Marketplace - send your feedback

  1. Digital Marketplace
  2. Lot 1: Cloud hosting
  3. Patch Management as a Service (PMaaS)

Patch Management as a Service (PMaaS)

Vulnerability Management patching service is designed to proactivelty update and secure common vendor operating systems and applications. It is a cloud and Hybrid service that automates and delivers software patches and fixes across Wintel and Middleware platforms. Wintel Vulnerability Management, Middleware Vulnerability Management.


  • Continuous monitoring of patch sources and real-time notification from ISVs
  • Testing and deployment of patches prior to deployment
  • Agreed release schedule to production environment
  • Analysis and recommendations for monthly patch cycle
  • Reporting at the end of each patching cycle


  • Ensures security through automated patching
  • Improves security posture
  • Customised release schedule that meets your organisation’s requirements
  • Removes the burden of onerous and resource intensive activities
  • Representation on your organisation’s Change Advisory Board if required
  • Reduce security management costs


£47 a virtual machine a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

5 0 0 4 8 3 1 2 7 2 8 7 4 9 6


Telephone: 07799894781

Service scope

Service constraints
Patching can be applied to all applications and devices that are on our HCL and SCL
System requirements
We will require access to all devices/applications to be patched

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Dataquest will monitor, manage and maintain the underlying hardware infrastructure and Hypervisor. The Customer has 3 options for managing the virtual machines that sit on the hyper visor:

1. Self-Service (Customer's IT Team manage, patch and troubleshoot the virtual server estate)
2. Fully Managed Service - The Customer Purchases a Fully managed service from Dataquest with a defined Service Level Agreement.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
The Dataquest Helpdesk is available to provide 1st and 2nd line technical support over the telephone, through our online helpdesk, and our remote management tool . This is a paid for service see rate card for Pro-Active or Reactive support.

A call is recorded, triaged, and classified as an Incident, Request, Change, Complaint, or other piece of demand in accordance with ITIL guidance. Alerts are monitored by Dataquest's Integrated Operations Centre.

Depending on the contract that is entered into the support desk is available 24x7x365 or during Normal business hours.

Dataquest Normal Business Hours are defined as:
Monday to Friday 08:00 to 18:00 excluding public holidays.

Dataquest has 4 Incident SLAs:

Priority 1 - High impacting incident - response within 1 hour
Priority 2 - Moderate to high impacting incident - response within 2 hours
Priority 3 - Low to moderate impacting incident - response within 4 hours
Priority 4 - Very low impacting incident or service/information request - response within 5 working days.

Each Customer has a Customer Excellence Manager who manages the relationship through regular Teams or face to face meetings. Furthermore the Customer will have access to a technical account manager or cloud support engineer, if required.
Support available to third parties

Onboarding and offboarding

Getting started
All of Dataquest's managed cloud service contracts start with an initiation meeting, it is at this point that the Customer will be trained on how get started and how to interact with Dataquest 's service desk. This training will take the form of either remote or onsite training dependent on the customer's preference. Documentation will also be provided.
Service documentation
Documentation formats
End-of-contract data extraction
Before the end of a contract is reached the assigned Service Delivery Manager at Dataquest will reach out to the customer to discuss and agree on a contract exit strategy. Part of the agreed strategy will include data extraction and deletion from the Dataquest infrastructure. Furthermore the customer can add change or remove their data at any time with or without Dataquest's input.
End-of-contract process
Where a client chooses to terminate their subscription with Dataquest, we are able to provide support for data extraction and/or migration where reasonable. We will agree a point of service termination with the client when the transition is complete. At this point, our dedicated support and technical teams will cease to provide any services. We will work to ensure that this transition is seamless.

Using the service

Web browser interface
Using the web interface
Where a Buyer opts for Dataquest's self-managed IaaS they will be able to configure their environment by using Dataquest's orchestration tool OnApp, This will allow them to allocate CPU, RAM and disk space to their virtual servers. They can also create, delete and reboot servers without having to contact Dataquest Support

If the customer does not want to utilise OnApp then we can provide limited access to vCentre, where they can only see their estate and they have the ability shutdown/reboot servers.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
They can not increase the size of their resource pool; any increase of CPU RAM or disk would require a signed sales order from the Customer.

They can not access anything other than their own environment. They will have limited access to vCentre
Web interface accessibility testing
Command line interface


Scaling available
Independence of resources
We use tools a number of tools to monitor our infrastructure and alert the support team accordingly. Furthermore we use tools within VMware to dynamically load our infrastructure.
We also do not over sell the capacity - vCPU is on a 4:1 ratio, RAM is on a 1:1 ratio and we do not thin provision the SAN
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Microsoft or Linux Virtual Machines
  • Active Directory and System State backups
  • MySQL, MS SQL, SAP HANA, Oracle, AAG and DAG
  • Microsoft Exchange, Microsoft SharePoint
  • Microsoft 365 suite
  • File data
  • Bespoke backup and retention plans
  • Disaster Recovery as a Service
  • Safe Recovery and Instant Restore available
Backup controls
Users have access to a web portal where they can administer their tenancy. They can create bespoke backup schedules for individual servers or groups of servers.

We can provide advice on what retention cycle to follow based on the data protection objectives along with any compliance requirements.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Each service is provided with a guarantee of availability at contract level and sanctions in case of the service availability dropping below guaranteed level.
Approach to resilience
Available on request
Outage reporting
An API, email alerts, SMS

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces and support channels is restricted through a combination of username and passwords, multifactor authentication, firewalling, IP restrictions, the use of bastion hosts as appropriate.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Dedicated device on a segregated network (providers own provision)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institute (BSI)
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Software development
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
A mature security program is in place. Head of Compliance manages the company’s risk through security technologies, auditable work processes, and documented policies and procedures such as; Acceptable Use Policy (AUP), Access Control Policy (ACP), Change Management Policy, Information Security Policy, Incident Response (IR) Policy, Remote Access Policy, Email/Communication Policy, Disaster Recovery Policy, Business Continuity Plan (BCP). These policies are just some of the basic guidelines Dataquest use to build successful security programs.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
The key elements of Dataquest's configuration management are:
version control, baseline and release information, audits & review
documented process and build, integrate and deploy scripts.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Evaluated and appropriate measures are taken to address any associated risks; management of technical vulnerabilities, restrictions on software installation, information systems audit controls. In accordance with Dataquest’s ISO 27001 ISMS (technical vulnerability management) testing is carried out at least once annually and when applicable patches to the system are introduced to the main systems, when new network infrastructure or applications are added, if significant upgrades or modifications are applied to infrastructure or applications and end user policies are modified.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
PMCs used to assist Dataquest in the protection of its staff, assets and information and to assist in the investigation of misconduct or criminal activity. Accurate time in logs, recording relating to business traffic crossing a boundary,recording relating to suspicious activity at a boundary,recording of workstation, server or device status, recording relating to suspicious internal network activity,recording relating to network connections,recording of session activity by user and workstation,recording of data backup status,alerting critical events, reporting on the status of the audit system,production of sanitised and statistical management reports and providing a legal framework for protective monitoring activities.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
As part of Dataquest's service operation, incident management aims to manage the lifecycle of all incidents. Our primary objective is to return the IT service to users as quickly as possible. The incident management sub-processes and objectives are aligned to ITIL and ISO 27001:2013 standard. Incident management support, incident logging and categorisation, incident resolution, incident monitoring and escalation, incident closure and evaluation, pro-active user information and incident management reporting.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
VMware's vCenter uses a layered approach with security controls, isolation mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the service stack.

This layered approach provides secure access to the hosts, guarantees resources to tenants, and provides abstraction to the physical components. The VMware software-defined solutions at different layers allow the infrastructure to provide isolation of resources.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
Telehouse West saves up to 1,110 tonnes of CO2 emissions per annum and provides up to nine megawatts of power for the local neighbourhood. The energy savings equate to boiling 3,000 kettles continuously. The disposal of waste heat from cooling systems is one of the most significant sustainability issues associated with data storage. This is the first time a heat export strategy has been introduced in the UK for this type of data centre facility.

Social Value

Fighting climate change

Fighting climate change

Dataquest operates an Environmental Management System (EMS) that has gained ISO 14001: 2015 certification. Our EMS is a continual cycle of planning, implementing, reviewing, and improving Dataquest’s processes and actions to meet environmental obligations and objectives. Energy efficiency makes a significant contribution to environmental sustainability and helps us to reduce our operating costs. We monitor our use of key sources of energy (electricity, gas,) with the aim of reducing our carbon emissions.
Covid-19 recovery

Covid-19 recovery

Dataquest continues to follow and update our business continuity plan with a focus on protecting the health and well-being of our colleagues, while keeping the business running, supporting our partners and continuing to provide the best possible service levels. In line with our ISO 27001 Standard, we have a robust disaster recovery and business continuity plan in place. This includes significant investments in technology and infrastructure to ensure we can continue to operate the business in a variety of unforeseen scenarios. We have extensive online collaboration capabilities to help ensure business continuity and we’re working tirelessly to help everyone stay safe while at the same time continuing to serve our customers.
Tackling economic inequality

Tackling economic inequality

Dataquest is committed to tackling economic inequality at root, from creating new businesses and new employment opportunities, to improving education and training, Our overriding vision is to help lower the unequal distribution of income and opportunity between different groups in society.
Equal opportunity

Equal opportunity

Dataquest is an equal opportunities employer and in general would wish to go beyond the strict legal requirements as determined by statute in order to be seen to promote sound and fair management practices and procedures at all times.

It is therefore the Company’s aim to provide equality of opportunities for all employees by providing a working environment free from unlawful discrimination, harassment, bullying or victimisation on the grounds of sex, marital status, sexuality, disability, age, race, colour, ethnic origin, nationality, religious or political beliefs. This principle will equally apply to recruitment, training, promotion, dismissal, transfer and all benefits, terms and conditions of employment.

The Company will not tolerate acts which breach policy and all instances of such behaviour will be taken seriously, be thoroughly investigated and in proven cases, will be subject to the Company’s disciplinary procedures. Policies for recruitment, selection, training, development and promotion are designed to ensure that individuals are selected, promoted and otherwise treated solely on the basis of their relevant aptitudes, skills and abilities.


We encourage vitality, a healthy quality of life, and a positive working environment in which people thrive. Our priority is to be proactive, so employees can gain awareness, education, and support to successfully function at work and at home, free from factors which may negatively impact upon their health.


£47 a virtual machine a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.