Zodiac Media Ltd

Drupal CMS website

We can customise or develop from scratch Drupal 7, 8, 9 and 10 websites. This includes extending Drupal's functionality, adding security layers, or streamlining Drupal's user interface. Full Drupal training and post-release support can be provided on request.

Features

• Mobile-first design approach
• Separate staging and live development servers
• System event logging for security
• UK based data centre hosting provided at cost
• Content presentation can conform up to WCAG 2.2 AA standards
• Granular role-based permission systems developed on request
• We are an ISO 27001 information security certified company

Benefits

• Mobile-compatible as standard
• Fast turnaround with multiple opportunities for feedback
• Reduce resource overheads and technical debt
• Fully customisable to meet your precise requirements
• Inherently modular and scalable design
• Security compliant up to ISO27001 standards

£805 to £805 a unit a day

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

587155725098591

Contact

Billy Davies
0203 813 8430
info@zodiacmedia.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: For security and stability purposes, we do not allow access to the servers which run client sites (i.e. SSH, SFTP, SCP etc).
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any support inquiries have the following response times based on their severity:; * Critical - 2 hours; * Major - 4 hours; * Minor - 2 working days; * Trivial - 4 working days; ; We split the working week up into ‘Normal Working Hours’ (09:00-17:00 Mon-Fri for UK working days) and ‘Antisocial Hours’ (all other times including weekends and UK bank holidays).; ; Only Critical inquires are responded to during Antisocial Hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: The same level of support is offered for all subscriptions, with only the amount of support time allocated per month varying. Additional support time can be purchased in 1 day increments at a rate of £805 ex VAT per day.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Clients should have at least a basic set of requirements, technical specifications, and design goals. We would then kick-off a meeting to exchange information and begin constructing site prototypes.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data extraction is possible via SQL export, RESTful APIs, or CSV export.
• End-of-contract process: Hosting migration is coordinated between us and the client's new development contractors or in-house team. All user credentials are then transferred to the new team and any client owned data on our systems is destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Functionality is identical. Appearance changes depending on screen size to be accessible.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: A backend Admin system allows authenticated users to add, change, and delete content and settings for the website.; ; The frontend is accessible to all users and allows them to navigate and view content, and submit information via webforms and comments.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We operate an accessibility scanning service called Publica11y (https://www.publica11y.org/). This service is used to test sites for WCAG AA 2.2 compliance issues. The service is built on software that received the highest Guidance rating in the government’s Accessibility Tool Audit. Further testing is done using SiteImprove and Axe accessibility tools.; ; All sites are WCAG 2.2 AA compliant at time of handover.
• API: No
• Customisation available: Yes
• Description of customisation: New functionality can be added on request, with a wide array of modules available. Client staff can use Drupal's admin system to customise the content and appearance of their sites.

Scaling

• Independence of resources: We always use a dedicated VPS or physical server for each client site hosted. Staging environments are also provisioned on separate servers from the production environment. This ensures that sites are kept physically separate, removing the possibility of client sites having a negative impact on one another.

Analytics

• Service usage metrics: Yes
• Metrics types: Sites can be integrated with third party analytics platforms such as Google Analytics. All data collection and processing is GDPR compliant.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data export is possible via an SQL database, RESTful APIs, or CSV export.
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We offer a 99.9% uptime guarantee, evaluated on a monthly basis. If we fail to meet this SLA service credits are offered as follows:; ; - Less than 99.9% but equal to or greater than 97% - 20% credit; - Less than 97% but equal to or greater than 96% - 40% credit; - Less than 96% - 60% credit
• Approach to resilience: Available on request.
• Outage reporting: Service outages are reported via a shared private dashboard.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Server access is restricted via SSH key in conjunction with password protection and is only available from whitelisted IP addresses across uncommon port numbers.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 02/03/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We follow an ISO27001 certified Information Management Security System. This includes policies for: employees, clients, suppliers, physical security, network security, secure development, teleworking, access control, data classification, how to store, access, and retain data depending on its classification. It also includes an information asset register and a regularly updated risk treatment plan.; ; An internal security audit is conducted every quarter, and an external audit by an accredited 3rd party body every year.; ; Employees are onboarded with the reporting process and are instructed to report any issues to the Director or Information Technology Security Officer as soon as they are aware of them. The Director and ITSO hold regular security management review meetings to deal with reports. A formal incident response process and contact links with the relevant authorities are maintained.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our Drupal sites store their configurations in the site’s codebase, which is under version control. We also control the server provisioning of Council Platform’s servers using the automated scripting language Ansible, and these scripts are also under version control. All changes are assessed for potential security impacts via a peer review prior to acceptance into the codebase.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: A formal Risk Treatment Plan is maintained and updated periodically with identified risks treated, transferred, or terminated. All Information Assets are categorised based on the impact and likelihood of its confidentiality, integrity, or availability being compromised with the resultant category dictating how it can be stored, accessed, and retained.; ; Links with professional bodies are maintained with security notifications automatically dispatched in group IM channels. Security releases are deployed within 2 weeks of release.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Production site servers are integrated with our enterprise performance and security monitoring systems. Critical level notifications from these systems are instantly published to channels in our internal Instant Messaging system for immediate address. Data from these systems is regularly reviewed by our Information Technology Security Officer (ITSO) as part of our ISO27001 security framework. Response times vary between immediate and two weeks depending on the severity of the reported issue.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Employees are instructed to notify the designated staff members. If applicable, a compromised user account will be blocked and all associated login info changed. If applicable, the affected client will be notified. Should the data breach involve protected data, the breach will be reported to the Information Commissioner’s Office within 72 hours in compliance with the GDPR. Evidence of the breach will be gathered and, if applicable, will be reported to the police. With reference to the Risk Treatment Plan, the impact of the incident will be assessed. Contributing weaknesses in company policy will be identified and rectified.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  The data centres used for this service run on 100% renewable energy.

  Tackling economic inequality

  All employees are paid above the living wage regardless of role or experience.

  Wellbeing

  We hold frequent recreational team-building activities. All employees have the option to work from home, enjoy flexible hours, and are entitled to 24 days of annual leave.

Pricing

• Price: £805 to £805 a unit a day
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.