Isotoma Ltd

Wagtail hosting

We provide secure, resilient, highly available UK based public cloud hosting for sites developed using the Wagtail CMS. The service is hosted at Amazon Web Services and is specifically designed for Wagtail. Our team is made up of experienced Wagtail developers and Certified AWS Architects.


  • Fully resilient. No single point of failure
  • Highly available. Automatic failover of any failed component
  • Scalable. Our cluster grows with your traffic. No limits
  • Secure. Web Application Firewall tuned specifically for Wagtail
  • Secure. DDoS protection built in
  • Real time monitoring of web site performance
  • Everything open. No proprietary components
  • Stage environment included by default
  • Developers in control. Deploy from the command line
  • All major releases of Wagtail supported


  • Be sure of your site’s stability regardless of load
  • Get the benefits of public cloud without the hassle
  • Easily meet all your security requirements
  • Deploy new versions of your site with ease
  • Get support from a highly experienced team
  • Integrate security and load testing into your development lifecycle


£250 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

6 0 1 4 7 9 5 9 9 4 5 8 7 8 5


Isotoma Ltd Andy Theyers
Telephone: 01904313980

Service scope

Service constraints
This service is designed for hosting Wagtail based websites. All production versions of Wagtail are supported.
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA dependent
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
Service monitored 24x7. Telephone and email support available UK office hours only. 99.9885% availability. Critical incidents responded to 24x7. Non-critical incidents responded to within 4 working hours.

Technical account manager included as part of the service. Cloud support engineer included at take on and contract end. Cloud support engineer available on request (at standard hourly rate) throughout contract.
Support available to third parties

Onboarding and offboarding

Getting started
We will liaise with your development team to guide them through any changes necessary to make their Wagtail system deployable to our environment. This liaison is included in our standard costs and we guarantee that the changes we ask them to make will not affect their ability to continue development.

Liaison is done via video conference and email.
Service documentation
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
All volatile data is made available in a dedicated S3 bucket that the user has access to at all times. This includes database dumps and all media assets.
End-of-contract process
Users are encouraged to renew, however if they wish to migrate to an alternative provider all assets required for the new provider to take on the service are automatically available to the user. 4 hours of consultancy is included - any additional consultancy is charged at our standard hourly rate.

Using the service

Web browser interface
What users can and can't do using the API
Users may make deployments to both the stage and production instances of their web site via the API
API automation tools
Other API automation tools
API documentation
API documentation formats
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Users may make deployments to both the stage and production instances of their web site through the command line


Scaling available
Scaling type
Independence of resources
Each user is partitioned from all other users, and each user is placed in their own AWS AutoScaling Group (ASG)
Usage notifications
Usage reporting
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • HTTP request and response status
  • Number of active instances
Reporting types
Real-time dashboards


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Amazon Web Services

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • All volatile data relating to the operation of the service
  • The content database
  • Media assets
Backup controls
Backups are performed once every 24 hours between 0200 and 0600 UK time. Users can request alternative schedules at no additional cost.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
IPsec or TLS VPN gateway
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We guarantee our infrastructure to be available 99.9885% of the time, calculated annually. This equates to 1 hour of unplanned downtime per year. Service is credited at 2% of the annual fee per complete hour outside this target.
Approach to resilience
Our infrastructure is 100% resilient, with every single component in more than one AWS Availability Zone. The exact configuration is available on request.
Outage reporting
Users will receive email notifications should their service fail, and then regular emails until the service is restored.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
Access restrictions in management interfaces and support channels
Our service implements role based access control. Users and roles are defined by customers as part of service take on
Access restriction testing frequency
At least every 6 months
Management access authentication
Description of management access authentication
We are hosting your application, so can support any authentication method your application supports
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
QMS International
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 27001 covers our entire business
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a Information Security Policy which is available on request. We have rigorous induction and training methods which ensure policies are followed. Reporting Structure is also available on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our configuration and change management processes, including component life cycle tracking and security impact assessments, are aligned with the ITIL v3 Framework Guidelines.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor for potential threats through multiple sources, including external repositories and vendor feeds. Each patch and hotfix is assessed by severity, client requirements and/or vendor recommendations.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We rely on AWS GuardDuty for intrusion detection and regular automated vulnerability scanning for potential threats. Every incident is responded to within 4 hours, regardless of time of day or night.
Incident management type
Supplier-defined controls
Incident management approach
Users can report incidents via telephony, web and email. We have predefined processes for common events and leverage the guidelines defined by the ITIL v3 Framework.

Incident reports are delivered as ODF documents as agreed with the user on a case by case basis, depending on severity and user requirements.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
Docker containers
How shared infrastructure is kept separate
Docker containers are used to separate each instance of users' applications, and network access policies are applied within the hosting cluster to ensure users are unable to access each other's data or applications.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres

Social Value

Equal opportunity

Equal opportunity

Our employment decisions are based on the principle of equal employment opportunity.

Accordingly, we do not discriminate on the basis of race, colour, creed, gender, national origin, disability, age, veteran status, citizenship, marital status or sexual orientation.

To support this policy we do the following:

All vacancies within the organisation are advertised both internally and externally, and equal weight is given to internal candidates as to those applying from outside the organisation

There is a published career progression pathway for each role within the organisation, and all staff are actively encouraged and supported to progress along their chosen pathway

All staff are encouraged to promote the vacancies to any and all social spaces and professional communities - both physical and virtual - that they belong to, to encourage a diverse range of applicants

All vacancies are promoted to those professional communities within the York and Yorkshire regions that provide support to sections of the community that do not usually have access to software development (and related) roles

The wording of each job advert is assessed to ensure that it does not include unconscious bias in the expectations it sets for applicants

Equal weight is given to those applicants with life experience rather than formal qualifications

We actively encourage applicants who are undergoing a career change through relationships with local retraining organisations


£250 an instance a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.