GRAVITEE TOPCO LIMITED

Gravitee API Management

Gravitee API Management (APIM) is a flexible, lightweight, and highly-performant event-native API management platform that accelerates and streamlines the governance and security of both synchronous (HTTP, REST, SOAP, gRPC, GraphQL, WebSockets, Webhooks, Server-Sent Events) and asynchronous APIs (Kafka, Confluent, Solace, MQTT, RabbitMQ), including both HTTP and TCP Proxy capabilities.

Features

• API Designer for API contract, adopting "Design-First" approach
• Protocol Mediation between backend services (REST/SOAP, gRPC, Kafka, MQTT, etc)
• Identity&AccessManagement to secure APIs using OpenID Connect/OAuth2/etc
• API Developer Portal for discovery, subscription and consumption of APIs
• API Debug allows deep API analysis capturing bugs and bottlenecks
• Analytics dashboards provide performance and monitoring visibility into your APIs
• Log inspection for end-to-end API traffic tracing
• Flow Designer enables message transformation and securing APIs
• Support for both OpenAPI & AsyncAPI specifications
• Service Management Ecosystem connects APIs to anything

Benefits

• Easy to use API Management. Deploy an API in seconds
• Achieve cross-functional collaboration with visual API Designer
• Run anywhere, on Gravitee SaaS, on-premise or private cloud
• Open-source core and heritage (avoid vendor lock-in)
• Low Total Cost of Ownership
• Reduce MTTI and MTTR with end-to-end log tracing
• Advanced security with FAPI Certified solution
• No-code, low-code approach to API management
• Build future-proof APIs with support for streaming (AsyncAPI)
• Premium Support with dedicated Slack/Teams channel

£0 to £199,999.99 an instance

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.dyson@graviteesource.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

621338081531117

Contact

Charlie Dyson
+44 7950609103
charlie.dyson@graviteesource.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: None.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Depending on the selected level of support: Response times (times and days) ; ; - GOLD: 8hrs/day, 5 days/week during Business Hours 9am-5pm, Paris time Time taken to log a P1 call or ticket 2 hrs Time taken to log other priority calls or tickets 4 hrs ; ; - PLATINUM: 24hrs/day, 7 days/week Time taken to log a P1 call or ticket 1 hr Time taken to log other priority calls or tickets 2 hrs
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Gravitee prov ides three different levels of support. ; ; - COMMUNITY EDITION: Supported provided by the open source community on API Management and Access Management. This is free of charge. ; ; - STARTER EDITION: Includes Customer Success program and provides: - Office Hours Support - Three Cockpit Environments - Two Enterprise Plugins - Initial Enablement & Training - Ability to add Alert Engine & API Designer. ; ; - ENTERPRISE EDITION: Includes Customer Success program and provides: - 24/7 Support - Dedicated Slack Channel - All Advanced Modules - All Enterprise Plugins - 4 x Gateways, Production/ Non-Production. ; ; - SUPPORT COST: Support is included in the price for Starter and Enterprise Editions
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Gravitee will provide onsite as well as online training (depending on what is required by customers) whenever required. In addition to the training, a Customer Success Manager will be assigned, becoming the main point of contact for any question that might arise. In addition, the Customer Success Manager will ensure organizations are getting the most value out of Gravitee by providing guidelines and best practices on how to use the product.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Gravitee includes an underlying Management API (REST) that enables customers to export any data and configurations. This allows any of our Customers to extract all APIs from an instance of Gravitee API Management (using industry-standard JSON schema).
• End-of-contract process: The Gravitee Subscription Agreement outlines standard terms and conditions for expiry and termination of software components licensed as part of Starter and Enterprise Edition. Clients would of course be free to continue to use Open Source Software (OSS). Client can export any data and configurations from the platform. After the End of Contract any data will be safely erased from Gravitee platform.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Any action performed within the UI can also be performed via the underlying Management API (REST). The management API (mAPI) enables you to integrate with 3rd-party solutions and to automate the entire API lifecycle (from importing an API definition, applying policies, securing your API, and publishing it to Gravitee's API Portal). A service account can be created to authorize the API calls so that CI/CD pipeline can automate the process of managing APIs.
• Accessibility standards: None or don’t know
• Description of accessibility: Any action performed within the UI can also be performed via the underlying Management API (REST). The management API (mAPI) enables you to integrate with 3rd-party solutions and to automate the entire API lifecycle (from importing an API definition, applying policies, securing your API, and publishing it to Gravitee's API Portal). A service account can be created to authorize the API calls so that CI/CD pipeline can automate the process of managing APIs.
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: Any action performed within the UI can also be performed via the underlying Management API (REST). The management API (mAPI) enables you to integrate with 3rd-party solutions and to automate the entire API lifecycle (from importing an API definition, applying policies, securing your API, and publishing it to Gravitee's API Portal). A service account can be created to authorize the API calls so that CI/CD pipeline can automate the process of managing APIs.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Developer Portal logos, branding and themes.

Scaling

• Independence of resources: Gravitee supports true multi-tenancy and can also support individual instances. All instances have guardrails configured to never inhibit performance of other instances.

Analytics

• Service usage metrics: Yes
• Metrics types: Platform metrics:; Online/offline, availability, throughput, requests per second.; ; For specific API's deployed on the Gateway:; API response time; API requests per client; Geolocation; API calls by browser; API calls by operating system; Request payload size; Application Identity associated with API request; API status code
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can either export from the UI or Management API.; ; Gravitee includes an underlying Management API (REST) that enables customers to export any data and configurations. This allows any of our Customers to extract all APIs from an instance of Gravitee API Management (using industry-standard JSON schema).
• Data export formats: Other
• Other data export formats:
  • JSON
  • OpenAPI spec
  • ASyncAPI spec
• Data import formats: Other
• Other data import formats:
  • OpenAPI spec
  • ASyncAPI spec

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Gravitee SLA 99.95%
• Approach to resilience: Gravitee SaaS platform is implemented in a high-available configuration distributed through three different datacenters in the region/country of deployment. All systems are deployed as code, as this shortens the recovery time from hours to minutes in case we have to rebuild the full or just part of our infrastructure. Configuration and client data is also stored and backed in a multi-array of databases.
• Outage reporting: Gravitee reports any scheduled outages in advance. Most updates do not cause any outages. Exceptional situations or incidents are immediately reported to our clients using the preferred method of communications for the client (i.e.: ticket, e-mail, phone call, sms, Slack/Teams).

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Defined by the client using a variety of methods to achieve role-based access control (RBAC) efficiently either by receiving it from the Identity Provider (IdP) of the client or by creating one in the Gravitee platform.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA/ UKAS
• ISO/IEC 27001 accreditation date: 08/01/2024
• What the ISO/IEC 27001 doesn’t cover: None.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 01/08/2021 and updated 01/01/2022
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: On-Prem deployments, Gravitee SAAS is fully covered by the CSTAR
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Financial API - Level 3
  • ISO 27701 (Extension to Data Privacy of ISO 27001)
  • SOC Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISO27001, ISO27701 and SOC 2 Type 1 (working towards Type 2).
• Information security policies and processes: Gravite have in place a mature ISPIMS (Information and Data Privacy Management System) and our policies, processes and procedures were audited and certified in alignment with ISO 27001 and ISO 27701.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Operational/access changes, modifications to the Procedures, creation of new users and permissions. Changes to internal /external systems components including SaaS. Change that have an impact to the confidentiality, integrity, availability and accountability of systems or information within the scope of the ISPIMS. Threat modelling and risk assessment is performed and documented. A Data Protection Impact Analysis (DPIA) is done if the processing of data might result in a high risk to personal data being processed. Information Security and Data Privacy risks are identified and mitigated Management approval is needed for risks with High or Critical risk.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All vulnerabilities from any source are documented and addressed Vulnerabilities fixing or updates will be done after risk triage Vulnerabilities triaged shall be fixed/mitigated/updated within the following amount of days: Critical - within 15 days High and Medium within 28 days For Gravitee Vulnerability Management we collect information from: Penetration Testings, either lead by us or Clients Vulnerability scans from tools such as SAST/DAST and others Bug Bounty
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Gravitee implemented state of the art Extended Detection & Response (EDR) to end points and SaaS systems including a 24/7 Managed Detection and Response system that provides triage and alerts of indicators of compromise to the InfoSec team. Average response times are within 30 minutes or less from the first alert.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Gravitee have policies and procedures for Incident Management aligned with NIST Cybersecurity for Critical Infrastructure and as part of the ISO 27001, ISO 27701, and SOC Type 2 certifications. This includes not only Information Security but also Data Privacy incidents. Users report directly incidents by e-mail, slack or call to the InfoSec team. Reports of the incident are done using tickets, email or other means.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  At Gravitee, no employee or applicant, client, colleague or supplier, will be treated less favorably on the grounds of their sex, marital status, race, color, nationality or ethnic or national origin, disability, gender, sexual orientation, gender identity, age, pregnancy or maternity, marital or civil partner status, or religion or belief. Our aim is to ensure that everyone who works here has an equal opportunity to develop a successful career, where everyone is treated with respect and dignity and decisions in the workplace are made free from the effects of bias and prejudice.

Pricing

• Price: £0 to £199,999.99 an instance
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Gravitee is an open-source platform and the core components can be installed free of charge for an unlimited time. The core components included are the API Management Gateways, console and portal and the Access Management Gateway and Console.
• Link to free trial: https://www.gravitee.io/downloads?hsLang=en

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.dyson@graviteesource.com. Tell them what format you need. It will help if you say what assistive technology you use.