Buchanan Hosting PaaS
Cloud-based platform specifically designed for hosting Buchanan and other third-party applications. Services are housed within ISO27001 UK data centres. These resilient environments are fully maintained and kept up to date with regular security patches and hardware upgrades. Designed to meet government guidelines on cloud computing and Buchanan Computing’s stringent Information Security Policy.
Features
- Cloud-based PaaS
- Designed for memory-intensive applications
- Windows-based environment
- Microsoft Hyper-V
- Citrix Virtual Apps
- Comprehensive backup and restore options
- UK based data centres
- ISO 27001 certified data centre
- Comprehensive Service Level Agreement with service credits
- Flexible File store (initial allocation of 80G)
Benefits
- Centralised service enabling better cross departmental working
- Cost effective, built by blending open and proprietary technologies
- Secure highly resilient environment with a high level of redundancy
- Fully supported and maintained by an experienced team of engineers
- Programmed hardware upgrades, long term reliance
- Optimally configured for high performance
- Fully scalable platform
- Users access applications after passing secure access controls
Pricing
£20.00 to £1,250.00 a user a month
- Education pricing available
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
760094185013302
Contact
Causeway Technologies Limited
Sales
Telephone: 02088463220
Email: sales@buchanancomputing.co.uk
Service scope
- Service constraints
- The service is built to work in a Microsoft Windows environment.
- System requirements
- Citrix Workspace app - latest recommended version installed
- Internet browsers - standard internet browser: IE, Chrome, Firefox
- Security certificate - DomainSSL SHA-256-G2
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Initial response is with an automatically-generated ticket number and requests are then prioritised and responded to in accordance with our SLA response times, which range from 30 minutes to 2 working days. Normally, response times are faster. Support desk core hours are 09:00 to 17:30 Monday to Friday (excluding bank holidays), during which time you can call the first line support team.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Buchanan Computing’s management policies and procedures are driven by a communication channel accessible through the support team as first points of user contact.
The escalation process is tiered from first line to second line support, then to the development team as third line of support.
Handling parameters:
• First and second line support: user errors, assistance with following routines to manage or analyse information, report generation errors, data format errors.
• Third line support: issues relating to general software bugs that require developer attention.
• Support manager: service performance levels, system and application configuration, addition of modules and users, complaints about first, second and third line support staff.
• Director: addition of services, general commercial issues, compliance, policies and procedures, client director to director engagement.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Training is provided to users at the commencement of the contract. Various training courses are delivered depending on the level of user, ranging from an entry-level course to an advanced user course and an administration-level course. Training can be delivered either a) at the Buchanan Computing office in Hammersmith, London, b) onsite at client offices or c) remotely. Hard copy training manuals and exercises are provided to delegates that attend a training course. User guides / help files are provided and are accessible by users through the file menu.
- Service documentation
- Yes
- Documentation formats
- Other
- Other documentation formats
- CHM
- End-of-contract data extraction
- At the end of the contract, and at any time during the contract, designated users are able to export data in standard formats such as MapInfo Tab, MapInfo MID/MIF and ESRI Shp files. These exports can be saved to local networks or to specified FTP or SFTP sites. They can then be imported by other systems for use elsewhere.
- End-of-contract process
- One month prior to the end of the contract, users will be notified that the contract will be coming to an end. Designated users will be advised to carry out an export and copy all data that has been generated during the contract to local networks or an FTP/SFTP site. At the end of the contract date, all user logins will be deactivated. Other associated data such as base-mapping and address gazetteers will be provided back to the client in the standard/native format. There are no additional costs for supplying the data to the client at the end of the contract in the above-mentioned standard formats. Costs may apply if the client requires data to be provided in other formats.
Using the service
- Web browser interface
- Yes
- Using the web interface
- The web interface for accessing the back office service is used to control user access only. Once access has been granted, the Citrix ICA protocol is used over the secure link between the end user and the back office service. The web interface provided for sharing information with the public is used primarily to view data and to send comments, such as objections as part of public consultations, or to report a fault.
- Web interface accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web interface accessibility testing
- Limited testing has been carried out on how our web interface operates within different standard browsers and different operating systems, in particular Chrome, Firefox, Safari, Edge in conjunction with Windows 10, Android Lollipop and up, and iOS 9 and up.
- API
- Yes
- What users can and can't do using the API
- Users can select key data sets for publication to the web service, from which they can be accessed via an open RESTful API.
- API automation tools
- Ansible
- OpenStack
- Terraform
- API documentation
- Yes
- API documentation formats
- HTML
- Command line interface
- No
Scaling
- Scaling available
- No
- Independence of resources
- Performance of applications within the solution is monitored and regularly assessed. BC ensures an optimum level of service and performance for the authority and the other clients using this service. Assessment is carried out at an individual client level and at full service capacity level.
Central to hardware and software monitoring is Nagios software. If an issue is identified, the support staff will take steps to rectify it before it reaches critical levels. Additionally, a number of other monitoring tools are used: XenCentre and Dell.
- Usage notifications
- Yes
- Usage reporting
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
- Disk
- Memory
- Number of active instances
- Reporting types
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
- Database
- GIS files, ESRI shp, MapInfo Tab
- Backup controls
- Buchanan Computing backs up data on the hosted services with daily incremental and weekly full backups. There are three tiers of backup, with the second tier being an offsite backup and the third being another backup of the second, offsite backup.
All data is backed up as above.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- Availability is measured as a percentage of the total time in a service period: Service Availability % = ((MP - SD) * 100) / MP, where MP = total number of minutes (derived from Service Core Hours), excluding permitted maintenance, within the relevant service period; and SD = total number of minutes of Service Downtime, excluding permitted maintenance, in the relevant service period. 4 days of planned maintenance are allowed per year. Service core hours for the Citrix solution are 08:00 to 18:00, Monday to Friday, excluding bank holidays. Availability levels will be determined separately for Citrix systems; they will be by calendar months, based upon all accountable downtime (excluding planned maintenance periods). If the levels of availability during the Service Core Hours (e.g. 08:00 to 18:00 for the hosted service, and 09:00 to 17:30 for the Support Desk) for a calendar quarter are below 99%, then a Service Credit shall be payable for degraded service using the calculation below, where 1 (one) point equals 1% of the quarter’s contract value for the support and hosting services: > 99.00%: 0 points; 97.00% to 98.99%: 1 point; 96.00% to 96.99%: 2 points; < 96%: 3 points, then 1 further point for every other full hour of service unavailability.
- Approach to resilience
- The resilient design of the system is deemed confidential and is available upon request, as commercial-in-confidence. Generally, single points of potential failure have been overcome, with a high degree of dual failsafes such as power and comms, firewalls, switches and servers, allowing for at least two VMs to be provided for each client on different physical hosts. The support desk has backup communication routes in order to protect against any potential loss of its service.
- Outage reporting
- Service outages are reported to designated users of the service by a) email alerts, b) telephone call and, if required, c) on the company website.
Identity and authentication
- User authentication
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
- The online support portal is accessed by registered users. For simple support questions through telephone support, the caller needs to provide a name and this is checked against a named user list.
For support requests that are deemed more sensitive, the request must be sent by email and from a client originating email domain.
- Access restriction testing frequency
- At least once a year
- Management access authentication
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
- Devices users manage the service through
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- NQA Certification Limited
- ISO/IEC 27001 accreditation date
- 25/04/2022
- What the ISO/IEC 27001 doesn’t cover
- End user IT infrastructure
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- ISO27001
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- An information security policy is in place, and is available for inspection upon request. It details: information provision; use, disclosure and publication; data protection; confidentiality; retention, review and deletion. Security: baseline security for data processing personnel; information security organisation; assets classification and control; personnel security; physical and environmental security; system access controls; business continuity planning. The governance structure relating to information security within BC has been implemented and is in place. Information security is governed through a company hierarchy (Managing Director, ICT and Support Manager, Hosting Manager). It is the responsibility of the ICT and Support Manager to draft these policies and manage their deployment. They are reviewed by relevant directors and managers. All staff are responsible for being aware of the policy and working within its guidelines.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Change control procedures are in place regarding changes to the service, which is a managed process for carrying out software updates and security patches: • Application software: planned updates agreed with the customer. • Operating system patches: regularly / automatically downloaded, then reviewed, prioritised and, if appropriate, installed. • Quarterly maintenance schedule: issued annually and agreed with the client. Internal software changes are carried out in-house, with version control and audit trail. Changes are tracked to source code. Hardware configuration is held in-house and updated when required. Software changes and updates are tested in-house prior to ‘going live’.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- The managed and considered process for carrying out software updates and security patches: • Software: planned updates, as agreed with the customer. • Operating system patches: regularly / automatically downloaded, then reviewed, prioritised and, if appropriate, installed. Scheduled tasks are set at regular intervals to assess the latest available security updates. These include Microsoft 'Patch Tuesday' releases, Cisco security updates, Dell firmware updates and the latest hotfixes from the Citrix site. Depending on the nature of the updates available, these are scheduled and prioritised accordingly.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Protection from untrusted networks by standard boundary controls consistent with a perimeter network and intrusion detection systems, via DMZ-controlled access. All critical infrastructure is monitored using Nagios. Staff are alerted as incidents occur, and during the working week round-the-clock coverage is available so that incidents can be addressed immediately. Controls protect against malware and viruses. Kaspersky Endpoint Security for Windows is installed on every server, configured to monitor and scan for viruses, worms, Trojans, malicious tools, malware and auto-diallers. Virus definition files are updated every 2 hours. Suspicious/infected files are quarantined and reports are available detailing instances of detection, attack etc.
- Incident management type
- Supplier-defined controls
- Incident management approach
- There are pre-defined and documented processes to deal with common incidents and these include client notification and escalation stages. Users report incidents by contacting the first line support team either by email or telephone. Alternative contact details (mobile number) are made available in the unlikely event of a complete email service or telephone exchange failure. Incident reports are provided as part of quarterly reports, available upon request.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- Hyper-V
- How shared infrastructure is kept separate
- Each authority runs sessions from private dedicated servers. Typically this will be a Citrix Virtual App private site comprising two load-balanced application servers.
In addition, the authority’s data is held on its own dedicated virtual hard disk. Stringent group policies are set up to ensure that a compromised user does not have the ability to elevate privileges and compromise other users.
Access to the system is through secure usernames and passwords. Only users assigned to the authority’s solution can log in and will only have access to the authority’s application and associated file store.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
- Our datacentre 4D follows the EU code of conduct with specific focus on efficient cooling equipment design & selection: traditional mechanical cooling is eschewed. ASHRAE guidelines are adopted for a more efficient range of supply air temperatures.
LED lights and PIR control are used to reduce energy consumed for lighting. Modular UPS systems are installed and can be expanded one unit at a time. A BMS monitors power usage, temperatures and plant status.
Lean provisioning of power and cooling is achieved by modularly rolling out capacity to meet projected demand. This allows 4D to keep power and cooling systems working within efficient operating bands. Grid mains power is provided from 100% renewable sources.
A robust PPM schedule ensures M&E assets are regularly maintained to manufacturer standards by appropriately trained engineers. Stakeholders meet regularly to discuss and peer review any planned changes to be undertaken within the datacentre.
Similarly, our datacentre Sovereign complies with many aspects of the EU Code of Conduct on Data Centre Energy Efficiency (expected & optional) as a Colocation Provider: these include cold-aisle containment, electricity consumption monitored on a daily basis, and energy provided from sustainable sources and 100% renewable when possible.
Social Value
- Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Buchanan Computing takes responsibility for its actions and endeavours to achieve a positive impact through its activities on the environment, customers, employees, and the public, including future generations.
We provide professional services, whose main direct impact on the environment is limited to office work, printing and the cloud services we provide. Through our environmental policy and purchasing policy, we aim to reduce our impact on the environment, including a reduction in our carbon emissions. The power used for our office and cloud services all comes from 100% renewable green energy. In addition, zero percent of the waste produced within our office building ends up in landfill. We actively recycle and repurpose redundant equipment, such as IT equipment.
Buchanan Computing’s purpose is to build applications and services that have a positive impact on the natural and social environment, and help local authorities achieve their environmental and social value goals, including:
• Directly, by reducing road collisions, providing clear navigation aids and optimal designs for the most efficient safer use of the road space.
• Indirectly, by bringing a set of benefits to residents and local businesses, such as reducing congestion, making safer streets, and lowering emissions
We have championed the use of API services in order to reduce the need for unnecessary data replication. We estimate that data is commonly replicated over 100 times. If, by using APIs and web services, the power required for holding these replicated versions was removed, it would make a significant reduction in the country’s power consumption requirements, and help the UK achieve its NetZero goal.
Covid-19 recovery
Numerous measures have been taken to enable the Company to operate fully as well as to support staff and clients during the Covid-19 pandemic and the ongoing recovery. These include operational changes to enable hybrid working (home and office), replacement of staff desktop computers with laptops (which are recycled), installation of software and hardware to support secure and functional remote working, and installation of a dedicated meeting booth in the office. The pandemic is continually monitored and further actions will be taken if necessary.
Tackling economic inequality
As part of our Social Values policy we are committed to helping our customers reach their Social Values goals, by contributing towards local issues by improving economic, social and environmental well-being within their local area.
Equal opportunity
Buchanan Computing is an equal opportunities employer. The first aim of our policy is to ensure that no job applicant or employee receives less favourable treatment on the ground of race, colour, nationality, ethnic or national origins, religious beliefs, sex, marital status, and sexual orientation, or is disadvantaged by conditions or requirements which are not essential to the performance of the job. There will be no discrimination against persons with disabilities who have the necessary attributes for a post.
The second aim is to ensure that we have a diverse workforce that reflects the make-up of its catchment area, and to offer employment opportunities and work experience to local people whenever possible.
To ensure that such direct or indirect discrimination is not occurring, recruitment and other employment decisions will be regularly monitored to ensure that they are not adversely and unjustifiably affecting the opportunities of persons from any of these groups. Selection criteria and procedures will be frequently reviewed to ensure that individuals are selected, promoted and treated solely on the basis of their relevant merits and abilities.
Wellbeing
Buchanan Computing is committed to a holistic approach to the wellbeing of all employees, including physical and mental wellbeing. Examples of our current approaches include:
• Everyone has a clear growth framework and we support our employees with the appropriate learning and development plan to achieve their goals
• We operate an honest, flexible working model so that employees do not have to sacrifice on their personal commitments
• Generous annual leave provision to ensure appropriate R&R
• Access to Occupational Health Services when needed.
• Access to lifestyle breaks of up to 6 months
The Company’s Policy is to provide and maintain safe and healthy working conditions, equipment and systems of work for all its employees, and to provide such information, training and supervision as they need for this purpose. The Company also accepts its responsibility for the health and safety of other people insofar as they are affected by the Company’s activities.
Health and safety matters in the Company’s office are regulated under the Health and Safety at Work Act 1974, the Workplace (Health Safety and Welfare) Regulations 1992, the Electricity at Work Regulations 1989, the Display Screen Equipment Regulations 1992 and other rules and regulations. The Company’s procedures and organisation for Health and Safety are designed to fulfil these requirements and more generally to ensure safe and healthy working conditions in the Company’s offices.
Health and safety requirements and procedures also apply to site and survey work and to staff located in the offices of clients or other organisations from time to time. The specific requirements and procedures will vary according to the circumstances but in every case, they will conform to Government guidance, standards and/or best practice.
Pricing
- Price
- £20.00 to £1,250.00 a user a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- A demonstration site that can be made available to interested clients for the purposes of trialling most elements of the service. It includes sample data with pre-configured restrictions, dummy legal documents and print templates. Typically limited to one week and up to 3 concurrent evaluators.
- Link to free trial
- Available upon request