OSG CLOUD LIMITED

Disaster Recovery as a Service (DRaaS)

Disaster Recovery as a Service (DRaaS) of your environments to a highly secure, off-site cloud back environment, with multiple copies, including 30 days immutability.

Designed to achieve 3-2-1-1-0 best practice for data backup adn recovery.

Ideally suited for customers focused on GDPR, governance, and risk reduction

Features

• Back-up Hypervisor, Virtual Machine or Bare Metal
• Veeam Cloud Connect
• Restore directly to Cloud Virtual Machines on your domain
• UK based datacentres
• Fully encrypted at source, transit and in-rest
• Multiple back-up and restore locations
• Enterprise SLAs for a Private Cloud environment
• Enterprise level security
• Compliant & audited
• Fully managed and security services available

Benefits

• Designed to fit your data loss prevention and availability requirements
• Simplifies Business Continuity and service assurance
• Monitored and verified for complete assurance
• Storage agnostic removing comparability concerns
• Setup and operational in minutes through the Veeam Management Console
• Enterprise level analytics to accurately forecast future backup storage needs
• Simple pricing calculator ensures you know exactly what your paying
• Full cloud-stack available in addition as fully-integrated suite of service
• Reduced financial risk enabled by predictable cost model

£0 to £10,000 a unit a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at brian.mccrory@osgcloud.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

772490045554231

Contact

Brian McCrory
02894485112
brian.mccrory@osgcloud.co.uk

Service scope

• Service constraints: Services delivered exclusively from UK data centre locations
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support tickets are responded to in line with agreed SLA based on priority, impact or escalation; and can be bespoke to each customers.; ; As an example, standard response times are based on:; ; P1 - 15 Minutes; P2 - 1 Hour; P3 - 4 Hours; P4 - 8 Hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support levels are dependant on the priority / severity of the support and aligned to service level agreement (SLA); ; Depending on the complexity of the infrastructure we can provide specific support roles such as cloud and solutions architects, systems engineers and technical account managers,
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide initial configuration assistance and an optional seeding service (for large data sets or slow connectivity links), along with assisting with any issues with initial replication job configuration.; ; You will have access to support documentation, unlimited telephone/email support for the initial set up.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data is securely encrypted and is controlled from the Veeam console within your full control. Customers can restore their data up until the point of the contract ends.
• End-of-contract process: Data is held encrypted for the remaining period of the contact, up until the renewal date. At the end of the contract, the customer may decide to renew/change/cease the Veeam service. To renew the service no changes will need to be made. If changes are required then this can quickly be achieved by contacting your account manager with your requirements. To cancel the service, all data will be removed and the repository will be deleted.

Using the service

• Web browser interface: Yes
• Using the web interface: VMware vCloud Director (vCD) is the web interface presented to customers.; ; This extremely user friendly and intuitive interface enables clients to scale environments up and down, provision firewall rules, manage virtual load balancers, copy entire environments for migration or replication, set up NAT, provision site-to-site or client-to-site VPNs, do SSL offloading, mount CD ROM drives, reboot, and much more.
• Web interface accessibility standard: WCAG 2.1 A
• Web interface accessibility testing: The vCloud Director interface has undergone accessibility testing - please see: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/product/vpat/vmware-vcloud-director-9.0-for-service-providers-vpat.pdf
• API: Yes
• What users can and can't do using the API: Extensive APIs are exposed through vCloud Director to facilitate automation and provide extensive customer interaction with the platform.; ; To begin using the API, clients request the system to create a session object. In this request, clients supply credentials in an authorisation header of the form prescribed by the identity provider that your organisation uses. The response includes an authorisation token, which must be included in subsequent requests.; ; Once access is enabled, the vCloud API Schema Reference includes reference material for all elements, types, operations, and queries in the vCloud API.
• API automation tools:
  • Ansible
  • Chef
  • Terraform
  • Puppet
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Logical resource segregation and resource allocation to each customer environment. Auto-scaling can be applied to a predefined upper agreed limit to allow a customer to grown without any disruption to their service
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Disk
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Hypervisor, VMware, HyperV, Xen
  • Virtual Machine Instances
  • Applications
  • Files
  • Databases
  • Operating Systems
  • Office 365 email
• Backup controls: Customer has a dedicated UI within the Veeam console to easily manage backup routines, set retention policies, invoke restoration, set data sets etc.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: OSG provides a minimum of 99.999% Availability for infrastructure resources and individual VMs under service level agreement (SLA). Punitive measure are in place that provide for a service credit regime for any failure to meet SLA.
• Approach to resilience: We operate a minimum N+1 configuration across our entire service delivery stack to ensure zero points of failure, with enough redundancy and capacity built in to absorb and tolerate hardware and service delivery chain failures.
• Outage reporting: OSG report outages by sending automatic email alerts to the customer. Following any outage a full root cause analysis is performed and comprehensive report of findings and remedial actions taken, including and future improvements, is delivered to the customer.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces implement role-based access controls and require members to authenticate against the corporate identity provider. Access is managed through the management gateway which restricts access based on originating IP address and SSL usage. Additional security and authentication mechanisms including the use of time-based credentials are used to secure and monitor access.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: SGS United Kingdom Ltd
• ISO/IEC 27001 accreditation date: 16/04/2021
• What the ISO/IEC 27001 doesn’t cover: All parts of our service are within the scope of our ISMS.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: There are a number of policies and processes that apply across OSG internal and customer infrastructures; policies are critical for providing assurance to customers, regulators and auditors. OSG takes seriously the confidentiality, integrity and availability of data placed in its care. There are also a number of guidelines that OSG follow while working with confidential and/or personal data. The policies include, but not limited to, Access Control Policy, Application Control Policy, Antivirus Policy, Asset Management Policy, Data Centre Design Policy, Conditions of use of IT facilities at CenturyLink, Confidential Information Transfer Policy, Electronic Messaging Policy, IT User Accounts Policy, Laptop Encryption Policy, Network Connection Policy, Password Policy, Patch Management Policy, PCI DSS Compliance Policy, Information Security Policy, Remote Access Policy, etc.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Formal change control process in place and aligned to ISO 27001.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Risk Management Policy which is aligned to ISO27001 Information Security Risk Management. This ensures risks are identified, evaluated and treated appropriately in an ongoing basis.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: The Service Desk is the single point of contact for requests and incidents and also provides constant proactive monitoring, vendor management and communication of incidents within a client’s environment.; The Service Desk is staffed with Incident Specialists who are responsible for monitoring and responding events. They have management control over customer infrastructure and adhere to a strict functional escalation methodology to enable rapid fault isolation and restoration of customer services. Incident Specialists communicate directly with the customer during incident troubleshooting and resolution or change execution.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: OSG will provide customer support 24 x 7. When an Incident or Request occurs, COSG will use reasonable efforts to meet the Time to Respond Objectives we have in place.; Incidents are categorised as severity levels P1 (Urgent), P2 (High), and P3 (Medium). Requests are categorised as severity levels P1 (Urgent) or P4 (Low).; There are four ways for a customer to initiate a request:; Proactive monitoring, phone call, portal or e-mail.; ; Updates for P1 Incidents are sent every hour, P2 Incidents and P1 Requests are sent every four hours. P3 Incidents and P4 Requests are sent every 24 hours.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Veeam Cloud Connect customers are assigned separate user credentials to ensure segregation between the data and instances.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: OSG and its datacentre providers are committed to incorporating environmental sustainability principles and practices throughout our operations as we work to serve our customers and our communities.; We demonstrate this commitment by establishing long-term greenhouse gas (GHG) emissions reductions targets, purchasing renewable energy to power our network and facilities in EMEA, operating certain facilities according to ISO 14001 certified Environmental Management Systems and/or ISO 50001 certified Energy Management Systems, implementing waste minimization, re-use and recycling initiatives, and by effectively managing our environmental compliance obligations globally.; All the data centres managed under the ISO50001 EMS are also supported under the EU Code of Conduct

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  OSG continuously strive to minimise the impact of our operations on the environment, while maximising sustainable business practices to better serve our employees, customers, partners, shareholders and communities.

  Tackling economic inequality

  OSG support and strengthen our local communities by enabling employees to donate time and resources where they are most passionate, by investing in causes that have a positive social impact, and by providing skills to people around the world to help maximise their full potential. Through our giving back program, our employees have helped students realise more of their limitless potential with consistent, hands on mentoring in life skills and academic subjects.

  Equal opportunity

  We have a robust recruitment policy that drives equality from the top down. Our aim is to always recruit the person who is most suited to each role, whether the candidate is internal or external. We recruit solely on the basis of the candidate’s skills, capabilities and individual meri tas measured against the criteria for the role. Qualifications, experience, and skills may also be assessed at the level that is relevant to the job. We are committed to applying our equality, diversity and inclusion policy at all stages of the recruitment and selection process. We always carry out shortlisting, interviewing and selection without regard to an applicant's sex, gender identity, sexual orientation, marital or civil partnership status, skin colour, race, nationality, ethnic or national origins, religion or belief, age, pregnancy or maternity leave.

  Wellbeing

  We are committed to creating a compassionate workplace where all employees feel supported personally and professionally by challenging the stigma surrounding mental health, raising awareness, and offering education opportunities. We ensure that our team are supported, remain in communication with management and each other, and understand that they can speak openly to their managers about their health and wellbeing to encourage discussion about how we can help them. Our programme of activities is run by our internal mental health and wellbeing ambassadors to help promote positive mental health and embed it into the culture of the organisation.

Pricing

• Price: £0 to £10,000 a unit a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Full Org vDC provisioned with limited resource allocation for up to 1 month available upon request.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at brian.mccrory@osgcloud.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.