Torchbox Ltd

Python/Django Hosting and Application Support

We provide scalable, performant and resilient cloud hosting for Python/Django-based applications, and a robust application support service with fixed response times, proactive maintenance, patching and security updates, and application availability monitoring to enable optimised and high-performing websites, services and products.

Features

  • Managed cloud hosting optimised for Python/Django-based applications
  • Infrastructure architected by expert technologists active in the Python/Django community
  • Robust application support for critical issues
  • Fully managed security upgrades
  • Clear onboarding process
  • Carbon emissions reporting

Benefits

  • Ensure the best-fit solution for your technical setup and team
  • Benefit from our expertise in technology built over 20 years
  • Robust SLAs for issue resolution to minimise downtime
  • Keep up-to-date with the latest Python and Django releases
  • Streamline initial setup and migration to the new hosting solution
  • Ensure low carbon footprint to reduce impact on the environment

Pricing

£1,955 to £2,605 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at business@torchbox.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

780052264537990

Contact

Torchbox Ltd Paul Vetch
Telephone: 07976297092
Email: business@torchbox.com

Service scope

Service constraints
Only services created by Torchbox are applicable.
System requirements
Modern web browser to access the hosted service

User support

Email or online ticketing support
Email or online ticketing
Support response times
Tickets are not monitored during weekends.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
No
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
https://slack.com/intl/en-gb/accessibility
Onsite support
No
Support levels
Only a single support level is provided, with access to the full suite of our support service. Incident or issue response times vary depending on the nature of the request.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We'll start with an onboarding phase to:
  • Review your current architecture (we will need access to your account, code repository, current database and site files for reviewing the existing application and any supporting documentation for the application).
  • Upgrade to the latest version of Wagtail and any dependencies which need updating for compatibility.
  • Ensure we have a local development environment for the project in line with our standard (docker-compose based) setup.
  • Migrate hosting to our standard setup.
  • Agree a deployment run book with you - this will include agreeing a rhythm for planned deployments to ensure we can provide prompt assistance should any support be required.
Service documentation
No
End-of-contract data extraction
User uploaded files and database backups are uploaded to an Amazon S3 bucket for buyer retrieval. Once the buyer has downloaded this data, it is deleted. Once the contract expires, all stored data is deleted.
End-of-contract process
Should you wish to move to a different supplier, we will work closely with you to ensure a smooth transition and handover.

Using the service

Web browser interface
Yes
Using the web interface
Buyers can make deployments to any of their environments, make configuration changes, restart applications and manage scaling. Access to the web interfaces is not provided by default. Administrator access to the Wagtail admin is always provided.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
https://blog.heroku.com/equality-through-accessibility
Web interface accessibility testing
https://blog.heroku.com/equality-through-accessibility
API
Yes
What users can and can't do using the API
https://devcenter.heroku.com/categories/platform-api Access to the API is not provided by default.
API automation tools
Terraform
API documentation
Yes
API documentation formats
  • HTML
  • Other
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface
Buyers can make deployments to any of their environments, make configuration changes, restart applications and manage scaling. Access to the command line interface is not provided by default.

Scaling

Scaling available
No
Independence of resources
We use a CDN to ensure as much of the site as possible is served from a cache. We can also scale the service during periods of increased demand.
Usage notifications
Yes
Usage reporting
  • Email
  • Other
Other usage reporting
TBC on individual basis

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • HTTP request and response status
  • Memory
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
Never
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Database
  • Uploaded files
  • Codebase
Backup controls
Backups are automatically performed daily. Exact times vary depending on what is being backed up. Exact details are available on request.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We provide a three-tier SLA for application support: Critical (Category 1): 1 hour. High (Category 2): 2 hours. Medium / Low (Category 3): No fixed SLA.
Approach to resilience
Infrastructure resilience is managed by a third-party. The exact configuration is available on request.
Outage reporting
Buyers are contacted in the event of an incident, and kept up-to-date until normal service resumes.

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Users only have access to the specific services or roles that they need to complete their tasks.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
QMS International
ISO/IEC 27001 accreditation date
18/10/2021
What the ISO/IEC 27001 doesn’t cover
There are no exclusions from the Statement of Applicability
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Policies follow Torchbox's information security management system compliant with ISO 27001:2013. Details available upon request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All configuration changes are logged, and all code changes happen in a version-control system. All application code changes are reviewed by another member of the development team.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor the relevant security announcement channels for the core services and dependencies we rely on. We assess the severity of each release as it's made available to determine how quickly the update needs to be released.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Within support hours, we will respond to incidents within 1 or 2 hours, depending on their severity. Usually this will happen much sooner.
Incident management type
Supplier-defined controls
Incident management approach
Buyers can raise incidents themselves, which are picked up by our support team during support hours. Response times will vary based on the severity of the incident. We have automatic availability monitoring to be notified of issues before the buyer. Incident reports are sent to the buyer within 5 days.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
Heroku
How shared infrastructure is kept separate
Docker containers are used to separate the running applications. Each container runs on a shared host, and may be moved at any time to free up resources. Each container is inaccessible to anything other than the platform itself.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
https://aws.amazon.com/about-aws/sustainability/

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

As a BCorp we have to adhere to stringent rules and regulations that align our activities to benefit all people, communities and the environment. This way of thinking is baked into our approach, practices and general ways of working. In 2019 we became the first UK agency to transition ownership in full to its employees, and we base our decisions on what is best for our people, society and the planet. Our Impact Report details the ways in which we approach work, and the impact it has. We have joined the UN’s Race to Zero via the SME Climate Commitment, making a commitment to halve greenhouse gas emissions by 2030 and achieving Net-Zero emissions by 2050. We are in the process of creating a NetZero strategy that we intend to get verified by the SBTi. We’re actively taking proactive steps to reduce our carbon footprint, by reducing carbon generating activities that form part of our operations as well as with work we carry out with clients. We’ve invested in creating our own Digital Emissions Methodologies to ensure we effectively measure the carbon emissions of the websites we host and support. Alongside these reduction strategies, we’ve also committed to compensating for 52 tonnes of carbon with Klimate.co carbon removal programmes, the details of which can be viewed here: Torchbox Climate Projects. We have a set of Voice Groups that many of our team members are part of. Each group carries out different activities that support or impact a set of themes we value. We currently have groups based around the environment, our local communities, as well as inclusion and diversity. Activities have included doing team beach cleans, building sleeping pods for homeless people, sponsored bike rides and volunteering.

Tackling economic inequality

We are committed to tackling economic inequality by creating new employment opportunities and focusing on professional development for the whole team. We have recently launched the Torchbox Academy providing the opportunity for junior/entry-level people to join the team who might not usually have the opportunity to apply and with no specific qualifications required. We’re currently recruiting junior Python developers and digital marketing executives who will contribute to live client projects with expert advice and guidance from our experienced mentors, leading to a full-time role at Torchbox: https://torchbox.com/blog/join-the-torchbox-academy/ Our developers contribute to Coders of Colour, Google Summer of Code, and Django Girls (which we also sponsor) to help underrepresented groups pursue a career in tech, which has led to some recent hires to our team. We also partnered with a Bristol-based social enterprise that supports under-represented young people in Bristol to find new career opportunities. We gave on-the-job training and have since taken an intern on as a permanent member of the team: https://torchbox.com/blog/jennys-experience-as-an-intern-at-torchbox/ Every team member has a professional development plan (PDP), which they develop with their manager. This plan helps to give clarity on the direction they're heading, work towards long and short-term career goals, provide a better understanding of areas to focus on improving, and plan potential development and training opportunities. This is supported by a training and conference budget, to help accelerate development. To increase supply chain resilience and capacity, in 2020/21, we successfully reviewed our supply chain management policies to ensure that our suppliers trade ethically, and manage their cyber security risk so we can comply with ISO 27001.
We are constantly reviewing our supply chain and moving to the most environmentally efficient suppliers where possible in order for us to achieve our goals of hitting net zero.

Equal opportunity

Our diversity and inclusion voice group works alongside HR and our SMT to drive our diversity and inclusion mission. We want to learn, educate and make positive changes, which result in a diverse and inclusive environment for employees, clients and people in the tech industry. We monitor the make-up of the workforce regarding information such as age, sex, ethnic background, sexual orientation, religion or belief, and disability, encouraging equality, diversity and inclusion.

To reduce the disability employment gap, we have:

  • Delivered training to the team on topics ranging from neurodiversity to understanding gender identity and pronouns.
  • Reviewed our processes - starting with recruitment - to identify ways to embed diversity and inclusion, for example trialling a ‘no CV’ hiring process.
  • Created wellbeing rooms at our offices that people can use for things such as prayer, breastfeeding, or some quiet time out.

To tackle workforce inequality we have:

  • Adopted a transparent approach to pay and published pay bands for all roles at Torchbox.
  • Published our diversity commitment on every job posting, welcoming applications from underrepresented groups and making it easy to access support in the application process for individuals who might need it.
  • Published our Anti-Discrimination Policy on our staff directory.
  • Published our modern slavery statement: https://torchbox.com/anti-slavery-and-human-trafficking-policy/

Wellbeing

Employee wellbeing has always been a priority but the Covid-19 pandemic has given even greater consideration for ways to boost wellbeing at Torchbox. We have a Wellbeing Voice Group that works on behalf of the whole Torchbox team, listens to their needs, wants and ideas, and advocates for improvements. We have:

  • Encouraged and paid for multiple staff members to undertake external mental health first aider training.
  • Arranged free access to Headspace for anyone at Torchbox that would like to use it, as well as sharing the benefits of the app and how to use it.
  • Provided SAD lamps to employees who requested them.
  • Given comprehensive guidance and support on things such as tips for working from home.
  • Set up daily gentle reminders on our staff messaging platform to encourage everyone to log off and wind down at 6pm.
  • Organised virtual meditation and yoga workshops for everyone to take part in.
  • Worked with the Diversity and Inclusion group to set up wellbeing rooms in both offices.
  • Encouraged staff to create and share a “working with me” manual to share communication preferences, strengths, and weaknesses with colleagues so that we can work better together and in a way that recognises individual need.
  • Supported the recent Mental Health Awareness week campaign with a week of structured sharing of resources and tips.

Pricing

Price
£1,955 to £2,605 a unit
Discount for educational organisations
No
Free trial available
No
