GRAVITEE TOPCO LIMITED

Gravitee API Management

Gravitee API Management (APIM) is a flexible, lightweight, and highly-performant event-native API management platform that accelerates and streamlines the governance and security of both synchronous (HTTP, REST, SOAP, gRPC, GraphQL, WebSockets, Webhooks, Server-Sent Events) and asynchronous APIs (Kafka, Confluent, Solace, MQTT, RabbitMQ), including both HTTP and TCP Proxy capabilities.

Features

• API Designer for API contract, adopting "Design-First" approach
• Protocol Mediation between backend services (REST/SOAP, gRPC, Kafka, MQTT, etc)
• API Developer Portal for discovery, subscription and consumption of APIs
• API Debug allows deep API analysis capturing bugs and bottlenecks
• Analytics dashboards provide performance and monitoring visibility into your APIs
• Log inspection for end-to-end API traffic tracing
• Identity&AccessManagement to secure APIs using OpenID Connect/OAuth2/etc
• Service Management Ecosystem connects APIs to anything
• Support for both OpenAPI & AsyncAPI specifications
• Flow Designer allows securing APIs using drag&drop (rather than code)

Benefits

• Easy to use API Management. Deploy an API in seconds
• Achieve cross-functional collaboration with Visual Designer
• Run anywhere, on Gravitee SaaS, on-premise or private cloud
• Open-source heritage (avoid vendor lock-in)
• Low Total Cost of Ownership
• Reduce MTTI and MTTR with end-to-end log tracing
• Advanced security with FAPI Certified solution
• No-code, low-code approach to API management
• Build future-proof APIs with support for streaming (AsyncAPI)
• Premium Support with dedicated Slack/Teams channel

£0 to £199,999.99 an instance a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.dyson@graviteesource.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

806161262203674

Contact

Charlie Dyson
+44 7950609103
charlie.dyson@graviteesource.com

Service scope

• Service constraints: None.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Depending on the selected level of support:; Response times (times and days); ; - GOLD: ; 8hrs/day, 5 days/week during Business Hours 9am-5pm, Paris time; Time taken to log a P1 call or ticket; 2 hrs; Time taken to log other priority calls or tickets ; 4 hrs; ; - PLATINUM: ; 24hrs/day, 7 days/week; Time taken to log a P1 call or ticket; 1 hr; Time taken to log other priority calls or tickets ; 2 hrs
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Gravitee prov ides three different levels of support.; ; - COMMUNITY EDITION:; Supported provided by the open source community on API Management and Access Management. This is free of charge.; ; - STARTER EDITION:; Includes Customer Success program and provides:; - Office Hours Support; - Three Cockpit Environments; - Two Enterprise Plugins; - Initial Enablement & Training; - Ability to add Alert Engine & API Designer.; ; - ENTERPRISE EDITION:; Includes Customer Success program and provides:; - 24/7 Support; - Dedicated Slack Channel; - All Advanced Modules; - All Enterprise Plugins; - 4 x Gateways, Production/ Non-Production.; ; - SUPPORT COST:; Support is included in the price for Starter and Enterprise Editions
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Gravitee will provide onsite as well as online training (depending on what is required by customers) whenever required. In addition to the training, a Customer Success Manager will be assigned, becoming the main point of contact for any question that might arise. In addition, the Customer Success Manager will ensure organizations are getting the most value out of Gravitee by providing guidelines and best practices on how to use the product.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Gravitee includes an underlying Management API (REST) that enables customers to export any data and configurations. ; This allows any of our Customers to extract all APIs from an instance of Gravitee API Management (using industry-standard JSON schema).
• End-of-contract process: The Gravitee Subscription Agreement outlines standard terms and conditions for expiry and termination of software components licensed as part of Starter and Enterprise Edition. ; Clients would of course be free to continue to use Open Source Software (OSS).; ; Client can export any data and configurations from the platform. After the End of Contract any data will be safely erased from Gravitee platform.

Using the service

• Web browser interface: Yes
• Using the web interface: Gravitee provides an easy-to-use web-based user interface to configure, manage, monitor and deploy APIs. ; ; The web interface can run on any major web browser and does not require special skills, providing an intuitive user experience to achieve an API owner's goal.; ; Your internal users and external consumers can also benefit from Gravitee's API Developer Portal to discover and consume APIs and also to monitor the performance of their application, raise issues with an API owner and specify a plan to protect their APIs.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Not applicable.
• Web interface accessibility testing: Not applicable.
• API: Yes
• What users can and can't do using the API: Any action performed within the UI can also be performed via the underlying Management API (REST). The management API (mAPI) enables you to integrate with 3rd-party solutions and to automate the entire API lifecycle (from importing an API definition, applying policies, securing your API, and publishing it to Gravitee's API Portal).; ; A service account can be created to authorize the API calls so that CI/CD pipeline can automate the process of managing APIs.
• API automation tools:
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
• Other API automation tools:
  • Jenkins
  • Gitlab
  • GitHub Actions
  • CircleCI
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Gravitee supports true multi-tenancy and can also support individual instances. All instances have guardrails configured to never inhibit performance of other instances.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • Other
• Other usage reporting: Users can be notified within the Notifications section of the Management Console (web-based).

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • API response time
  • API requests per client
  • Geolocation
  • API calls by browser
  • API calls by operating system
  • Request payload size
  • Application Identity associated with API request
  • API status code
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Configuration
  • Logs
• Backup controls: Configurations and Logs are automatically scheduled and initiated manually as per a client request.; Additionally, clients can configure log details be forwarded to another 3rd-party service (such as a file location, Elasticsearch, New Relic, or Datadog, etc).
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Gravitee SLA 99.95%
• Approach to resilience: Gravitee SaaS platform is implemented in a high-available configuration distributed through three different datacenters in the region/country of deployment.; All systems are deployed as code, as this shortens the recovery time from hours to minutes in case we have to rebuild the full or just part of our infrastructure. Configuration and client data is also stored and backed in a multi-array of databases.
• Outage reporting: Gravitee reports any scheduled outages in advance. Most updates do not cause any outages. Exceptional situations or incidents are immediately reported to our clients using the preferred method of communications for the client (i.e.: ticket, e-mail, phone call, sms, Slack/Teams).

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Defined by the client using a variety of methods to achieve role-based access control (RBAC) efficiently either by receiving it from the Identity Provider (IdP) of the client or by creating one in the Gravitee platform.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA/ UKAS
• ISO/IEC 27001 accreditation date: 08/01/2024
• What the ISO/IEC 27001 doesn’t cover: All business units and countries of operation by our ISO 27001 and ISO 27701 certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: August 2021 and updated January 2022
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: On-Prem deployments, Gravitee SAAS is fully covered by the CSTAR
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Financial API - Level 3
  • ISO 27701 (Extension to Data Privacy of ISO 27001)
  • SOC Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISO 27001, ISO 27701, and SOC Type 1 (working towards Type 2)
• Information security policies and processes: Gravite have in place a mature ISPIMS (Information and Data Privacy Management System) and our policies, processes and procedures were audited and certified in alignment with ISO 27001 and ISO 27701.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Operational/access changes, modifications to the Procedures, creation of new users and permissions.; Changes to internal /external systems components including SaaS.; Change that have an impact to the confidentiality, integrity, availability and accountability of systems or information within the scope of the ISPIMS.; Threat modelling and risk assessment is performed and documented.; A Data Protection Impact Analysis (DPIA) is done if the processing of data might result in a high risk to personal data being processed.; Information Security and Data Privacy risks are identified and mitigated; Management approval is needed for risks with High or Critical risk.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All vulnerabilities from any source are documented and addressed; Vulnerabilities fixing or updates will be done after risk triage; Vulnerabilities triaged shall be fixed/mitigated/updated within the following amount of days:; Critical - within 15 days; High and Medium within 28 days; For Gravitee Vulnerability Management we collect information from:; Penetration Testings, either lead by us or Clients; Vulnerability scans from tools such as SAST/DAST and others; Bug Bounty
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Gravitee implemented state of the art Extended Detection & Response (EDR) to end points and SaaS systems including a 24/7 Managed Detection and Response system that provides triage and alerts of indicators of compromise to the InfoSec team.; Average response times are within 30 minutes or less from the first alert.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Gravitee have policies and procedures for Incident Management aligned with NIST Cybersecurity for Critical Infrastructure and as part of the ISO 27001, ISO 27701, and SOC Type 2 certifications.; This includes not only Information Security but also Data Privacy incidents.; Users report directly incidents by e-mail, slack or call to the InfoSec team.; Reports of the incident are done using tickets, email or other means.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Gravitee uses Microsoft Azure to host Gravitee SaaS products.; Azure sustainability document available here: ; https://azure.microsoft.com/en-gb/global-infrastructure/sustainability/

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  At Gravitee, no employee or applicant, client, colleague or supplier, will be treated less favorably on the grounds of their sex, marital status, race, color, nationality or ethnic or national origin, disability, gender, sexual orientation, gender identity, age, pregnancy or maternity, marital or civil partner status, or religion or belief.; ; Our aim is to ensure that everyone who works here has an equal opportunity to develop a successful career, where everyone is treated with respect and dignity and decisions in the workplace are made free from the effects of bias and prejudice.

Pricing

• Price: £0 to £199,999.99 an instance a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Gravitee is an open-source platform and the core components can be installed free of charge for an unlimited time. The core components included are the API Management Gateways, console and portal and the Access Management Gateway and Console.
• Link to free trial: https://www.gravitee.io/downloads?hsLang=en

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charlie.dyson@graviteesource.com. Tell them what format you need. It will help if you say what assistive technology you use.