Intercity Technology Limited

Backup as a Service

Intercity’s Backup as a Service (BaaS) provides automated, offsite data backup and recovery solutions. Enjoy scalable, cost-efficient protection for critical data without managing infrastructure. Ensuring data integrity, compliance, and rapid recovery with secure, cloud-based backups. Ideal for businesses seeking reliable, hassle-free data protection.

Features

• Back up VM images and file stores to remote storage
• Delivered using Veeam Backup and Replication
• Self-service or managed service options
• Storage provided from our DCs in Birmingham and Bolton
• Dual DCs with multiple carrier connectivity
• Monitored 24 hours, 7 days a week
• ISO22301:Business Continuity Accredited
• Cyber Essential Plus Certified
• ISO27001:Information Security Management Accredited

Benefits

• Reliability and Redundancy - Availability and integrity of data
• Scalable - Able to grow as your data expands
• Market leading technology solutions
• Data centres designed to Tier 3 specification.
• Data stored under UK legislation.
• BaaS for backup by the next business day.
• In-house Project Management team - APMP qualified
• Optional 15 minute SLA
• Monitoring and Management, Secure customer portal to manage your backups
• Helpdesk, 24 hours, 7 days a week

£143.36 to £2,211.84 a terabyte a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@intercity.technology. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

826703283002977

Contact

Elise Sheridon
0330 332 7933
tenders@intercity.technology

Service scope

• Service constraints: Requires buyer to use Veeam Backup and Replication software.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support available 24x7x365 via our Network-Operations-Centre.; ; Emails have a 2hour response target. For high severity incidents escalation by telephone is advised to customers, Calls answered by a human in 30seconds (PCA30). Customer portal uses prioritisation system determining 'First-Response-SLA', 'Update-SLA' and 'Resolution-SLA' times targeted. ; ; P1 (highest priority/most severe/service down') has 30minute 'First-Response-SLA' target, hourly updates (Update-SLA) and a target resolution of 4hours for service restoration (Resolution-SLA). ; ; Ticket Priorities are graded 1 to 4 - (Ticket-Priority/First-Response-SLA/Resolution-SLA) ; ; P1/30Minute/4hour; P2/60Minute/8hour; P3/2Hour/24hour; P4/4Hour/48hour. ; ; We also provide a faster 15minute first response SLA for an uplift in cost. Portal can support 'manual' accessibility via web-coding interface
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: Support hours are 24x7x365. ; ; Support is included within the service and is provided by our 24x7x365 Network Operations Centre, providing end-to-end service support; ; * Engineering Tiers 1 and 2 are provided 24x7x365; * Engineering Tier 3 provided 7am - 7pm, Monday-Friday (Extended Business Hours); * Engineering Tier 4 (Operations Specialist) provided 9:00am - 5:30pm, Monday-Friday.; * Tiers 3 and 4 provide 'Out-of-Hours' support escalations via an on-call rota; ; Full vendor/manufacturer support is in place for platform/infrastructure issues to ensure service availability ; ; Support tickets are prioritised using the following scale: ; * P1 (critical) ; * P2 (major) ; * P3 (minor) ; * P4 (notable). ; ; Our SLA depends on the incident priority as follows: ; * P1 - 4 hours; * P2 - 8 hours ; * P3 - 24 hours ; * P4 - 48 hours. ; ; We do not provide a technical account manager or cloud support engineer.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide you with the credentials to configure your Veeam instance to use our storage as a repository.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The user removes us as a storage repository.
• End-of-contract process: The service includes the off-boarding of client data, client related documentation, and client connectivity.

Using the service

• Web browser interface: Yes
• Using the web interface: The users set up and manage the service using the Veeam Backup & Replication GUI.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: For BaaS, we send the customer our service provider DNS name, user name and password, which they enter into the Veeam GUI. The customer's Veeam adds the repository name and capacity as a target. The customer then references the repository name in a backup job, which they configure using a wizard.
• Web interface accessibility testing: None
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: Independence of resources, guaranteed performance levels, and scaling are based on defined criteria. ; ; The platform and infrastructure that deliver the service is fully monitored, managed and maintained by our UK-Based 24x7x365 Network Operations Centre (NOC), which is distributed across two sites giving true high availability and disaster recovery capability to the support function, using our own Service Management System. The NOC, which is also responsible for managing life-critical health and transport public safety systems, operates in accordance with ITIL best practice.; ; Any performance or service related issues are dealt with and remedied by these operational service assurance teams.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Availability
  • Incidents
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Back-up services are based on defined client criteria
  • Virtual Machines (VMs) physical servers and workstations
  • VM backups are stored as images
  • Physical machine backups are stored as file structures
• Backup controls: Back-up services are based on defined client criteria. Targeted items to be backed up and when they are scheduled is configurable and controlled by the client.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users contact the support team to schedule backups
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Clients can contract to different service and availability levels based upon their requirements.; ; As a general rule, target availability for the platform is 99.95% (including planned maintenance) over a rolling 12-month period. We achieve this by delivering service from a platform configured in active/standby mode, comprising nodes located in geographically-diverse data centres designed and built to Tier 3 specification. ; ; Each data centre has 99.98% availability, so the likelihood of total loss of both is remote.; ; Service levels include contracted availability with commercial penalties. ; ; The process to refund users is agreed with the client at contract outset.
• Approach to resilience: A combination of resilience is deployed across software, hardware and datacentre layers is employed. ; ; Target availability for the platform (software/hardware) is 99.95% (including planned maintenance) over a rolling 12-month period. We achieve this by delivering service from a platform configured in active/standby mode, comprising nodes located in geographically-diverse data centres designed and built to Tier 3 specification.; ; Tier 3 specification gives our customers N+1 redundancy as well as concurrent maintainability for all power and cooling components and distribution systems.; ; Each datacenter has a target availability of 99.982%, so the likelihood of total loss of both is remote.; ; Further detailed information on this can be found in the uploaded Service Description.
• Outage reporting: The service is monitored 24x7x365 and any outages are recorded and investigated. ; ; Our Service Assurance team monitors the production service 24x7x365 from our UK-based Intercity Secure Operations Centre (ISOC) using our own IT service management system. The ISOC, which is also responsible for managing life-critical health and transport public safety systems, operates in accordance with ITIL best practice.; ; Reactive incident reporting is available by phone at all times. We provide updates at a frequency to match incident severity. Incident priority is specified by agreement on a case-by-case basis between our first-line agent and the person who reports the Incident, based on its impact upon your organisation. ; ; We provide a Service Level Agreement (SLA) backed up by an escalation plan and service credits for any Priority 1 Incidents that breach their SLA. ; ; Any service outages (planned or otherwise) are proactively reported to affected users by email and/or telephone. A service management portal is utilised to record faults and service interruptions.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: Authentication is based on defined client criteria.; ; They will connect via a dedicated secure and encrypted VPN configured specifically to provide access to the services they have subscribed to. ; ; They will authenticate using dual factor authentication which requires a valid userID, plus a password and a time synchronised token. The token can be hardware or software based, and will be synchronised to their account providing a Time-Based One-Time password (TOTP) security to the account.; ; This ensures that only a valid, predefined user can access their service portfolio.
• Access restrictions in management interfaces and support channels: All management interfaces are isolated on dedicated equipment and accessible only from a secure operations centre. All support activity is also isolated to the operations centre.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR Limited
• ISO/IEC 27001 accreditation date: 29 September 2016
• What the ISO/IEC 27001 doesn’t cover: There are no exclusions to Intercity's ISO/IEC 27001 certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Intercity's Head of Governance and Assurance reports directly into the Board and is responsible for managing Intercity's fully integrated management system with includes ISMS, QMS, BCM, SMS and EMS. ; ; Intercity is committed to ensure the Confidentiality, Integrity and Availability of all systems and the data that resides within them. Core to the principles is compliance to ISO27001 which provides a sound basis for our security policies and managing risk to information assets. ; ; A schedule of both internal and external audits is in place along with a program of continual improvement to ensure policies are appropriate to the requirement and that policies, processes and work instructions are being followed. Key objectives and KPIs are tracked and monitored which are relevant to policy performance. ; ; Policies which make up our ISMS include:; ; Information Security Policy;; Information Security Employee Handbook;; Physical and Environmental Security Policy;; Information Security Incident Management Policy;; Data Protection Policy;; Access Control Policy;; Computer Disposal Policy and Controlled Waste;; Information Classification & Control Procedure;; Cryptography Policy;; Emergency Preparedness and Response Policy;; Virus Protection Policy;; Internet Usage Policy;; Mobile Computing & Teleworking Policy;; Company Asset Usage Policy;; Whistleblowing Policy.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Configuration and Change Management is in accordance with and ITIL process and are included with the scope of our ISO27001 - Information Security and ISO20000-1 - Service Management certification.; ; This embeds a security impact assessment across all potential changes to the design of a service to ensure customer data and assets are protected, and any changes that are approved by the Change Advisory Board, and implemented by our operational support teams do not introduce security risk or vulnerability into the service
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability Management and Patch Management Policy's are included within the scope of ISO27001 certification and ensure compliance.; ; We have automated notifications from key vendors (Check Point/Cisco/Juniper/Fortigate/VMWare) for security vulnerability alerts. ; ; Notifications are assessed by our 24x7x365 Secure Operations Centre (ISOC). If considered high risk are reviewed by an Operations Specialist. If the risk category is agreed then the risk will be addressed via an Emergency Change including communication to affected customers. Target SLA is 4 hours; ; If graded as a low risk, a normal maintenance window will be agreed and planned. These are flexibly scheduled around customer requirements.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Protective monitoring is in accordance with ISO27001 certification; ; Our Cloud Security product provides content-level inspection, bringing intelligence to detect, log and quarantine known and zero-day attacks, as well as providing traditional next-generation firewall protection (ports/protocols/IP addresses); ; The service is fully monitored, and managed by our UK-Based 24x7x365 Secure Operations Centre, (ISOC). The ISOC, which is also responsible for managing life-critical health and transport public safety systems, operates in accordance with ITIL best practice. ; ; All security incidents have a P1 priority which has a 30 minute response, and 4 hour target fix.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Incident management follows an ITIL Process and is included within our scope of ISO27001 & ISO2000:1 certification.; ; The incident management lifecycle is delivered using our own service management system. Our in-house developed monitoring system (ServiceAlert®) integrates into our middleware automation platform and our ticketing system to process and filter data to ensure accurate fault reporting and service health, and effective management of the service.; ; Customers receive status information at regular, predefined intervals based upon incident priority. If the customer takes a managed service from us, they receive automated monthly activity reports containing service performance data.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: Veeam
• How shared infrastructure is kept separate: The service delivery platform is a purpose built multi-tenant solution providing secure segregation of clients' data, between separate security zones and between separate clients. The infrastructure is segregated between Official and non-Official services. Both environments use Veeam software to maintain separation within the compute and storage layer, Virtual LANs and separate physical interfaces provide network segregation and connectivity between networks is provided by a cluster of EAL+ certified firewalls. The platform is accessible via private network connections, secure public services networks and the internet.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Intercity’s data centres are complaint to ISO27001 – Information Security, ISO14001 – Environmental Management as well as being aligned to IL3 specifications. Intercity has not yet signed up to the voluntary EU code of conduct for energy-efficiency and so is unable to confirm compliance however, Intercity does have an environmental management policy in place which includes an energy efficiency initiative and are looking into signing up to the adherence of the EU code of conduct for energy-efficiency.

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  We are committed to reducing our environmental impact and continually improving our environmental performance as an integral and fundamental part of our business strategy and operating methods. ; ; Our policy is to: ; ; • Support and comply with or exceed the requirements of current environmental legislation and codes of practice. ; • Minimise our waste and reuse or recycle as much of it as possible. ; • Minimise energy and water usage in our buildings, vehicles, and processes to conserve supplies, and minimise our consumption of natural resources, especially where they are non-renewable. ; • Apply the principles of continuous improvement in respect of air, water, noise, and light pollution from our premises and reduce any impacts from our operations on the environment and local community. ; • As far as possible purchase products and services that do the least damage to the environment and encourage others to do the same. ; • Assess the environmental impact of any new processes or products we intend to introduce in advance. ; ; We’re certified to ISO140001:2015 and a member of two Corporate Social Responsibility (CSR) initiatives - Global Compact and Eco Vadis.; ; • The EcoVadis sustainability assessment methodology evaluates how well a company has integrated the principles of Sustainability/CSR into their business and management system. ; • The methodology is built on international sustainability standards, including the Global Reporting Initiative, the United Nations Global Compact, and the ISO 26000, covering 200 spend categories and 160+ countries. ; • The Sustainability Scorecard illustrates performance across 21 indicators in four themes: Environment, Labour and Human Rights, Ethics, and Sustainable Procurement. ; • Intercity Technology’s current EcoVadis score for 2022 – 2023 is 81% (up from 68% in previous years). ; • We have been awarded by EcoVadis a platinum medal in recognition of our sustainability achievement for our score which is in the top 1%.

Pricing

• Price: £143.36 to £2,211.84 a terabyte a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@intercity.technology. Tell them what format you need. It will help if you say what assistive technology you use.