Health Cloud

Service scope

Service constraints: Our platforms are based on Veeam technology, and so can only accommodate Veeam supported OS types.
System requirements: Microsoft Licencing will be via SPLA

User support

Email or online ticketing support: Email or online ticketing
Support response times: Priority 1 Issue — 1 elapsed hour;
Priority 2 Issue — 2 elapsed hours;
Priority 3 Issue — 8 elapsed hours;

Outside Business hours:

Priority 1 Issue — 2 elapsed hours;
Priority 2 Issue — 4 elapsed hours;
Priority 3 Issue — 12 elapsed hours;
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AAA
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: We provide two levels of support, Standard and Premium: Standard business hours are 8 - 6pm, Monday-Friday. Standard support guarantees a response within 4 working hours to a fault properly reported to Arrow’s support team. The contract also includes 1 dial in per calendar month for any non-fault related moves, adds and changes with a maximum time of 15 minutes. Outside these parameters moves and changes will become chargeable as follows; Remote dial in, £50 for up to 15 minutes or £90 per hour. Onsite call outs, £95 for the first 30 minutes and £27 for every 15 minutes thereafter. Premium support provides a maintenance service 24/7/365. The maximum response time for a Standard Fault will be 8 operational hours and the maximum response time to a System Crash will be 4 operational hours. The contract includes up to 10 dials-in per month with a maximum total time limit of 2 hours. Outside these parameters moves and changes will become chargeable as follows; Remote dial in, £50 for up to 15 minutes or £90 per hour. Onsite call outs, £95 for the first 30 minutes and £27 for every 15 minutes thereafter. Premium support is an additional £5.00 per user.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Migration of existing Infrastructure to the Arrow cloud environment can range from simple manual migration to a full assessment, plan and project implementation. Clients are able to sign up for an account and order a service through our online client portal. Once an account has been created, Virtual Servers can be provisioned and access granted to customers via a secure log in facility
Service documentation: Yes
Documentation formats: HTML

ODF

PDF
End-of-contract data extraction: Arrow's cloud platform allows easy migration between environments and Arrow commits to providing the same level of support and management to assist the client in the off-boarding process at contract end.
End-of-contract process: There is a decommissioning / migration charge, which is determined at contract start, depending on client requirements.

Using the service

Web browser interface: Yes
Using the web interface: Users must be pre-registered before they can access our 2FA protected web portal.

Users can restart and shutdown virtual servers.
Users can provision new services (subject to contract)
Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
Web interface accessibility testing: N/A
API: No
Command line interface: No

Scaling

Scaling available: Yes
Scaling type: Manual
Independence of resources: Capacity planning and monitoring
Significant headroom
Resources are not thin provisioned and are ringfenced
Usage notifications: No

Analytics

Infrastructure or application metrics: Yes
Metrics types: CPU

Disk

Memory

Network

Number of active instances
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: Less than once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Backup and recovery

Backup and recovery: No

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

Bonded fibre optic connections
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Service Availability

Arrow undertakes to provide Service Availability of 99.9% of the available time in

each month. Failure to meet this level will result in a Service Credit offered to the

Qualifying Customer.

Service Availability Credit

100% of the Monthly Recurring Charges billed for the Arrow Cloud Video service

provided to the relevant customer for the relevant month.

Response Time

Arrow offers two levels of support service cover: standard and total care. During

Arrow’s Normal Working Hours on Business Days, standard service level cover

guarantees a response within 8 working hours to a fault properly reported to Arrow’s

technical helpdesk. During Arrow’s Normal Working Hours on Business Days, total

care service level cover guarantees a response within 4 hours to a fault properly reported

to Arrow’s technical helpdesk.

Failure to meet the relevant response time subject to eligibility will as described below,

result in a Service Credit of 50% of the relevant billed Monthly Recurring Charges for the

month in which the failure occurred.
Approach to resilience: Tier 3 equivalent Data Centre -Concurrently maintainable: 99.99 % Availability

• Enables planned activity without disrupting computer hardware operation. Arrows facilities are designed and specified to ensure that planned activity can be undertaken without any disruption to computer hardware.
• Resilient power infrastructure. Arrows design specification for the DC facilities provides for 2N resiliency on the power infrastructure and N+1 on all other components and multiple Low Voltage path options with a dual A & B feeds which are available for all racks.

• We also have resilient internet connectivity, setup in an auto-failover configuration and involving diverse routes and providers
Outage reporting: We have a process to communicate with customers in the event of a major service outage and provide a Reason for Outage report. This is based through emails from the support team. Once an outage is noted then regular hourly emails are sent detailing progress to resolution.

Identity and authentication

User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: Administrative and management networks are physically separate from other staff networks, within our secure NOC. Technical Staff access is strictly controlled.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Dedicated device on a government network (for example PSN)

Dedicated device over multiple services or networks

Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: DNV Business Assurance UK Limited
ISO/IEC 27001 accreditation date: 01 December 2023
What the ISO/IEC 27001 doesn’t cover: This certificate is valid for the following scope:

Provision of IT and Telecommunications Services (AV and Video Conferencing, Business Mobile, Cloud Telephony, Contact Centre, Cyber Security, Data Centre Services, Data services, IT, Software Development, Mobile Data) in accordance with the Statement of Applicability, version 1.0, plus Code of Practice ISO 27017:2015 on information security controls for cloud services and Code of Practice ISO 27018:2019 for protection of personally identifiable information (PII) in public clouds.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: Yes
Any other security certifications: NHS Data Security and Protection Toolkit. ODS Code: 8J121

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: The Chief Executive Officer, along with the board, in partnership with the Head of IT is responsible for the approval of all of the IT policies and ensuring that they are discharged to the relevant managers. Arrow's Information Security Policy outlines our approach to information security as well as being a method to establish a set of tools to outline the responsibilities necessary to safeguard the security of the Company’s information systems with supporting policies, codes of practice, procedures and guidelines. The policy applies to all employees - current and new - of the Company as well as all other authorised users. The policy relates to the use of all Company-owned information system assets, to all privately owned systems when connected directly or indirectly to the Company’s network and to all Company-owned and or licensed software/data. Authorised members of the IT Department will from time to time monitor the information systems under their control to ensure compliance. This is supported by training during the Induction process for new employees and updates to existing staff as appropriate.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: All components are recorded on a asset register and asset tagged where necessary. Should changes be needed a formal request is submitted to the change management board and risks would be assessed against the current safeguards in place against that component. Based on this assessment that change management board would recommend the correct and safest course of action.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Potential threats are identified through risk assessments. Our response to identified threats is measured on severity and impact. This also defines the level to which the issue is escalated. Regular software patches to our service are released by the manufacturer . We implement these patches onto our platform in a timely manner.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Arrow's Data Protection Policy details the extensive controls, measures and methods used to protect personal data, uphold the rights of data subjects, mitigate risks, minimise breaches and comply with the data protection laws and associated laws and codes of conduct. We also carry out regular audits and compliance monitoring processes, to ensure that the measures and controls in place are adequate, effective and compliant at all times. All data breaches are reported immediately to the direct line manager and the reporting officer. Measures must be taken immediately to contain the breach and to stop any further risks or breaches.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Arrow’s Data Breach Policy states that all staff must report a data breach immediately to the direct line manager.

The Supervisory Authority is to be notified within 72 hours of any breach where it is likely to result in a risk to the rights and freedoms of individuals.

A full investigation is conducted and recorded on the incident form, the outcome of which is communicated to all staff involved in the breach, in addition to upper management. A copy of the completed incident form is filed for audit and record purposes.

Secure development

Approach to secure software development best practice: Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Supplier
Virtualisation technologies used: VMware
How shared infrastructure is kept separate: CCustomer private networks and support services access to be controlled with a separate EAL4 compliant firewall.

Webservers to be dual networked into dedicated Virtual Local Area Network (VLAN), access to and from such VLANs is controlled by separate firewalls and access rules.

Back end services segregated by multiple VLANs, segregating servers into separate VLANS protected by firewall access control lists.

Data storage will be on a shared Storage Area Network (SAN) this SAN will have a dedicated area for the service, presented via the iSCSI protocol to the hypervisors. iSCSI CHAP security will be used to prevent unauthorised access

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: Arrow is a participant in the European Code of Conduct for Data Centres (EUCoC) which aims to reduce energy consumption & carbon emissions in a cost-effective manner without hampering the mission critical function of systems or data centres. EUCoC has been created in response to increasing energy consumption in data centres and the need to reduce the related environmental, economic and energy supply security impacts. Arrow is an ethical and environmental conscious organisation that has adopted the best practices of the code and become an official participant. The EUCOC ensures that Arrow operational procedures regarding the management of a data centre are appropriate and the energy saving initiatives the company adopts meet the objectives of the European Union. All of Arrow Colocation clients have a clause in their contract requesting that, if possible, that they will utilise power off and auto restart on all equipment installed in Arrows data centre

Social Value

Wellbeing

Wellbeing

To help us drive wellbeing and engagement throughout Arrow, we have dedicated Wellness Champions at each of our key sites – these are voluntary roles and act as a central point of contact for advice and guidance around the mental health and wellbeing of our people. They also help to drive the promotion and organisation of various corporate social responsibility initiatives across Arrow further driving engagement. A dedicated Teams channel is used to communicate, share, and promote these activities. Each Champion has completed Mental Health First Aider training so that they are equipped with the necessary skills to fulfil this role. These courses run through MHFA England have also been attended by other members of the wider team. The engagement of our people is paramount at Arrow, and we track this closely, currently sitting at 89% this places us in the upper quartile of all benchmarked organisations. In addition to our 2 main annual surveys, we also track the wellbeing and resilience of our people as well as our eNPS score monthly to ensure we keep a close temperature check on how they are feeling. Our current eNPS score is 52% which places us in the top 25% of organisations in our industry.

Pricing

Price: £0.13 to £0.28 a gigabyte
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Trial periods can be arranged as part of PoC analysis. These periods are usually incorporated into a longer contract.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

Health Cloud

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents