ANNERTECH (UK) LIMITED

Managed Drupal Hosting

Our service offers Drupal hosting, support and on-going development. We can host your Drupal website and take complete responsibility for all the updates and capacity planning while you focus on managing your content. Our managed Platform.sh hosting provides a stable cost-effective hosting solution in UK data centres.

Features

• Drupal services for the public sector
• Optimised Managed Drupal Hosting Stack built on Platform.sh
• Automated workflow, effortless integration with Git version control
• Dev, staging and production environments as standard; optional extra environments
• 99.5% to 99.99% availability SLA
• Integrated/Bundled CDN
• Instant cloning for new environments and git service integrations
• UK data centre
• Fully managed granular backups
• Automated provisioning for fast deployment

Benefits

• Fully managed infrastructure lets you focus on your website
• Enhanced integrated agile development workflow
• Control for developers to spin up environments on demand
• Provide application level support as part of managed hosting contract
• Robust scalable infrastructure
• Scalability to increase and decrease as required
• Optimised for Drupal websites
• Secure and resilient
• 24/7 365 monitoring

£200 to £4,200 an instance a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@annertech.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

861084517978207

Contact

Stella Power
+442045860065
hello@annertech.com

Service scope

• Service constraints: Hosting specifically optimised for Drupal installations.; Linux only environment.
• System requirements:
  • Git knowledge is required
  • Drupal applications

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Annertech provide the following response times during standard business hours, 9am - 5:30pm Mon-Fri excluding public holidays:; ; ◦ Critical: immediately, with a maximum 2 working hours response time; ◦ High: within 8 working hours; ◦ Medium: within 24 working hours; ◦ Low: within 5 working days; ; Platform.sh provide the following response times 24x7x365 on their Enterprise tier:; ; ◦ Critical: within 1hr of ticket logged in their system; ◦ High: within 8hrs of ticket logged in their system; ◦ Medium: within 24hrs of ticket logged in their system; ◦ Low: within 48hrs of ticket logged in their system
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Infrastructure support is included in our costs.; ; We offer a number of additional subscription packages. These come in bundles of 8hrs per month and are billed in 15min increments. They cover help and support from our dedicated support team, maintenance of your application, and offer continuous improvement and ongoing development.; ; We provide 4 levels:; ; • Bronze: 8 hrs/mo; • Silver: 16 hrs/mo; • Gold: 24 hrs/mo; • Enterprise: 25+ hrs/mo; ; Packages can be upgraded or downgraded with one month’s notice.; ; If not all subscribed hours are used within a given month, you can roll over hours to the following month(s). A cap of one month's subscription is applied.; ; We do not penalise clients for exceeding their monthly subscription, and still only charge extra work at the daily rate according to the package chosen. However, we are unable to guarantee our capacity to take on extra work which has not been previously flagged or agreed to.; See our pricing document for costs.; ; You will have a dedicated, named account manager who will lead you through the onboarding process and hold regular reviews with you to ensure our levels of service are acceptable, and discuss goals and upcoming changes for the site.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The on-boarding process for our Managed Drupal Hosting is designed to help users start using the service effectively and efficiently. Here's how we support users during the on-boarding phase:; 1. Kick-off Meeting: We start by scheduling a kick-off meeting with key team members to understand your specific requirements and goals.; 2. Dedicated Point of Contact: We assign you an Account Manager who will provide assistance and guidance during the on-boarding process and throughout the contract. They will be available to answer any questions and address any concerns you may have.; 3. Documentation: We provide comprehensive online documentation for your developers to help them utilise the hosting platform effectively.; 4. Site migration / installation: we will migrate your existing site to Platform.sh or install a new site for you.; 5. Account Management: Throughout the on-boarding process, our account management team will be available to ensure a smooth transition and address any issues that may arise.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: We will provide full access to the CMS or application software code. We will also provide full access to the database and files uploaded to the CMS.
• End-of-contract process: We will work closely with you to ensure a seamless transition to your new provider. We will provide all code, documentation and data access as needed assuming any outstanding invoices have been paid. Unless otherwise directed by the client, all data will be destroyed 30 days after contract termination.; ; This is all included as standard within the price of the contract. Additional support or additional documentation would be chargeable.

Using the service

• Web browser interface: Yes
• Using the web interface: Users can raise and view tickets view the web interface, and access any service availability or status reports.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: We have done testing in line with WCAG 2.1AA
• API: Yes
• What users can and can't do using the API: Synchronize files, databases, merge and branch environments, configure SSL certificates, domains, setup routes, environment variables, permissions, users, http access locks, deploy keys and much more.; ; A RESTful API is available over HTTP.; Examples of API integrations are available on GitHub.
• API automation tools:
  • Ansible
  • Chef
  • Puppet
  • Other
• Other API automation tools:
  • Jenkins
  • Circle CI
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: A single-line command can be used to install the CLI; Everything that can be done on the console can also be done via the CLI, plus some integrations like Slack, Webhooks, managing backups, interact with the databases and issuing application commands

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Enterprise Dedicated deployments receive dedicated infrastructure. All other environments are containerised with resources being guaranteed by the allocator.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics: Uptime
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Platform.sh, Cloudflare, Fastly, Google Cloud Platform, Amazon

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Volumes encrypted by default. Third-parties guarantee protection - our hosting environment is deployed in AWS or Google Cloud Platform (GCP) data centres. They adhere to independently validated privacy, data protection, security protections and control processes. They are responsible for the security of the cloud and wherever appropriate, offer customers options to add additional security layers to data at rest, via scalable and efficient encryption features. They offer flexible key management options and dedicated hardware-based cryptographic key storage.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • A snapshot of the full cluster in a single image
  • Includes all data and code
• Backup controls: The service is fully managed and automated on a daily schedule.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: The only mechanism where data can enter and leave our hosting environment is via secure encrypted protocols unless the customer specifies otherwise (such as forcing HTTP on).
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Data transit is fire-walled to only be accessible by expected and specified relationships. Each container is only able to communicate to explicitly defined relationship subjects.

Availability and resilience

• Guaranteed availability: Depending on the level of service required we can support high availability environments up to 99.99% uptime. As standard we guarantee our minimum level of availability to 99.5%. Depending on hosting package chosen, failure to meet agreed level of availability can result in service credits awarded to to the customer.
• Approach to resilience: Our hosting is a highly available container grid. The grid is automatically self-healing. Any host that fails gets taken over by a healthy node; Any service that fails is automatically moved to a healthy host; Any unhealthy host is evacuated and the services move to a healthy host; The gateways are aware of the state of the underlying infrastructure and freeze traffic as failover happens; Grid hosts are aware of the state of services and do not run “deployment hooks” on services that fail-over, making failover quasi-instantaneous.
• Outage reporting: Outages are reported via an online status page which is hosted off-site, as well as via the helpdesk and email for individual affected customers. Detailed incident reports are sent to affected customers after resolution.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Restriction is managed by secure keys (for API access) as well as username & passwords for more routine support channels. Two factor authentication is also available.; ; Administrative connections may only be made over secured SSH or TLS channels.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Our data centre holds ISO 27001 amongst other security certifications
  • Our PaaS provider has PCI-DSS certification accredited by Risk3sixty, LLC
  • Our PaaS provider has SOC2 Type 1, SOC2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: The data centre is ISO27001 certified. ; ; Our hosting provider has a corporate governance framework to ensure continuity and monitor quality of the Security Programs. The following groups are established to facilitate corporate governance: ; ; Board of Directors: Helps ensure oversight for management strategy and operations. ; ; Audit Committee: Helps ensure that an independent body can provide corporate governance in corporate matters.; ; Governance, Risk and Compliance (GRC) Council, along with members of the Executive team, help ensure that organisational risks are prioritised and addressed, accepted or transferred. ; There are also definitions for Monitoring, Architecture, Policy, Plan & Procedure Review and External Third-party Audits.
• Information security policies and processes: Annertech implement formal, documented policies and procedures that provide guidance for operations and information security within the organisation.; ; Policies address purpose, scope, roles, responsibilities and management commitment.; ; Policies are maintained in a centralised and accessible location. ; ; Leadership involvement provides clear direction and visible support for security initiatives.; ; The output of Leadership reviews include any decisions or actions related to:; • Improvement of the effectiveness of information security; • Update of the risk assessment and treatment plan; • Modification of procedures and controls that affect information security to respond to internal or external events; • Resource needs; • Improvement in how the effectiveness of controls is measured. ; ; Policies are approved by Annertech leadership at least annually.; ; All staff are required to complete annual GDPR and IT Security training.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have an agreed change management process to allow services to evolve over time. We use source code versioning, peer-reviews and database monitoring tools to track and assess any configuration and change management process. Before any service updates, security tests are performed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Annertech perform vulnerability scans on the host operating system, web applications, and databases in our environments. ; ; The hosting platform (operating system, software, and applications) receives automated security patching for all software directly from the OS maintainers, with security patches applied as soon as they are available and have been tested on pre-production environments.; ; Alerts and newsletters are available from the maintainers, and technical staff monitor a number of respected advisory services for news.; ; Our Content Delivery Network provides a Web Application Firewall which is constantly updated to defend against newly released exploits.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Annertech have a range of automated and manual approaches to protective monitoring that are constantly being reviewed as new threats are identified within the industry. We work closely with our hosting partners to identify potential compromises, including inspecting access logs and Git commit histories.; ; Any compromise found results in quarantine actions for affected systems and replacement by clean builds, as well as analysis of access vectors used in attack. Response would be immediate following discovery.
• Incident management type: Supplier-defined controls
• Incident management approach: We have defined process for any outages and will update clients via agreed channels. Users report incidents through our service desk via ticket, email or telephone, and are kept updated with the progress and state of the incident throughout the event via the ticketing system. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: LXC and KVM; Xen; Hyper-V depending on the infrastructure provider
• How shared infrastructure is kept separate: Enterprise Dedicated deployments receive dedicated virtual machines from the underlying IaaS (eg. AWS, Azure, or Orange VMs). Users on the containerised architecture have guaranteed/isolated resources and network spaces.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: https://aws.amazon.com/about-aws/sustainability/; https://cloud.google.com/sustainability; https://www.microsoft.com/en-us/corporate-responsibility/sustainability

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are aware that reducing our emissions represents a significant benefit for ourselves, our customers, our suppliers and our communities.; Since our foundation, Annertech has always been a remote-first, distributed company – we have no offices. This means that we have reduced our impact on the environment by not having premises, meaning that our team does not have to commute while also enjoy a better work/life balance with flexible working hours.; As a digital only company we’ve also removed the need for paper, and travel to on-site meetings only where value can be added. If travel is required, then we encourage our staff to use public transport wherever possible.; We partner with providers, including hosting, who are committed to reducing their carbon footprint.

  Covid-19 recovery

  As a fully distributed company, our staff are able to work remotely from home. This meant that during the pandemic we were able to continue to support our customers with minimal disruption. In addition, our fully flexible working hours meant that staff were able to more effectively balance the needs of their families with that of work.; Being a distributed company, we are also mindful of the need for social interaction and to maintain our open, transparent and collaborative culture. To that end we have daily online coffee mornings, cameras on by-default (but not mandatory) policy, and other social activities such as a book club, foodie group to share recipes and restaurant recommendations, and more. We also try to get as many people from the team as possible to meet up in person for 1-2 retreats per year.; The health and wellbeing of our staff is important to us, so everyone also has access to an Employee Assistance Programme (EAP).

  Tackling economic inequality

  Annertech is committed to creating a diverse working environment which includes seeking candidates from different geographic, social and economic backgrounds.; We are mindful of the differing needs of sections of the community when it comes to employment opportunities. We provide fully flexible working conditions, including the ability to work from home and fully flexible working hours so they can flex their hours around childcare, taking care of elderly parents, or other personal commitments.; A training stipend is provided each year for employees to take advantage of to further develop their skills and knowledge.; We are committed to paying our staff fairly, and ensure that everyone is paid above the living wage. We have zero tolerance for slavery and human trafficking and are committed to ensuring there is no modern slavery or human trafficking in our supply chains. ; Where possible, we look to procure locally and support the local communities of our clients. We pay all of our suppliers promptly and always before the due date of their invoices.

  Equal opportunity

  At Annertech, we recognise that discrimination and victimisation are unacceptable and we are committed to encouraging equality, inclusivity and diversity in all aspects of our work.; We believe that policies alone are not enough and are committed to building an inclusive culture where discrimination is eliminated, everyone is respected and feels comfortable being themselves, and where everyone has equal opportunities. We employ team members based solely on their ability and experience, regardless of gender, race, religion or disability.; We are committed to paying our staff fairly, and ensure that everyone is paid above the living wage. We have zero tolerance for slavery and human trafficking and are committed to ensuring there is no modern slavery or human trafficking in our supply chains.

  Wellbeing

  At Annertech, the wellbeing of our staff is very important to us. We offer all staff members fully flexible working conditions, including the ability to work from home and fully flexible working hours. It is important to us that staff understand that family/personal time comes first and work should fit around their personal lives, rather than the other way around. If they need to care for a sick child, or they need to leave early, they can do that knowing without any difficulties or stress.; ; We also offer generous holidays to employees, and encourage them to take at least one solid 2-week break per year.; ; We also run a wellbeing programme where staff can access online resources and avail of a 24/7 Employee Assistance Programme which covers a large range of assistance from mental health, legal and financial advice, family counselling, and more.; We encourage openness, collaboration and engagement at all times and all levels. We operate a flat organisational structure with monthly company-wide meetings, where we come together to discuss our goals and achievements.

Pricing

• Price: £200 to £4,200 an instance a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@annertech.com. Tell them what format you need. It will help if you say what assistive technology you use.