ORION WEB LTD

Drupal CMS Website Development

Building, configuring, customising and maintaining websites and/or web applications using the Drupal Content Management System. It includes installation, back-end and front-end coding, theme and module development, content management, customisations, integrations, performance optimisation, security, responsive mobile design, pre/post-launch QA testing, deployment to servers and post-launch monitoring.

Features

• intuitive content administration and management
• Cloud-based, accessible from anywhere
• responsive design-enabled
• immediately secure
• multilingual support
• SEO-ready
• accessibility compliance-ready
• performance plugins in Core
• user roles and access levels
• extendable features

Benefits

• flexibility
• scalability
• modularity
• security
• community support
• multilingual support
• SEO-friendly
• integrations and API- friendly
• accessibility compliance
• optimised for performance

£90 a unit an hour

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@orionweb.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

871381184353797

Contact

Marios Ioannidis
02080582056
info@orionweb.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Based on the nature of the service, the provision is mostly (if not solely) remote.
• System requirements:
  • Web-database server (hosting)
  • PHP language installed on server (hosting)
  • Adequate memory on server (hosting)
  • Adequate disk space on server (hosting)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our SLA will include detailed response times, similar to the following: ; Urgent Issues: Response within 2 hours during business hours. ; Non-Urgent Issues: Response within 1 business day during business hours. ; Emergency Support: Response within 1 hour for critical emergencies affecting website functionality or security.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: - Tier 1: Basic help desk/support email resolution and delivery. ; - Tier 2: In-depth technical support. ; - Tier 3: Expert product and service support. ; The technical lead is commonly engaged with the support procedures and resolution path.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will make full use of our educational experience to create a structured framework of training (including scheduled online meetups at mutually convenient times) based on the new website functionality, while at the same time honouring the essential Drupal concepts upon which the website has been built.; When necessary, we will also provide guidance and references to additional resources online, compatible with the specific needs of the client’s team for successfully handling the new website functionality and features.; We usually schedule most of the training sessions before the launch of the new website, to allow for practising the concepts covered. ; Content editors will be able to create/view/edit/delete content and media, configure and manage content moderation workflows, test any integrations thoroughly, calibrate tracking and metrics harvesting (e.g. Google Analytics, server infrastructure metrics etc.), manage Drupal roles and users and generally gain the experience required to successfully manage the new website.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Given the nature of this service, user data will be contained in the website database. Upon continuation of the (hosting) service, the user data will remain intact. ; In case the client decides to discontinue the hosting service of the website, it is still possible to extract the content and user data from the website in the form of exportable files, for example .xls or .csv.
• End-of-contract process: The website development contract typically includes planning, research and discovery, design, development, testing and QA (Quality Assurance) and deployment. ; Documentation of complex features and processes as well as two to three training sessions are included in the main piece of work.; Support and maintenance are typically not part of the main scope of the website development project and require a separate agreement.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: We follow mobile-first coding practices, ensuring that the mobile version of the website is optimised for speed and performance. We prioritise the loading of essential assets, apply “lazy-loading” techniques and minimise unnecessary resources, thereby reducing load times and enhancing the overall mobile user experience. This also greatly improves the browsing experience of users requesting content from low bandwidth areas. To validate the mobile-first approach, we conduct extensive testing across a wide range of mobile devices and operating systems. Through rigorous testing, we identify any potential issues and fix them promptly to ensure a flawless user experience on mobile devices.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: The Drupal website is accessible to end users via its front-end, the publicly available portion of the application. Through login, the back office of the application is available to administrators, content editors and other user roles.; Various levels of access can be supported based on user roles and permissions (applies to the front-end as well as the back office).
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: Our CMS website solution utilises WCAG (Web Content Accessibility Guidelines) 2.1, promoting adherence to international accessibility standards. An accessibility checker integrates directly into the content creation workflow, empowering authors and editors to identify and rectify accessibility issues in real time.; Accessibility testing tools like editoria11y enable developers to identify potential issues early in the development process and rectify them proactively.; Automated tools such as Accessibility Insights, Google Lighthouse, Siteimprove, WAVE and Tenon can also contribute greatly to quickly discovering any issues. These tools would be used throughout the implementation process of the new website as well as post-launch when content editors will be managing the content in the back office.; We also use tools such as Monsido to ensure maximum accessibility compliance.
• API: No
• Customisation available: Yes
• Description of customisation: Drupal can be extended and configured, through the use of plugins (modules) and themes. For example, more than one front-end themes can be developed to provide a different look and feel for different areas of the website. Other customisations can be developed as per project requirements.

Scaling

• Independence of resources: Drupal has no hard user/visitor limits. Additional hardware resources are typically allocated to installations with hundreds of thousands or millions of users in order for the performance of the website to remain optimal.

Analytics

• Service usage metrics: Yes
• Metrics types: Google Analytics is preinstalled on every website project we deliver. Server infrastructure metrics are also available on most hosting platforms. Additional tools can be installed as per the project's requirements.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Given the nature of the service, admin user data is stored in the Drupal CMS database and through the use of plugins such as Views, it is possible to create exportable and downloadable reports. The exportables are usually in the form of XLS or CSV files.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We understand even the slightest outage can have an incredible impact on business. We provide everything needed to keep the website application up and running through the use of an effective support system, backups, byte-for-byte clones of production environments, and an SLA of 99.99% uptime.
• Approach to resilience: Available on request.
• Outage reporting: We monitor dedicated clusters 24/7 to maintain uptime and performance. A wide range of server metrics, including disk space, memory, and disk usage are continuously measured. These metrics provide a complete picture of the health of the application infrastructure.; When an outage is detected, a Point in Time report is generated so our hosting partner's support can triage the cause of the outage.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: IP whitelisting for non-production environments or for administration pages that require users to be logged in.
• Access restrictions in management interfaces and support channels: The websites we produce include a back office that allows for full administrative control as well as content moderation and editing. Admin users authenticate through a pair of username and password. On top of that, two-factor authentication can be implemented as well as other additional methods of access restriction (e.g. CAPTCHA, SSO etc.).
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: User IP whitelisting.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Information Commissioner’s Office (ICO) registration

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We are working towards getting ISO/IEC 27001-certified.
• Information security policies and processes: Available upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Drupal provides an adequate level of change management, auditing and reporting. This can be expanded to include additional data points (e.g. user role changes) with the use of additional plugins and logic.; The Drupal UI offers an intuitive interface with reports including items to be updated, pending Core security updates etc.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: The Drupal security team periodically publishes patches for newly discovered security vulnerabilities. These patches are applied as soon as they are received and during the next planned release or an urgent one if needed (depending on the severity of the vulnerability).
• Protective monitoring type: Undisclosed
• Protective monitoring approach: We are happy to share our business continuity plan and incident response processes upon request.
• Incident management type: Undisclosed
• Incident management approach: We have defined and actively maintain an incident response process. We are happy to provide our process upon request.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  The official environmental policy of our company is available upon request.

  Tackling economic inequality

  The official equality-diversity-inclusion policy of our company is available upon request.

  Equal opportunity

  The official equality-diversity-inclusion policy of our company is available upon request.

  Wellbeing

  The official equality-diversity-inclusion policy of our company is available upon request.

Pricing

• Price: £90 a unit an hour
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@orionweb.uk. Tell them what format you need. It will help if you say what assistive technology you use.