UNCOMMON CORRELATION LIMITED

Vendor Agnostic Dynamic Cloud SaaS - Design and Delivery

The design and delivery of novel, secure, hybrid, Software-as-a-Service systems for the dynamic consumption of compute resources. A continuous delivery approach to the deployment and management of cloud software and data. We take a cloud-vendor-agnostic approach to well-governed, secure, and resilient, distributed computing.

Features

• Cloud agnosticism
• Hybrid cloud
• Dynamic architectures
• True data sovereignty
• Authoritative data governance
• Distributed by default
• Rapid delivery
• Domain control
• Data as a primary concern
• Domain evolution

Benefits

• Protect against vendor lock-in
• Acheive best VFM for compute tasks
• Dynamic consumption of cloud compute for security and resilience
• Secure access to all data via RESTful API ensures ownership
• Tamper-evident, distributed, recording of system activity for absolute integrity
• Mitigate risk and evade attack by removing vulnerable centralization
• Surpass expectations at a fixed price
• Encapsulate your domain in software to reduce processing problems
• Better data and tooling to empower domain experts
• Prevent spiralling costs when your domain or its data changes

£0.05 a gigabyte a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gary.stevens@uncommoncorrelation.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

928907300346029

Contact

Gary Stevens
07309205105
gary.stevens@uncommoncorrelation.co.uk

Service scope

• Service constraints: None.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 hours during business the business week: 0800-1800, Monday to Friday. Within 2 hours of the start of the business week if the question is raised over the weekend or a bank holiday.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: None - we use Matrix.
• Onsite support: Onsite support
• Support levels: We only have one level of support. Our team members are all technical experts, and are all available to our clients to interface with directly.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We supply hands-on training and mentoring directly from our team of experts, which can be delivered on-site or remotely, as the client prefers. Full documentation is provided as standard, covering fundamental technology specifications, as well as end-user 'how-to' guides, and decision records and explanatory materials covering the 'why' of our services and software.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All data, all developed IP, and all pass-through-IP, is fully owned by the client at all times during and after the contract. They can extract data from our systems at any time, in bulk, over the API in an automated fashion, with or without support from our team.
• End-of-contract process: There are no additional costs for ending the contract, nor are there any additional costs for service sun-setting or data extraction.

Using the service

• Web browser interface: Yes
• Using the web interface: All system elements, and all data, are fully exposed to all create, edit, retrieve, and delete, (CRUD), operations, through an accessible web interface, conforming to the Richardson Maturity Model for RESTful (Representational State Transfer) interfaces, including the constraint of Hypertext as the Engine of Application State (HATEOAS).
• Web interface accessibility standard: WCAG 2.1 AAA
• Web interface accessibility testing: Recorded end-user testing against user stories, against a red-amber-green scoring matrix of achievement of objectives.
• API: Yes
• What users can and can't do using the API: All system elements, and all data, are fully exposed to all create, edit, retrieve, and delete, (CRUD), operations, through an API conforming to the Richardson Maturity Model for RESTful (Representational State Transfer) interfaces, including the constraint of Hypertext as the Engine of Application State (HATEOAS).; ; Additionally, we can expose all data through a PAS212-compliant (Hypercat) discover catalogue.; ; Furthermore, all system elements, and all data, can be exposed over gRPC should the client wish.
• API automation tools:
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
• Other API automation tools:
  • SSH
  • GPG
  • OpenTofu
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • Other
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: All system elements, and all data, are fully exposed to all create, edit, retrieve, and delete, (CRUD), operations, through a CLI and TUI (Terminal User Interface), via the API conforming to the Richardson Maturity Model for RESTful (Representational State Transfer).

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Dynamic scaling of consumption of compute resources is across data centres and is protected from the consumption of other clients.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • SMS
  • Other
• Other usage reporting: Web monitoring dashboard.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • Users and user access
  • Record and schema metrics
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Hardware keys, LUKS, SSH, GPG, encrypted key managers (like KeepassXC), distributed workflows to reduce data aggregating in central servers / clouds.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Code
  • Data
  • Files
  • Security credentials
  • Logs
  • Remote state configuration
• Backup controls: All system features are exposed via create, retrieve, update, and delete, functions (CRUD), including backups. Therefore, all backups are configurable against a schedule.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: SSH and GPG
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: SSH and GPG

Availability and resilience

• Guaranteed availability: We practice a 99.999% uptime target.; ; Downtime is refunded by writing off the time taken by our team to resolve the downtime.
• Approach to resilience: All our software and systems apply 'who, what, how' recording approach against all create, retrieve, update, and delete, (CRUD) events by, all users and integrations. This data is replicated, hashed for tamper-evidencing, and encrypted. Our software and systems operate in a load-balanced, distributed-by-default, configuration.
• Outage reporting: The services precise outage reporting configuration is set against users' needs. We make available this data across dashboards, replicated logs, APIs, and email and SMS alerts, where appropriate.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: GPG, SSH, hardware keys
• Access restrictions in management interfaces and support channels: A zero-trust / beyondcorp approach to security, using access control lists.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: SSH, GPG, and hardware keys
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We divide our security governance into two: per-project and whole-company. All projects face unique, and relative, risks. Therefore, we design and implement an appropriate security governance framework, policy, and practice, for all of our projects. This is designed and implemented in partnership with our client, and training and documentation is provided. At the company level, security governance is a top-level priority, the design, implementation, and execution of which is made the personal responsibility of all team members. Our overarching principles are zero-trust, many-eyes, private-by-design-and-by-default, and distributed-by-default. More information on these is available freely on request.
• Information security policies and processes: As per our position on security governace, our information security policies and practices are divided into two: per-project and whole-company. Our overarching principles are zero-trust, many-eyes, private-by-design-and-by-default, and distributed-by-default. All team members at all levels are given training to identify risks, and action them. All risks identified are logged and triaged appropriately. Equal weight is given to risks with a low probability of manifestation to those that are high where the outcome state is the same degree. Our treatment applies the same to near-miss and speculative events and risks. All risks and events are recorded in a tamper-evident manner, and are passed up to the senior responsible officer.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All of our source code, and documentation (for the source code and for wider concerns), is tracked in the version control system, git. All changes, no matter how trivial, are subject to a rigorous peer review process. Furthermore, we use an internal protocol, which operates similar to a context-free-replicated-data-type, or a blockchain, to provide immutability and tamper-evidencing to the most critical of governance data. Changes are assessed against a number of properties, including but not limited to: supply chain attacks, large software-bill-of-materials dependency attacks, cryptographic flaws, vendor lock-in attacks, etc. More information freely available on request.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our first principle is that all software, and all interfaces to and between software, present a threat. Potential threats are assessed at all levels of our services, from 'bare metal and silicon', up the software stack to end-user interfaces and APIs. All threats are analysed according to our risk methodology (described above). We patch our software and services immediately a threat is registered - regardless of manifestation - as part of our continuous integration practice. We identify threats and risks through channels such as NCSC, NIST, MITRE, and the open source community. We identify and mitigate novel, hitherto undocumented threats.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: All our software and systems apply 'who, what, how' recording approach against all create, retrieve, update, and delete, (CRUD) events by, all users and integrations. This applies to failed and successful log-in / connection events. This data is replicated, hashed for tamper-evidencing, and encrypted. Our software and systems operate in a load-balanced, distributed-by-default, configuration. both potential compromises, and manifest risks / incidents, are mitigated immediately as part of our continues delivery and risk management methodology. All activity is carried through to our internal 'lessons learned' process.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Our principle is that 'all team members can stop the production line', meaning that any issue or incident can be raised by any team member, which is immediately prioritised in our continuous integration workflow. This means that incidents and issues get found and fixed immediately. This principle extends to our clients and their users. The means of reporting is implemented on a per-project basis, and can be through means such as telephone, email support, a ticketing system, API, etc, as appropriate. Post-fix, all incidents are treated with a lessons learned analysis.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: We do not operate any fixed-location or vendor-specific data centres, as we maintain strict vendor agnosticism to avoid lock-in. All data centre locations and vendors are chosen on a project basis. Therefore, we, and the client, are at liberty to choose data centres that adhere to the EU code of conduct. Participants can be viewed here: https://e3p.jrc.ec.europa.eu/communities/data-centres-code-conduct

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  We use the standard carbon accounting concepts of 'operational carbon' and 'embodied carbon' to base decisions of product acquisition and transport / logistics. We implement a near-far policy, where products and services are analysed against their procurement from local suppliers. Where local suppliers cannot meet the needs as judged by the non-temporal and non-spatial properties of the target product or service, then the scope of supplier review is broadened progressively until a suitable option is found. For a case in point: UK-manufactured ARM boards are chosen in preference of equivalent devices from international vendors.

Pricing

• Price: £0.05 a gigabyte a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gary.stevens@uncommoncorrelation.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.