Cyber-Duck

Headless CMS Development (Storyblok/Drupal)

Cyber-Duck can help you select the headless CMS that’s right for your organisation and implement it across all your channels, through native or custom APIs. We can help you personalise your UX with automation and AI.

We integrate CMSs with Google Analytics, CRMs, Algolia/Elastic search, automation and personalisation tools.

Features

  • Headless CMS development and testing
  • Low and High Fidelity Prototypes for user journey validation
  • Sandbox environments for training and approvals
  • Enterprise CMS features out of the box
  • Customisable publication workflows
  • Dynamic forms management & 3rd party integrations
  • Multiple content types
  • Dynamic "drag & drop" layout builder
  • Taxonomy and tagging features
  • Analytics tracking, reporting and conversions monitoring

Benefits

  • Greenfield and Brownfield development capabilities
  • ISO27001 Cyber Essentials Plus Certified for information security
  • ISO9241-210 Accredited User Centred Design Process
  • Accessibility/Inclusivity solutions in-line with WCAG standards
  • Dedicated multidisciplinary team, embedded in your organisation
  • Lean Agile methodology, overseen by SCRUM certified Project Manager
  • ISO9001 certified for quality management and customer satisfaction
  • ISO14001 certified for sustainability

Pricing

£450 to £1,500 a unit a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at CD-Tender-Team@cyber-duck.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

936441511950835

Contact

Cyber-Duck Matt Gibson
Telephone: 02089530070
Email: CD-Tender-Team@cyber-duck.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
The organisation (client) should cover any licence fees for proprietary services that are requested as part of the service. If open source software is being used, this will not be required.
System requirements
Licences for any commercial or proprietary application

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary depending on the severity (urgency) of the issue:
Severity 1 (most urgent) - 2 hour maximum response time
Severity 2 - 24 hour maximum response time
Severity 3 - 24 hour maximum response time
Severity 4 (least urgent) - 24 hour maximum response time

Out of hours and weekend support is available at additional cost, and would follow the same structure.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Service Level Agreement:
Urgent issues - Response within 2 hours, resolution within 24 hours.
High priority issues - Response within 24 hours, resolution within 5 working days.
Normal issues - Response within 24 hours, resolution within 2 weeks
Low priority issues - Response within 24 hours, resolution within 4 weeks or next major deployment.

Cost: per our rate card.

Resource: Quality Assurance Analyst to manage the issue and relevant engineer from our technical team to resolve the issue. Free account management is also provided.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We can provide training and release notes throughout the project as well as end user documentation.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
All content can be extracted in raw format from the database (into CSV or other common formats) and via an API if it needs to be migrated to another platform.
End-of-contract process
Transferring the technical and billing contact of the cloud software solution to your team is included in the contract. Any training, data and assets migration or termination of services would need to be scoped and quoted for.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
N/A
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
We rely on the API provided by the open-source platform used (Drupal, Laravel...)
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
We will work with the buyers to define the requirements and permissions around customisation of the themes, admin settings, form rules and publication workflows.

Scaling

Independence of resources
We set up each hosting account individually with no shared resources between users.

Analytics

Service usage metrics
Yes
Metrics types
The Content Management Platforms will come out of the box with basic analytics and usage metrics. We can configure more advanced solutions such as Google Analytics or corporate audit log monitoring tools.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export their data via the Admin area or with direct but restricted access to the database.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • JSON
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We rely on the SLA provided by the underlying hosting provider (AWS, MS Azure, Gov.uk PaaS, Acquia) which is usually at least 99.99%. We also guarantee P1 response time within 30 minutes and provide service credits if we fail to achieve those SLAs.
Approach to resilience
We rely on the resilience provided by the underlying hosting provider and core platform used for the cloud software. Our engineers guarantee an additional layer of support for all requests.
Outage reporting
We report service outages by email alerts by default. We can deliver custom workflows into back-office systems or other internal tools.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels
As per our ISO-27001, we enforce MFA and group policies for access to all management interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
22/08/2016
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
ICO Tier 1

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO-27001 and Cyber Essentials Plus certified.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use source code versioning, peer-reviews and database monitoring tools to track and assess any configuration and change management process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
For all cloud software platforms, we rely on the vulnerability management process provided by the open-source community. Once notified, we have our own policy to respond and process such vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
For all cloud software platforms, we configure secure cloud hosting solutions including tracking and monitoring tools. We provide an SLA to respond to any incident or compromise, with an optional 24/7 upgrade available.
Incident management type
Supplier-defined controls
Incident management approach
We follow our ISO 9001 and ISO 27001 policies to manage incidents. These can be triggered by our automated monitoring or raised by users via our email or phone helpdesk system. Once the incident is resolved, we provide a full root cause analysis in a post-mortem report.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Cyber-Duck is ISO14001 certified, and has published a detailed Carbon Reduction Plan, available on our website.

We have set a target of being Net Zero by 2035 for greenhouse gas emissions and, as part of our Carbon Reduction Plan, report on progress annually.

We provide staff with support for purchasing electric vehicles, and encourage staff to use public transport where feasible. We also offer staff the opportunity to sign up to the Cycle to Work Scheme.

We operate a hybrid working policy, with staff working remotely the majority of the time. Face to Face meetings and office days are planned in advance, and where meetings can be done remotely, this is encouraged.

Another action we take to reduce the carbon footprint of our business is how we manage file transfers. Emailing large attachments to multiple recipients consumes a lot of energy, and in our line of work we can send large design files or presentation documents. Instead, we host documents on a central repository, such as DocSend for sales materials, and only send a link to the recipient, saving a considerable amount of energy.

Finally, we work proactively with our clients to support them in their own missions towards Carbon Net Zero. We do this by ensuring their websites and other digital products are hosted on architecture that is powered by renewables, and by optimising the user journeys and flow of data, we can cut the amount of energy dedicated towards powering our products.
Covid-19 recovery

Cyber-Duck is committed to supporting both staff and the wider community in recovering from COVID-19. To that end we have developed robust procedures to maintain operational capabilities whilst ensuring staff are supported both in their day-to-day work and in their emotional and physical wellbeing. This includes:

1. Providing new employment opportunities regardless of location. We employ people based on talent, skillset and compatibility with our community, regardless of location. We operate hybrid and remote working, and ensure all staff have the tools required to work to their full capacity.

2. Support for those affected by COVID, and those shielding. As a hybrid company, we can facilitate remote working for those who are vulnerable. Where in-person meetings can take place, social distancing is supported where possible. As a global organisation, all meetings are virtual and we facilitate those at risk through providing the tools to join remotely.

3. Supporting businesses and clients by offering fully remote capabilities including support for new and unfamiliar ways of working. Every member of our team is trained in working remotely, and we are tech-agnostic, meaning we work with the tools best for our client.

4. Supporting physical and mental health of those affected by COVID-19 through well-established policies and procedures. All Senior Management and Leaders are trained Mental Health First Aiders, and we also offer all staff access to counselling, gym memberships, and support to maintain physical health.

5. Improving workplace conditions through supplying staff with all relevant required tools, including laptops, additional screens and funding to set up home offices as required. We also offer sustainable travel solutions including support for staff in purchasing electric vehicles, and providing access to the Cycle To Work scheme.
Tackling economic inequality

In line with Cyber-Duck’s Diversity & Inclusion (D&I) Policy, Cyber-Duck has implemented a Gender Pay Gap policy and will voluntarily produce a Gender Pay Gap report from next financial year: introducing transparency to promotion, pay/reward processes. We will calculate the difference between the mean/median/hourly rate paid (salary/bonus) for all full-paid relevant employees, accompanied by the banding, to male/female employees.

Within 6 months of calculating our gender pay gap statistics, we will develop an action plan to be applied in the following 12 months, aiming to reduce or remove any pay/promotion disparity. Wherever possible, the plan will contain actions which have specific targets or timelines that can be objectively measured. Cyber-Duck is proud to already be an Accredited Living Wage and London Living Wage employer.

We hire staff that are the mutual best-fit, in terms of culture and expertise, regardless of their background or circumstances. HR and Line Managers create adverts that clearly explain the role and our inclusive culture. We ensure equality/accessibility, without discrimination, to work opportunities for those with protected characteristics.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales, Girls in AI, London Pride, AXSChat, and 1,000 Black Voices.

Our end-to-end process for Learning & Development is integrated with our HR systems, to ensure it’s part of our team’s day-to-day. It includes previous (30%); on-the-job (40%); CPD (20%) and specialist external training (10%).

We’re always looking to improve our male/female balance (67/33%) and diversity: 13% of our team are black, 27% are “Black Asian and Ethnic Minorities”, 31% are white (non-British), and 42% are white (British).
Equal opportunity

Cyber-Duck applies its Diversity & Inclusivity Policy that explores how we can safeguard protected characteristics like gender. We’ve committed to the Miscarriage Association’s Pregnancy Pledge, ensuring we have supportive policies around pregnancy-related leave including pregnancy loss and illness, and the Menopause Policy, raising understanding for health challenges caused at that time.

HR and Line Managers create adverts that clearly explain the role and our culture of inclusivity. Recruitment practices include sourcing via partnerships with diversity initiatives, where we offer mentorships, internships, or permanent roles; these include Motherboard, LadiesThatUX, CodingBlackFemales and Girls in AI.

We conduct specialist reviews of the linguistics/requirements/any unconscious bias in job ads/interviews/assessment tasks/panels from our D&I Lead: a UN-certified trainer/thought-leader in the Convention on the Rights of Persons with Disabilities.

We have implemented a Gender Pay Gap policy, introducing transparency to promotion, pay/reward processes. We calculate the difference between the mean/median/hourly rate for all full-paid relevant employees, accompanied by banding, to male/female employees, which determines actions aimed to reduce or remove any pay/promotion disparity.

We are members of the International Association of Accessibility Professionals and are expert in providing digital services utilising assistive technologies. We are also members of the Royal National Institute of Blind People, and have provided training to staff on ways to ensure accessibility and inclusivity is at the forefront of all day to day operations.

We monitor progress using Progression App, enabling leadership to identify areas where staff require additional support, including assistive technology and measures, to enable staff to carry out their duties and progress to higher paid roles within Cyber-Duck and develop new skills. We are passionate about supporting our staff, contractors and the people we work with and these measures ensure that no one from protected characteristics, disability, disadvantaged or minority backgrounds is held back from achieving their full potential.
Wellbeing

Focusing on health and wellbeing is especially important to Cyber-Duck. We hold a weekly company-wide townhall with all staff, openly sharing news and challenges together. We also use it as a safe space for open dialogue and active listening on internal or external topics affecting the team.

Mental health is very important to Cyber-Duck; 15% of Cyber-Duck’s team, including most of the company’s senior management team are certified mental health first aiders, trained by MHFA England. This means they are familiar with the signs of poor mental health, and are competent and confident in assisting with a mental health problem in a non-judgemental way.

We have implemented a Mental Health Policy which includes an active employee toolkit and references to external guidance. Measures include: Encouraging audio-only walking meetings, encouraging team members to take breaks and go for walks, and offering flexible working hours.

We monitor the team’s well-being through FridayPulse, a platform that uses NPS-style Happiness KPI functions, team building tools, culture profile and predictive people analytics.

Using the FridayPulse platform, each department holds weekly meetings to discuss social and emotional well-being. Line managers also hold monthly 1:1 meetings to build deep and qualitative feedback loops with their teams. Our CIPD qualified HR team also regularly meets with staff to support them in an impartial manner.

Voluntary reporting mechanisms on wellbeing/mental health are shared via HiBob, our second HR platform, every quarter. Environment questions explore whether staff’s work environment is comfortable, enabling effectiveness and productivity; if they had the equipment and resources required; and whether their setup is conducive to healthy remote working in the long-term.

Employees have access to benefits such as the Healthcare cash plan that rewards healthy living habits such as exercise or meditation; access to counselling, doctors, and resources; gym memberships; remote mindfulness and yoga sessions.

Pricing

Price
£450 to £1,500 a unit a day
Discount for educational organisations
Yes
Free trial available
No
