Factory Hosting

Service scope

Service constraints: We have high availability and the ability to hot-move running workloads meaning planned maintenance is kept to a minimum. We can also setup business specific schedules for planned maintenance to keep user disruption to a minimum.

From a hardware perspective, we can support Virtual Machines upto;

256 CPUs.
2TB RAM.
64TB Storage.

We can deliver above this but require a longer notice period to deploy resources (typically 1-3 weeks).
System requirements: We provide all licensing for Operating Systems, Backups and Monitoring

The customer can supply additional licenses for application workloads.

We require support to connect to your network.

We require a HLD session to finalise design.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within 30 minutes during working hours, within 1 hour at weekends. Our times are typically quicker than this and escalation options are available for emergencies.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AAA
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Our structure for support is as follows;

Primary Tech Contact - Knows your solution and setup well, responsible for documentation and day to day support/maintenance/changes on your system.
Secondary Tech Contact - Backs up the primary contact and acts a Primary if the Primary is on-leave or not available. Will attend most meetings and also understand the solution and setup.

Account Manager - Helps with commercial matters and quoting/contracts.

Service Manager - Manages reporting/day to day issues/point of contact into the business.

Support Team - access to our service/ticketing system - requests raised here will be triaged, the team can deal with 80% of issues but will escalate to the Primary/Secondary tech contact where there is ambiguity/require extra support.

Senior Escalation - Director level escalation contact, for any issues arising that cannot be solved by the team.

Our support can be used by yourself and third parties who have an interest in the service (i.e. third party suppliers who may host/deploy on the service).

This is our default and is included within our costs. Dedicated Technical Resources can be used at an extra cost.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We manage and deploy services based on requests from users. Control plane access to our service is isolated from our own corporate network. Screen shares of the provision/detail of how the service is provision is open.

Control plane access can be granted, however a dedicated device/laptop will be required for users who require access to directly manage deployments.

We can provide onsite training, online training and documentation around this process.
Service documentation: Yes
Documentation formats: ODF

PDF
End-of-contract data extraction: Each extract will be different depending on how a customer is migrating/moving to a new supplier. To that end, we support a variety of options to make this as seamless as possible. Our typical options are as follows, however we will absolutely support requests that we can technically facilitate if it de-risks a customer migration;

> Entire export of a virtual machine.
> Shipping Virtual Machines on encrypted drives.
> Helping with replication of data to another hosting platform.
> Using customer/supplier provided migration tooling to move data to another platform (i.e. ETL software).
> Other reasonable methods.

If huge amounts of support or custom migrations are required, we can provide professional services to assist in more complex/zero downtime migrations.
End-of-contract process: At the end of the contract, assuming no extensions are made to service, our service will terminate service at the end of contract.

For hosting services, we make significant effort to ensure workloads are not in active use and that the wider business is aware of any implications if the service is terminated.

We can continue hosting for additional costs which will be inline with the original contract.

If services are terminated, our process is as follows;

> Soft terminate network connections - i.e. we soft shut the network whilst leaving workloads running but now in an offline/disconnected state.

> 72 hours later the workloads are shutdown at a machine/running level.

> 30 days later - the workloads are deleted from our systems.

The reason we do this is to ensure failbacks can happen quickly if required, or if data/tools/information is required, there is a technical means to do so within 30 days of the contract expiring. After 30 days, all data is purged from our systems.

Using the service

Web browser interface: No
API: No
Command line interface: No

Scaling

Scaling available: Yes
Scaling type: Automatic

Manual
Independence of resources: We deploy ample hardware from a compute, storage and networking perspective. We have lots of monitoring in place at the lower level of the service and do not over contend resource to the point where it impacts service.

We use software solutions to mitigate performance issues and migrate noisy machines to specific hosts to ensure the wider estate/large demand doesn't impact other users.
Usage notifications: Yes
Usage reporting: Email

Other
Other usage reporting: We notify our own teams internally such as your Primary/Secondary Technical Contacts and your service manager. This adds a human element and they have appropriate overrides to help if limits are being approached.

i.e. If a limit is longer term, fees may change, but if usage is quite temporary (i.e. extra machines during an upgrade period/normal BAU changes/a small spike for a specific event), then our team are authorised to allow changes to ensure business needs are catered for accordingly.

Analytics

Infrastructure or application metrics: Yes
Metrics types: CPU

Disk

HTTP request and response status

Memory

Network

Number of active instances

Other
Other metrics: Disk I/O.

Application Metrics.

System Infrastructure Logs and Events.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed

Hardware containing data is completely destroyed
Equipment disposal approach: In-house destruction process

Backup and recovery

Backup and recovery: Yes
What’s backed up: Virtual Machines.

Files and Folder Contents.

Databases.

Active Directory Systems.

Configuration Files.
Backup controls: Backups are on a custom schedule. We align backups to business needs so custom schedules can be configured.

By default, we schedule backups to have daily copies of the week, 1 weekly copy and 1 monthly copy retained.
Datacentre setup: Multiple datacentres with disaster recovery

Multiple datacentres
Scheduling backups: Users contact the support team to schedule backups
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We offer an SLA based on the overall solution. As such, if a service is contained on a single instance/none resilient system, then the SLA is 99.5%.

For systems with High Availability or BCP/DR or Fault Tolerance the SLA will be 99.9%. The 99.9% is based on either of the multiple sites being able to service requests (i.e. two sites each individually have 99.5% but combined form a 99.9% service) - i.e. we're stating that we'd breach SLA if both sites are down at the same time for 0.01% of the time.
Approach to resilience: This information is available on request. The resilient nature is designed across physical controls, technical architecture and operational processes all designed in a manner to increase resilience whilst still allowing flexible changes to service.
Outage reporting: Email Alerts for outages along with contact organised via a dedicated incident response plan. i.e. we might be a component within your incident response plan.

Without a response plan, we'll email and then call specific contacts to notify of the outage and what we're doing to fix it, along with any available ETAs.

Identity and authentication

User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google apps)

Limited access network (for example PSN)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: We use PAWs (Priv Access Workstations) along with multiple layers of MFA along with Hardware Tokens. We have a lot of custom detection rules within these zones of our networks and services to ensure anything anomalous is alerted on rapidly.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Dedicated link (for example VPN)

Username or password

Other
Description of management access authentication: Dedicated workstations and dedicated management planes.
Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Dedicated device on a government network (for example PSN)

Dedicated device over multiple services or networks

Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information: Users receive audit information on a regular basis
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users receive audit information on a regular basis
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: CSA CCM version 3.0
Information security policies and processes: We have an internal policy which is approved at board level. We're working towards ISO27001/IASME Level 2 certification.

We have Legal and HR controls linked to employees with significant access and practice segregation of duty amongst our team members.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: When changes are made to our infrastructure, tickets are raised internally to allow tracking and approval.

Depending on the component/area of service being changed, this will trigger a security review and potentially a component level pen test/security scan to ensure we're still operating in an assured manner.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Further information can be requested for more detail. We assess potential threats using a mixture of threat intelligence. Patches are deployed when critical/high according to a tier - if an asset is internet facing vs internally facing vs offline, we have different times along with a different IR protocol. Further details can be requested. Information for threats comes from a variety of open source intelligence sources and we monitor the internet/vendors/news outlets/intelligence partners for information relating to vulnerabilities.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: We identify potential compromises using XDR and SIEM technology along with custom detection rules. We also simulate attacks to ensure we cover blind spots and improve quickly. If we find a potential compromise, we invoke our IR process which can be extremely detailed depending on the nature of the compromise. In terms of time to respond, one an incident is raised, we would start the triage of that immediately (minutes) and work through an escalation process.
Incident management type: Undisclosed
Incident management approach: We have a defined Cyber Incident Response Process which is a high level overall response process. We then have a series of playbooks for common incident types. Users are educated on reporting incidents and are actively encouraged to report anything suspicious. Incident reports follow a set format for an initial report - most incidents will just use this template, if an incident was very complicated, it would use a custom report format.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Supplier
Virtualisation technologies used: KVM hypervisor
How shared infrastructure is kept separate: We use VXLAN/VLAN technology to keep networks separate. From a compute perspective, we use hardware/software which isn't vulnerable to Spectre/Meltdown type known attacks to ensure enhanced resilience. We also perform significant monitoring at the Hypervisor layer to monitor for anomalous access between customer workloads.

Additionally, we offer the ability to have isolated/dedicated hosts where required by business need or data classification.

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: We use partner datacentres and look for energy efficiency when choosing sites. Our current sites have advanced cooling features and we use newer hardware to improve the performance per watt gains on our compute workloads. We also spend significant focus on ensuring we use minimal energy in our datacentre operations.

Social Value

Tackling economic inequality
Equal opportunity
Wellbeing

Tackling economic inequality

As a member of Charity IT leaders we facilitate Cyber security workshops for the member community, educating and helping identify risks and plug gaps they may well not be aware of, this community is broad with organisations that may not have economic advantage to access such information and guidance without cost.

Equal opportunity

We facilitate work placements and provide support to organisations such as Little Gate Farm who support adults with autism and learning difficulties. We also provide work experience placements to support local schools and colleges, both educating, assisting in new skill development and inspiring local students into technology. We also provide volunteering opportunities to our team, that support local charities and communities, a substantial effort has gone into addressing the Digital divide by educating and supporting 'Aging well' networks, via Rother voluntary association. These activities both support well being of work force and give opportunity to develop skills relevant to delivery of Factory Internet services.

Wellbeing

We recognise that the wellbeing of our team and a positive and healthy company culture is paramount to the delivery of the high level of service to our valued clients. We therefore advocate and provide our team with flexible working arrangements to suit, team days out, celebration of successes and provision of premium healthcare packages to support both physical and mental health. With educational resources and training provided by default, we also provide time out opportunities to volunteer with local charities and NFP organisations, providing variety, new abilities and personal development.

Pricing

Price: £20 an instance a month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: We can provide trials of our services. Typically this wont include the same network preparation (i.e. dedicated/IPSec links - but it can be included where possible). Typically we'll provide client VPN/MFA access to resources for testing purposes.

We generally offer 2-4 weeks of testing.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

Factory Hosting

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents