Code Enigma Limited

Managed AWS hosting

A fully managed AWS hosting service. We can provision and configure a highly available, high performance server layout for your PHP application. Alternatively we can take over the running of your existing AWS services. We'll manage your environments, manage your backups, manage your users, audit your security, manage incidents, etc.


  • AWS Select Tier Consulting and Public Sector partner
  • Dedicated hosting team in four timezones
  • Real-time intrusion and service monitoring systems
  • Rapid response to emergency security incidents
  • 24/7/365 monitoring available
  • Rapid scaling options available


  • Tailor-made for high performance / high uptime requirements
  • Disaster Recovery built in
  • Infrastructure changes strictly controlled
  • High level of security in both software and hardware configurations
  • 10 years of experience hosting some of Europe’s busiest websites
  • Streamlined invoicing through a single supplier


£150 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

9 5 4 1 5 7 7 8 6 6 5 9 1 1 1


Code Enigma Limited Greg Harvey
Telephone: 020 3588 1550

Service scope

Service constraints
We can only support sites using version control. Clients and their services are required to conform to our ISO 27001 information security policies. We work as a distributed team so will not normally work onsite. Security in our hosting service is a shared responsibility between Code Enigma, Amazon Web Services (or other hosting provider), and the client.
System requirements
  • We're unable to support Windows servers
  • Debian Linux specialists - other versions may require migration

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our Service Desk is available 24/7 for users to submit issues, requests and report incidents. Our UK/EU based team is available from 8am to 6pm (UK). Response times are as follows:
Urgent - 15 mins - e.g. Unavailability of the entire system.
High - 60 mins - e.g. Unavailability of a key module or major function, causing significant business impact.
Normal - 1 working day - Problems causing inconvenience, minor disruption or restricting performance.
Low - 2 working days - Non urgent problems, cosmetic or general enquiries for information.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Our web chat tool, Mattermost is WCAG 2.0L compliant. For meeting Web Contact Accessibility Guidelines 2.0 (WCAG), Mattermost has received a third-party “A” rating and is working towards an “AA” rating.
Web chat accessibility testing
Onsite support
Support levels
All clients have access to the same level of support and Service Level Agreement.

Code Enigma provides all clients with secure, authenticated access to our management dashboard. From this, you’re able to manage your users, access instant chat services, view live systems status dashboards and use our secure file sharing.

This also enables access to our Service Desk which is based on the open source, issue management tool, Redmine.

Our Operations team oversees contract and relationship management for all clients, including scheduling and chairing regular service reviews. These are an opportunity to review and discuss any key issues/incidents, improvement suggestions/requests and problem/root cause analysis. They are also an opportunity for qualitative feedback on how we deliver our services. The frequency of these reviews is agreed with you, but we typically meet with clients monthly.
Support available to third parties

Onboarding and offboarding

Getting started
We provide training, support and maintain a detailed FAQ.
Service documentation
Documentation formats
End-of-contract data extraction
Users have full service access and can extract their data however and whenever they wish. We can also provide final capture of data in certain formats, to be determined when contract is signed.
End-of-contract process
The AWS account being managed will have the billing details changed so it belongs to the user and is paid for by the user. The user may then either cancel the account or continue their services, if they so wish. If Code Enigma did not create the AWS account, we will simply cease to manage the service.

Using the service

Web browser interface
Command line interface
Command line interface compatibility
Linux or Unix
Using the command line interface
Once servers are set up clients can have full SSH access to those servers. Client administrators can decide how much access other members of their organisation may have. Client administrators have 'sudo' access on all servers, so are unrestricted in their access.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
Each user has their own distinct and separate AWS account, there is no shared infrastructure between users.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Full access to AWS CloudWatch
  • Dedicated Prometheus monitoring server
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Reseller providing extra support
Organisation whose services are being resold
Amazon Web Services

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • Disk volumes
  • Databases
Backup controls
Users can request a change to backup schedule by raising a ticket in our service desk.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.99% uptime guarantee on AWS services calculated month on month:
between 99.90% and 99.99% - 10% refund
between 95% and 99.90% - 30% refund
below 95% - 100% refund

99.95% uptime guarantee per server on software, excluding planned maintenance. Credit is prorated on outages covered by the SLA.
Approach to resilience
We use AWS autoscaling technology to ensure there is more than one server available, where budget permits. We also use AWS Availability Zones (data centres) to spread infrastructure across multiple physical premises, to guard against issues with any one data centre. We can, on demand, also run multi-region resilience, e.g. infrastructure in London and Dublin.
Outage reporting
Each user has their own Prometheus monitoring service and access to AWS CloudWatch alarms. Both can be configured to alert via API or email. The user will also have their own private dashboard, provided by Prometheus.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
We have a roll-based user management system and separation between staff and users via a network of Groups. We use these Groups to only allow technical staff and designated user administrators access to management interfaces. Similarly, only designated Groups may access a user's support services. The user's administrators can self-manage the members of the various groups and add and remove users as they see fit.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
BCS Certification
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Areas of HR and Finance teams that deal with company data
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
All relevant information security policies are under document control, stored in our file management system and can be found via our Document Register. This is available to all employees. Key policies are highlighted to employees as part of onboarding and ongoing training. Links to key policies for third parties are incorporated into contracts. The members of the management team are identified through the People Chart and Roles and responsibilities documents. More extensive information relating to management responsibilities for the ISMS are given in the Management Team Terms of Reference and QMS/ISMS Management operations process. Aspects of these process are highlighted to all employees as part of general awareness training, while management have a specific awareness module on management responsibilities. We have an Access Control Policy that determines the access to information and systems based upon business requirements. The parameters for secret authentication information are set out in the Acceptable Use Policy and apply to all users (employees and third parties). The use of cryptographic controls is defined in our Acceptable Encryption Policy. The implementation of information security in development is defined in our Secure Development Policy

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are defined in the Change Control Policy and the process for handling change is dependent on the context. The Case Tracker is used widely to track change requests. System changes are also tracked through commit logs in GitLab. Other supporting process documentation is linked to from the Change Control Policy. Code Enigma has defined 3 types of change: Standard changes (low risk, a risk assessment should be performed in the first instance); Emergency changes (may occur in response to a cyberattack, discovery of a vulnerability or bug, or data breach of any kind); Managed changes (follow set procedure)
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use CVE tracking software to get alerted to vulnerability reports relating to software we operate. We aim to deploy patches within 12 hours, wherever possible and if patches are not yet available we will implement mitigations when available. All information comes from the MITRE Corporation CVE database.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We operate numerous pieces of software to identify compromises, notably rkhunter, OSSEC IPS and ClamAV. If a potential compromise is discovered the server is immediately isolated for investigation and a security incident is raised. We aim to achieve this initial response effective immediately on discovery. After that, speed of response will depend on the nature of the incident and the wishes of the user. If we have reason to believe laws have been broken it will be necessary to inform law enforcement, and the affected infrastructure may not be touched by anybody until released.
Incident management type
Supplier-defined controls
Incident management approach
We've developed a Security Incident Management Policy which includes definitions and examples of security incidents, events and vulnerabilities. There are guides for how to report an incident, and what action Code Enigma will take when a report is recorded. Reported events will be assessed on a case by case basis, and a qualified member of the Management team will determine if a reported event is an incident. In the event of an information security incident, it will be assessed and entered into the case tracker by a member of the Management team, following our Corrective and Preventive Actions (CAPA) Procedure.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
AWS is committed to running its business in the most environmentally friendly way possible and achieving 100% renewable energy usage for its global infrastructure. Higher utilization rates, energy-efficient servers and renewable energy supply of AWS data centers mean that they have an 88% lower carbon footprint compared to an average on-premise data center. AWS reached 65% renewable energy across their business in 2020 and became the world’s largest corporate purchaser of renewable energy. AWS infrastructure was found to be 3.6 times more energy efficient than the median surveyed enterprise data center. Amazon is committed to building a sustainable business for all customers and the planet. In 2019, Amazon co-founded The Climate Pledge—a commitment to be net zero carbon across the business by 2040, 10 years ahead of the Paris Agreement.

Social Value

Fighting climate change

Fighting climate change

We choose to base many of our services on AWS due to their commitment to be net zero by 2040. We review the data centres we use against the Green Web Foundation's hosting directory ( to look for opportunities to minimise our environmental impact. AWS' approach differs from most other green hosting companies in that it is not only based on offsetting, carbon credits, and tree planting, but also significant investment in renewable energy schemes internationally. We are exploring the prospect of using company funds to subsidise “green” home improvements for our UK employees (replacing gas boilers with heat pumps, solar panel installation, insulation improvements etc.). We reviewed our banks against and have closed our account with HSBC. We currently bank with the Co-Operative, Nationwide, and an investment bank in the North of England, and are in the process of switching to Triodos because of their ethical and sustainable approach to banking.


£150 an instance a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.