Microsoft Azure hosting

Service scope

Service constraints: We can provide solutions and services that make use of the full suite of Azure products and services, so we are only constrained by what Azure can offer.

We currently do not offer any on-premise hardware support or design as we work exclusively in cloud systems.

Our software is primarily written in .NET Core and Javascript.
System requirements: Solution requirements must be Azure compatible

Solutions must run on Windows, Linux, or serverless.

User support

Email or online ticketing support: Yes, at extra cost
Support response times: Response times are based on the priority of the ticket:
- Priority1 = Immediate
- Priority2 = 2 working hours
- Priority3 = 8 working hours
- Priority4 = 24 working hours

Customers may purchase out of hours and weekend support at an additional cost, and response times will be agreed as part of that service.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Our standard support offering includes:
- Access to Freshdesk ticketing system
- Access to onsite support
- Dedicated Account Manager
- Response times SLA

Our Premium offering additionally includes:
- Dedicated support staff
- 24x7 hotline for Priority 1 incidents

Both offerings are priced separately per project, depending on the amount of support required each month.

Out of hours support
Unsociable hours, namely weekends and statutory holidays, and after 5.00pm on weekdays, will be charged at £300/month to have the service available.

If the customer uses the emergency call line, £250 will be charged for the call-out. This covers up to one hour of the support team member’s time. £150 will be charged for every whole or partial 30 minute period thereafter.
These rates are for the work the development team will have to perform in order to identify and resolve the problem.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Our approach is to provide a managed service in terms of hosting, so minimal training is required in this regard.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Microsoft offers different pricing models, depending on the model you are using the contract date will vary. As Microsoft services are scalable, you will only pay for what you are using they can be scaled up or down at anytime.

Microsoft pricing calculator can be found here
https://azure.microsoft.com/en-gb/pricing/calculator/
End-of-contract process: Details of account closure are included in the Microsoft Online Subscription Agreement

https://azure.microsoft.com/en-gb/support/legal/subscription-agreement/

Using the service

Web browser interface: Yes
Using the web interface: Almost all Azure services can be accessed via the web portal.

Configuration parameters of some services are only available from the CLI, SDK or API interface.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: You can sign in to the Azure Management Console using your Microsoft account root user credentials at https://azure.microsoft.com

Azure Identity and Access Management (IAM) user, can be configured enabling the use of a specialised URL.
Web interface accessibility testing: Azure offers assistive technology
API: Yes
What users can and can't do using the API: All functionality is available from the API
API automation tools: Ansible

Chef

OpenStack

SaltStack

Terraform

Puppet
API documentation: Yes
API documentation formats: HTML

PDF

Other
Command line interface: Yes
Command line interface compatibility: Linux or Unix

Windows

MacOS
Using the command line interface: All Azure functionality is available via the CLI.

Scaling

Scaling available: Yes
Scaling type: Automatic

Manual
Independence of resources: Provision of multiple instances. Auto-scaling in place for further instances if pre-agreed compute or latency thresholds are exceeded.
Usage notifications: Yes
Usage reporting: Email

Analytics

Infrastructure or application metrics: Yes
Metrics types: CPU

Disk

HTTP request and response status

Memory

Network

Number of active instances

Other
Other metrics: Azure Monitor configured to collect all metrics

All Azure services publish metrics to Monitor

Azure Log Analytics account provides further diagnostic metrics from logs
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Azure

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding

Other
Other data at rest protection approach: Encryption is managed by 3rd party, ie Microsoft. Data encryption at rest is available for services across the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud models. More details can be found here https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed

Hardware containing data is completely destroyed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up: Azure Virtual Machines

SQL Server

Azure File shares

On-premise files, folders or systems
Backup controls: Azure Backup is a fully managed backup service that makes it easy to centralise and automate the back up of data across Microsoft services in the cloud as well as on premises. Using Azure Backup, you can centrally configure backup policies and monitor backup activity for Azure resources. Azure Backup automates and consolidates backup tasks. Azure Backup provides a fully managed, policy-based backup solution, simplifying your backup management, enabling you to meet your business and regulatory backup compliance requirements.
Datacentre setup: Multiple datacentres with disaster recovery
Scheduling backups: Users schedule backups through a web interface
Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Use infrastructure assuring 99.9% uptime
Approach to resilience: We make extensive use of Azure's native resiliency and redundancy capabilities through leveraging multiple Availability Zones through load balancers for servers and (where possible) distributed databases or read replicas. This is further supported by 'warm' backup regions in case of a disaster recovery scenario.

Details of Azure's SLA's can be found here;
https://azure.microsoft.com/en-gb/support/legal/sla/
Outage reporting: Azure Monitor - Azure Alerts API
Public dashboard
Email alerts
Text messages

Identity and authentication

User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google apps)

Username or password

Other
Other user authentication: Typically username and password, but MFA also available. Other - capability to offer facial recognition.
Access restrictions in management interfaces and support channels: Username and password. Resets only available directly to user via their email.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Username or password
Devices users manage the service through: Dedicated device over multiple services or networks

Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: British Assessment Bureau
ISO/IEC 27001 accreditation date: 21/12/2021
What the ISO/IEC 27001 doesn’t cover: N/A
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Company Information Security Policy must be signed by all employees, and is updated regularly.
CTO – The company’s Chief Technology Officer is responsible for corporate-wide IS system planning, implementation, and execution.
Information Security Manager – The IS Manager is responsible for the company-wide datacenter and network infrastructures.
DevOps Engineers – The DevOps Engineers are responsible for all enterprise business systems.
Internal Users -- All members of the the company User Community are required to familiarise themselves with the policies outlined in the The Company Employee and Contractor IS Policies document.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Changes are managed via the change control process to ensure projects remain within approved constraints. Change proposals are agreed with the client, completed by the individual who identifies the need for a change, then submitted to us. The project team then assesses the impact of the change. The request is submitted to the change control board with the project team's findings to be reviewed. If the change is approved, all project documentation must be updated and the change must be communicated to all stakeholders. Some changes may also require re-alignment of the project costs, schedule, or scope.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Threats are monitored using an IDS provided by Azure along with the standard protection offered by Azure. Patches are routinely applied with urgent hotfixes applied the same day as a threat is identified. Threat information is monitored from Azure and industry leading security boards and alert feeds.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: This is managed by Azure on our behalf.
Incident management type: Supplier-defined controls
Incident management approach: Incidents are managed via a ticketing system.
Information and FAQs are available via the ticketing system to help with common issues. Canned responses are prepared for common issues. Users report incidents via email or through ticket portal. Responses are given according to pre-defined SLAs. RCAs are available for critical issues. Ticket reports are available at client request.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Third-party
Third-party virtualisation provider: Azure
How shared infrastructure is kept separate: Different accounts for different clients on Azure. Clients have separated Azure instances.
Azure assure security of the cloud.

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: Microsoft is committed to achieving 100% renewable energy across our global infrastructure.

https://www.microsoft.com/en-us/corporate-responsibility/sustainability

Social Value

Fighting climate change
Equal opportunity
Wellbeing

Fighting climate change

Fighting climate change The Virtual Forge are committed to ● Complying and keeping up to date with environmental legislation ● Preventing pollution ● Continually working to reduce our environmental impacts – minimising waste produced, minimising our energy use, training staff and encouraging greener transport options Specific areas where we are working to reduce our environmental footprint: ● Working with our staff and building users to make all of the building’s operations as environmentally friendly as we can, heating and lighting our premises efficiently ● Investigating how much waste we generate, using segregation to enable higher rates of recycling ● Looking at how people travel to and from our site: encouraging public transport and cycling ● Looking at what we buy – sourcing goods with low environmental impact and working with local suppliers wherever possible

Equal opportunity

Equal opportunity The Virtual Forge Limited is committed to achieving a working environment which provides equality of opportunity and freedom from unlawful discrimination on the grounds of race, sex, pregnancy and maternity, marital or civil partnership status, gender reassignment, disability, religion or beliefs, age or sexual orientation.

Wellbeing

Health and wellbeing initiatives run throughout the year encouraging the wider VF family & friends to get involved.

Pricing

Price: £0 to £150 an instance an hour
Discount for educational organisations: Yes
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

Microsoft Azure hosting

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents