Versantus

Acquia Drupal Cloud

Acquia Drupal Cloud Platform is a fully managed, high-availability, scalable, clustered Drupal hosting environment, built on Amazon Web Services infrastructure. Acquia Cloud is used for hosting the most complex Drupal applications with the highest performance and uptime requirements.

Features

• Scalable infrastructure
• Fully-managed service
• Site monitoring tools
• Automated development workflow
• 24x7 monitoring by Acquia's cloud security team
• Redundant hosting
• Choose from multiple, hosting locations around the world
• Security monitoring and testing
• Backups
• Alerting and support services

Benefits

• High availability
• Thoroughly secure hosting environment
• Disaster Recovery
• IT resource and cost savings
• Certified Drupal Experts
• Drupal Association Premium Supporting Partner
• Acquia Preferred Partner

£5,995 a licence

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.vallance@versantus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

964320194646753

Contact

David Vallance
01865 422112
david.vallance@versantus.co.uk

Service scope

• Service constraints: None
• System requirements:
  • Drupal used as CMS
  • Modern web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Responses vary based on urgency. Support SLAs are applicable 24x7, support is available on a 24x7 basis.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Acquia provides standard technical support, advisory hours, a technical account manager and enablement services.; ; Support Levels: Starter, Basic, Business, Premium, Elite; ; See details at: https://docs.acquia.com/support/guide#overview_subscriptions; ; Customer may contact Acquia Support Services by submitting tickets or by phone. Response times to tickets are based on the level of urgency.; ; "Critical" issues where the customer's production system is inoperative, production operations are several impacted, or involving a critical security issue have a 1 hour, 24x7 initial response time.; ; "High" urgency issues (Customer’s production system is operating but the issue is disrupting Customer’s business operations; a workaround is not suitable for sustained operations) have a 2 hour maximum initial response time during business hours.; ; "Medium" urgency issues (Customer’s system is operating and the issue’s impact on Customer’s business operations is moderate to low; a workaround or alternative is available) have a maximum 4 hour initial response time during business hours.; ; "Low" urgency issues, which do not impact business operations in any significant way and have little or no time sensitivity, have a maximum initial response time of one business day.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Versantus provides a fully managed service for Drupal hosting on Acquia. In addition, Acquia provides a range of resources to help customers get started. Together we perform a complete assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. Online training and documentation is also readily available.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: When a customer cancels service with Acquia, the customer’s servers are terminated and the website data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized so that the data cannot be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices.; ; Data is exported and provided to the customer via Redshift.
• End-of-contract process: End of contract includes provision of your data and files. Migration support to another platform would be chargeable at an extra cost (varies according to your needs)

Using the service

• Web browser interface: Yes
• Using the web interface: The Acquia Cloud UI can be used to monitor and report on capacity, usage, availability and security, and to perform backups. The dashboard can also be used for content tagging and ranking, as well as user access management.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Accessible through a browser-based dashboard/UI.
• Web interface accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Acquia provides a Cloud API that allows our customers to automate many site management tasks and access our cloud services remotely.; ; More information on the Acquia Cloud API is available here:https://cloudapi.acquia.com/
• API automation tools: Puppet
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: Acquia Cloud has two additional interfaces that developers can use to extend, enhance, and customize Acquia Cloud:; ; Acquia Cloud API - The Acquia Cloud API is a RESTful web interface that allows developers to extend, enhance, and customize Acquia Cloud. It includes developer workflow, site management, and provisioning capabilities.; ; Acquia Cloud Drush commands - The Acquia Cloud Drush commands allow you to use all features of the Cloud API either on the command line or from shell scripts using the excellent Drush command-line tool.

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: The Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia's performance experts analysed performance characteristics and identified the configurations at each layer of the stack that make Drupal websites fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux (Ubuntu) operating system and PHP programming language with Drupal.; ; The Acquia platform provides burstable, elastic cloud resources that let you scale your servers on demand. Our platform continuously monitors site performance.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Acquia

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Website code
  • Static files
  • Databases
• Backup controls: You can make on-demand backups of any database at any time either on the Cloud > Workflow page of your Acquia Cloud account or on the Cloud > Databases page. These backups are listed as User backups in the Acquia Cloud UI. Acquia Cloud keeps on-demand backups until the customer deletes them.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Acquia Cloud supports and encourages the use of SSL on it's customers' sites for protection of data in transit.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: - 99.95% Up-time SLA for infrastructure as well as application; 24x7x365; - 30-minute or 1-hour response time for critical application failure
• Approach to resilience: Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.; ; Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.
• Outage reporting: https://status.acquia.com/ and subscribable email alerts

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Acquia has baseline access security requirements. Access controls can be configured by customers for increased security.
• Access restriction testing frequency: Never
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company, LLC
• ISO/IEC 27001 accreditation date: 23/12/2021
• What the ISO/IEC 27001 doesn’t cover: The certification covers the Acquia Information Security Management System as it pertains to the listed product, among others.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 23/12/2021
• CSA STAR certification level: Level 3: CSA STAR Certification
• What the CSA STAR doesn’t cover: N/A
• PCI certification: Yes
• Who accredited the PCI DSS certification: Schellman & Company, LLC
• PCI DSS accreditation date: 06/10/2021
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
• Other security governance standards: - SOC 1; - SOC 2; - HIPAA; - PCI-DSS; - FedRAMP
• Information security policies and processes: Acquia follows its Information Security Policy and Procedures. The information security policy is required to be reviewed on an annual basis and approved by either the CISO or the Senior Director of Information Security. All Acquia employees, interns, contractors, and third party contractors are required to complete a security awareness training course upon hire and annually thereafter, that educates workers about Acquia's security policies. In addition, they are required to sign off on the Acquia acceptable use policy that includes acknowledging the receipt and review of the information security policy.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Acquia utilises an agile change management process. System changes are managed by the Acquia engineering team who use a single server in each environment which is configured as the configuration management server. Changes are grouped into sprints. System changes are tracked in a change management ticketing system and required to be tested and approved prior to being implemented into the production environment. Version control software is in place to help ensure that code changes are tracked and can be rolled back as needed. Changes are assessed for potential security impact.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: At the Operating System and LAMP stack layers, Acquia employs a third-party vulnerability assessment platform, Rapid7, to perform authenticated host-based vulnerability scans against a representative sample of Acquia server types. The vulnerability scans are run weekly and reported to Acquia's security and operations teams. Vulnerabilities are reviewed, identified, and categorised by the Acquia security team, which assigns and prioritises reported vulnerabilities and documents mitigation steps to be implemented by the Acquia operations team.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Acquia uses OSSEC, an open-source, host-based Intrusion Detection System (IDS), which performs log analysis, integrity checking, and time-based alerting. Action is taken immediately if a compromise is identified. All affected or potentially affected customers are notified immediately of the incident.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Acquia has a formally documented Incident Response Plan that describes discovery, investigation, escalation, containment, notification, and documentation processes of security incidents. Upon initial notification that a Security Incident that has occurred, or is in progress, and is customer impacting it is the responsibility of Support team to notify the customers who are likely to be affected by the incident. Regular updates will be sent depending on the nature of the incident and as determined during the incident declaration stage.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: Amazon Web Services
• How shared infrastructure is kept separate: Each customer is provisioned on separate EC2 instances for each layer of their solution. Web application firewalls are in place. Data checks also verify that assets are located in the appropriate customer environments.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: This is an Amazon Web Services Control. Acquia is not responsible for monitoring the energy efficiency of their datacenters.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  “Being good” is a core value at Versantus, and one we take seriously. We know that we’re in a lucky position, and we want to use our privileges to benefit society. ; ; Our Environmental impact; Although we’re primarily office based, and most of our work is online, we can still have a significant impact on the local, national and global environment. ; ; Commuting to work or to customer sites. We encourage our team to travel by public transport or by walking, cycling or running to work where possible. Where we can, we car-share or use public transport. Our team can work from home, and are encouraged to do so where it suits their lifestyle.; ; Our office generates greenhouse gases through our use of electricity and an oil-fired boiler. This is one of our largest impacts, and we make efforts to behave in a responsible way and reduce power usage. Where possible we also purchase electricity from “green energy” suppliers.; ; Our office waste includes recyclable and non-recyclable materials. We have separate recycling bins and take great care to ensure they’re used correctly. We aim to reduce non-recyclable waste as much as possible. ; ; Our office uses water for drinking, cleaning and toilet flushing. We have water-savers in urinals to combat wastage and deal with any leaks quickly. We have sponsored two toilets in Africa as part of a “toilet winning” scheme.; ; Our project work generates greenhouse gases through servers and other IT equipment that runs the websites and software we use ; We love projects that encourage greater environmental awareness, including our work for Swarco Econnect, an electric vehicle supplier, and Global Canopy, an organisation that campaigns against the deforestation of the Amazon.; ; We discuss and advocate a healthy, meat-reduced diet, with several of the team adopting a vegan or vegetarian diet over recent years.

  Equal opportunity

  At Versantus we believe individuals with diverse opinions, cultures, lifestyles and circumstances make us a better company and that everyone is entitled to a working environment that promotes dignity and respect to all.; ; To bring this to life we’re committed to building an environment with equality of opportunity, practices which are free from unfair and unlawful discrimination and where the individual differences and the contributions of our staff are recognised and valued. In addition no form of intimidation, bullying or harassment will be tolerated.; ; We use the OfficeVibe platform which gives our team a safe place to provide feedback, opinions and tell us how they are feeling anonymously should they wish to. ; ; This monitors a number of things across the organisation and individual teams including:; ; - Relationship with manager; - Relationship with peers; - Recognition; - Happiness; - Wellness; - Satisfaction; - Personal growth; ; As a senior leadership team this allows us to understand how our teams feel, take action and measure our impact.

  Wellbeing

  Looking after our team ; To be a sustainable business, we need to care about ourselves and our customers. A happy, healthy team is more creative, productive and long-lasting. ; ; We encourage a healthy lifestyle, with most of the team doing some form of regular cycling, running or other outdoor exercises. The business celebrates and sponsors team members who take part in activity challenges, and several of us complete regular Parkrun, 5k, 10k, half marathon and marathons. One member of our team has completed 2 marathons during 2020 Lockdown! ; ; We talk about mental health and acknowledge that everyone struggles and needs support from time to time. We provide peer support as well as external support where needed and encourage our team to look after their mental wellbeing.; ; We provide employee benefits such as wellbeing allowance and Vitality private Health cover.

Pricing

• Price: £5,995 a licence
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Bespoke to specific requirements

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.vallance@versantus.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.