CenturyLink Limited

CenturyLink Hybrid Cloud - PaaS

Provides PaaS hosting capability in Physical or Hybrid environment. The managed infrastructure supports platforms suitable for Commercial, Official & Official-Sensitive (Historically IL0, IL2 & IL3). Secure, Managed (SQL & Oracle, IIS & Apache), Scalable, Compliant, Resilient, Managed, Backup, Recovery, Marketplace, ISO270001, SLA, Portal Access. Optional Remote Access within PaaS.


  • CapEx Cost Reduction
  • Consistent Global Operations run book (Standard Operating Procedures)
  • Portability for Existing Applications
  • Security
  • Customisation & Flexibility
  • Large capacity Servers and Storage
  • Hybrid IT Infrastructure
  • Physical Isolation of Resources


  • Makes it easier to adapt to changing business conditions
  • Increases levels of support and service availability
  • Eases adoption of new business processes
  • Makes the IT budget more stable and predictable
  • Provides access to the latest technology with limited risk
  • Provides access to an enhanced skills base
  • Enables your IT group to focus on the core business
  • Reduces costs, including traditional service fees, hardware & IT operations


£350 per server per month

Service documents

G-Cloud 9


CenturyLink Limited

Siobhan Hafferty

+44 7584 338034


Service scope

Service scope
Service constraints CenturyLink offers a flexible Hybrid Cloud PaaS service that can vary in configuration.

The constraints are dependant on the services subscribed by the customers.

This can be provided and detailed upon request.
System requirements Service Dependant

User support

User support
Email or online ticketing support Email or online ticketing
Support response times This is service / agreed SLA dependant. The response SLA's varies between 15 minutes to over 4 hours dependant on the severity level of the ticket.

The response times also varies depending the support level agreed. CenturyLink provides various levels starting 8/5 weekdays only to 24/7 support.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels The support levels are dependant on the priority / severity of the support request. The support levels varies from Tier 1 support to Tier 4 support.

Depending on the complexity of the infrastructure CenturyLink can provide specific support roles such as TSE (Technical Services Engineer), TOM (Technical Operations Manager), TAM (Technical Account Manager, CTA (Client Technology Advisor), etc... at additional cost under CenturyLink "CenturyLink Consulting Services" service description within the G-Cloud 9 Cloud Support Service.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The CenturyLink Onboarding team provide a flexible service to ensure that the customer is educated to ensure best use of the platform. The first week is usually introductions to the people and program and at least one training session.The Assisted Deployment is where the QuickStart team assists you in building out additional Servers, creating reports, and working with backups and your other services.The final Closure phase is where the QuickStart Team ensures the goals set out in the first meeting were met, and reviews all the support contacts and processes so that you know how to engage CenturyLink for ongoing support. Extended on-boarding engagements are available on request.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction This is service dependant and also depends on the complexity of the infrastructure services provided. CenturyLink has a standard methodology for the creation of an exit plan for its customers. The costs and timescales are wholly dependent on the size of the infrastructure, the requirements of the customer and the customer needs for the transfer of data back to the customer or its new supplier. A customer can request the return of data on a standard CD format or stored onto unique tape media, encrypted, duplicated and shipped to separate locations.
End-of-contract process CenturyLink has a standard methodology for the creation of an exit plan for its customers. The costs and timescales are wholly dependent on the size of the infrastructure, the requirements of the customer and the customer needs for the transfer of data back to the customer or its new supplier. At a high-level the proposed exit plan methodology, under a statement of work, would be as follows: The contract reaches the point of natural expiry is terminated as per the contract, or another trigger event occurs that requires the implementation of an exit plan. CenturyLink Professional Services / Project Manager will own execution of the plan within CenturyLink. Professional Services / Project Manager discuss with customer exactly what is required of the migration. Professional Services / Project Manager engage the areas of the business required to deliver on the plan. If this exceeds contracted thresholds for exit costs, or is otherwise chargeable under the contract then these charges will be agreed with customer before commencement of the plan. Execute in accordance with the agreed plan.

Using the service

Using the service
Web browser interface Yes
Using the web interface The SavvisStation online portal is a web based application that provides approved customer representatives with secure access using almost any Web browser. Throughout the portal, users can customize and configure their views. The portal is built with a focus on security and user permissions. Customer information is safe, and only accessible by those with the proper authorisation. There is no charge for customers to use the SavvisStation online portal, and there is no limit to the number of user accounts that can be assigned for a customer. The SavvisStation portal: • Provides alert and notification management capabilities • Allows end user customisation and configuration • Enables monitoring setup and self-provisioning • Delivers permissions-based functionality • Features an intuitive and easy-to-use user interface • Supports mobile device access • Provides interactive charts and graphs with drill-down capabilities • Enables custom reporting with automated e-mail delivery • Facilitates order and invoice management • Supports change management processes • Enables easy case management and tracking • Features a web services Applications Programming Interface (API) for maintenance and ticket management • Allows an unlimited number of user accounts • Includes a comprehensive document library
Web interface accessibility standard None or don’t know
How the web interface is accessible N\A
Web interface accessibility testing None
What users can and can't do using the API This API allows the customer to connect to CenturyLink to create tickets, perform limited updates, and add notes without manual intervention such as calls to the Operations Centre or Account Team. It is a single directional API. As such, the Portal API requires the Customer to schedule “gets” to have updates processed into their system. Therefore, as CenturyLink works to update the ticket, those updates are not pushed back to customer in real time. Creates are performed in real-time and poll intervals are established to ensure system performance. Polls are limited to no more than every minute. Data retrieved may be delayed by 30 minutes. The specifics of this configuration should be finalised through collaboration with CenturyLink.
API automation tools
  • Ansible
  • Chef
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface No


Scaling available No
Independence of resources The CenturyLink Hybrid PaaS platform is a dedicated / private platform that will be physically and logically dedicated to a specific customers at all levels including Network, Compute and Storage. The platform will be physically and logically isolated from other users / customers and the customer can make full use of its performance capabilities.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up Service Dependant
Backup controls Backup includes data backup and restore on demand, utilising high capacity and high availability tape libraries.

Backup Encryption provides the same services as Utility Backup with the addition of data encryption throughout the lifecycle of the data

Vaulting includes retention, data management and rotation of data to off-site secure data archiving facilities. Service is only available to Customers whose backups are managed by CenturyLink.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network CenturyLink will protect the customer data by using various mechanisms at different levels depending upon the complexity and protection levels, this includes but not limited to; physically and logically isolating the data with the environment, SAN zoning at the storage layer, Firewall policies and Access Control Lists (ACL) at the network layer, Multi-Factor Authentication, Physical Access controls, Change Control, etc.. Further details can be provided upon request.

Availability and resilience

Availability and resilience
Guaranteed availability CenturyLink provides a minimum of 99.95% system availability to its customers. CenturyLink managed its services to meet its SLAs in the following ways: 1. CenturyLink Service Management team provide the primary interface Client Service Partner (CSP) for SLA management. The Client Service Partner is responsible for CenturyLink’s’ performance against the agreed SLA’s, and will monitor and report on performance on an on-going basis. As part of their role, the Client Service Partner’s perform the following functions that CenturyLink support SLA management: • Root Cause Analysis (“RCA”) reporting. In the event of a major outage, a Client Service Provider will create and submit to customer an RCA, which details the root cause of an outage, and subsequent follow up actions. Corrective Action Plan (“CAP”) creation. Following on from an RCA, the Client Service Partner will lead the creation of a CAP and propose to customer the corrective actions that CenturyLink will employ to mitigate the cause of the outage to prevent its recurrence. This may take many forms dependent on the type of incident, including but not limited to; Process changes (both within CenturyLink, and its interface with customer), further training, solution correction or re-configuration, additional patching or updates etc.
Approach to resilience This is a CenturyLink confidential information that can be made available upon request under an NDA.
Outage reporting As a standard CenturyLink will report outage by sending automatic email alerts and Dashboard Status Updates. For customers with a dedicated service partner any outages will be reported by the service partner resource either by email or a telephone contact to the nominated customer resource.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Management interfaces are restricted by logically and physically isolating them on a separate network with rigid access controls in place. Any user accessing the management interfaces and support channels will have to authenticate using a separate username and password or multi factor authentication that is different from their normal network username and password.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman
ISO/IEC 27001 accreditation date 23/06/2016
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 29/06/2015
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification Yes
Who accredited the PCI DSS certification Coalfire Systems
PCI DSS accreditation date 10/11/2016
What the PCI DSS doesn’t cover N/A
Other security accreditations Yes
Any other security accreditations
  • PSN Supplier Certified
  • PSN Customer Certified

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards SSAE16, PCI DSS, PSN Customer Certified, PSN Supplier Certified
Information security policies and processes There are a number of policies and processes that apply across CenturyLink internal and customer infrastructure, policies are critical for providing assurance to customers, regulators and auditors. CenturyLink takes seriously the confidentiality, integrity and availability of data placed in its care. There are also a number of guidelines that CenturyLink follow while working with confidential and/or personal data. The policies include, but not limited to, Access Control Policy, Application Control Policy, Antivirus Policy, Asset Management Policy, Data Centre Design Policy, Conditions of use of IT facilities at CenturyLink, Confidential Information Transfer Policy, Electronic Messaging Policy, IT User Accounts Policy, Laptop Encryption Policy, Network Connection Policy, Password Policy, Patch Management Policy, PCI DSS Compliance Policy, Information Security Policy, Remote Access Policy, etc.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Change Management policy is designed to apply standardised methods and procedures on a global basis to provide efficient and prompt handling of all changes to the Infrastructure to minimize the impact to Clients and include: Ensuring the continuity of business and system process Establishing a process for communicating and managing changes for increased visibility and communication of changes to both the business and operational support staff Reducing the number of incidents caused by changes Increasing effectiveness of changes by including lines of business in the decision process Improving confidence in Global Technical Organisation to maintain network and system availability
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach CenturyLink performs vulnerability scans on the shared infrastructure environment including the Hosted Area Network & Management Infrastructure that looks for known vulnerabilities or configuration weaknesses in applications, systems or infrastructure . Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities. Approved 3rd party vendors may conduct external assessments for customers by contacting CenturyLink operations centre and with prior notification. Note that CenturyLink does not allow customer testing of any parts of the shared infrastructure, any testing must be scoped within a customer’s own deployed solution.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach The Service Centre is the single point of contact for requests and incidents. The Service Centre also provides constant proactive monitoring, vendor management and communication of incidents within a client’s environment. The Service Centre is staffed Incident Specialists who have the following responsibilities: Incident Specialists are responsible for monitoring and responding to events originating from CenturyLink’s proactive monitoring infrastructure toolset. They have management control over customer infrastructure and adhere to a strict functional escalation methodology to enable rapid fault isolation and restoration of customer services. Incident Specialists communicate directly with the customer during incident troubleshooting and resolution or change execution.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach CenturyLink will provide customer support 24 x 7. When an Incident or Request occurs, CenturyLink shall use reasonable efforts to meet the Time to Respond Objectives we have in place. Incidents are categorized as severity levels P1 (Urgent), P2 (High), and P3 (Medium). Requests are categorized as severity levels P1 (Urgent) or P4 (Low). There are four ways for a customer to initiate a request: Proactive Monitoring; Phone Call; Portal; E-mail Updates for P1 Incidents are sent every hour, P2 Incidents and P1 Requests are sent every four hours. P3 Incidents and P4 Requests are sent every 24 hours.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £350 per server per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑