Appvia Ltd

Application Container Platform (ACP)

The Application Container Platform (ACP) makes it fast and simple for developers and engineering teams to build, run and manage containerised applications. The application delivery framework provides an end-to-end delivery pipeline for building and operating applications to industry standards and best practices.


  • Cloud agnostic, portable across private and public cloud and bare-metal
  • End-to-end framework for microservice application development
  • 24x7 support options available
  • Cost management tools included in the platform
  • Multi-tenant environment, automatically scaled according to demand
  • DevOps engineered principles (no need for dedicated DevOps resources)
  • Standard architectural patterns for rapid deployment
  • Security assured, penetration tested platform
  • Open source technologies, no vendor lock in
  • Autoscaling and Autohealing


  • Enabling rapid delivery of projects and services
  • “Secured by design” built into delivery of services
  • Industry best practices used and promoted throughout application delivery
  • Repeatable design patterns and re-use
  • Reduced hosting costs through economies of scale
  • Self-service portal for digital delivery teams
  • Encourage delivery of decoupled scalable micro service applications
  • Production environments within seconds
  • Reduction of reliance on DevOps resources
  • Development language agnostic


£4000 per unit

  • Education pricing available

Service documents

G-Cloud 10


Appvia Ltd


020 3475 0546

Service scope

Service scope
Service constraints Bound by SLA inherited from public cloud (eg. Amazon AWS or Google Cloud Platform)
System requirements N/A

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard: 9 to 5, Mondays to Fridays excluding public holidays. Extended support available.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible General support through Slack
Web chat accessibility testing None or don’t know
Onsite support Yes, at extra cost
Support levels Standard support service is available by email, telephone and web chat.
Enhanced support is available at an extra cost.
On site support is available at an extra cost, delivered by on-site platform engineer.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Full training can be provided with inductions around all tooling and delivery.
Self-service portal with indexed FAQ's can be used to find information on how to use features.
Remote additional training can be offered as well as video support.
Service documentation Yes
Documentation formats
  • HTML
  • Other
Other documentation formats Markdown
End-of-contract data extraction Client will request access to the data and all data related to client will be provided within an agreed timeframe
End-of-contract process TBC

Using the service

Using the service
Web browser interface Yes
Using the web interface Self service portal allow users to onboard and manage their projects.
Project admins are able to define strategies for onboarding other users (self service or pre-approval)
Web interface accessibility standard None or don’t know
How the web interface is accessible None or don’t know
Web interface accessibility testing None or don’t know
What users can and can't do using the API Kubernetes and cloud provider APIs available
API automation tools
  • Terraform
  • Other
Other API automation tools
  • Kubernetes
  • Docker
API documentation Yes
API documentation formats Open API (also known as Swagger)
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface Deploy and manage the lifecycle of their application, as well as any public cloud services


Scaling available Yes
Scaling type Automatic
Independence of resources RBAC defined policies with separate namespaces. Separate nodes or clusters can be added at additional cost. QOS limits are applied to CPU and Memory for all workloads.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Whatever the application needs to define
  • Statsd supported metrics
  • Latency
  • Prometheus supported metrics
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Files
  • Databases
  • Local or remote persisted files
  • Application logs
  • Audit logs
Backup controls These will be provided via either Cloud Hosted Offerings or via additional provided components as part of ACP. Users will deploy the service with their application.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Cloud Service SLA's will be used or will be inherited from the on-premise private cloud. as an example
Approach to resilience We leverage large scale cloud resiliency, distributing across a region's multiple availability zones.
Cross cloud platform federation can be provided at an extra cost for higher availability
Outage reporting Overall status page with known incidents / service degradation,
Email alerts,
Slack notifications,
Pinned self-service portal messages

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels We use tight Role Based Access Controls to granulate user permissions across our services.
Administrative access is hardened with separate credentials and MFA devices
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security Governance is inline with NCSC's guidelines and best practices, along with Cloud Security practices and Digital Principles.
Regular pen-tests are peformed on all platform services we provide
Information security policies and processes TBC

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Each change is rigorously and automatically tested through with continuous integration / delivery pipelines (CI/CD). Automatic vulnerability scanning is performed daily.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We subscribe to a number of vulnerability and threat monitoring agencies including the NCSC threat newsletter. A baseline patching process is maintained monthly for all services, and emergency responses to critical threats are evaluated and actioned appropriately.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Protective monitoring can be provided depending on client needs.
Incidents are responded to appropriately based on the severity of the event.
Incident management type Supplier-defined controls
Incident management approach We have adopted an ITIL incident management process.
Incidents are reported via the self service portal or through web chat.
We can provide incident reports on demand and at intervals defined by the client.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon AWS, Google Cloud Platform, Microsoft Azure, VMWare
How shared infrastructure is kept separate Each organisation has its own set of accounts

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £4000 per unit
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑