Flexera Optima

Optima offers a unique approach to cloud cost management and optimisation that enables cloud governance teams to work collaboratively with business units and cloud resource owners to reduce wasted cloud spend.


  • Identify unused or underused cloud resources.
  • Compare cloud costs across regions and instance sizes.
  • View discounting options based on usage.
  • Implement budget controls to avoid surprises.
  • Allocate cloud costs to the appropriate cost centers or teams.
  • Reporting of cloud costs to your organization.
  • Slice cloud spend by clouds, data centers, instance types, etc.
  • Drill-down from summary data to individual servers, to track costs.
  • Compare costs on different cloud providers.


  • Save Cloud costs in public Cloud, based upon usage metrics.
  • Evaluate the most cost-effective regions and instance sizes.
  • Identify the best discounting options based on your usage level.
  • Manage your usage to leverage existing discounts.
  • Implement budget controls to cloud cost surprises.
  • Allocate costs to appropriate cost-centers or teams, to manage usage.
  • Provide tailored reports to every part of your organisation.
  • Slice cloud spend by clouds, data centers, instance types, etc.
  • Drill-down from summary data to individual servers, to track costs.
  • Compare costs on different cloud providers.


£76,000 a unit

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 12

Service ID

1 2 1 7 1 7 9 5 6 0 1 6 5 9 8


SoftwareONE Tom Hook
Telephone: +44 203 005 0238

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Supported CSPs are listed as - AWS, Azure, GCP at time of writing. More CSPs are added on a regular basis.
System requirements
  • Supported Browser is required for access.
  • Credentials required: CSP Portal integration for billing data via credentials/auth/token.

User support

Email or online ticketing support
Email or online ticketing
Support response times
"This would depend upon Severity and negotiated Support contract. Typically for Gold Support, responses are elicited within 30 minutes for Sev1, or up to 8 business hours for Sev4.
More information on Support Levels (Gold / Silver) can be found by contacting Flexera."
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Flexera offer two levels of support. More details can be found on the Flexera website - A 'Customer Success Manager' is provided for customers to drive success at each account. The CSM is typically not charged for.
Support available to third parties

Onboarding and offboarding

Getting started
Flexera offer both onsite and web-based training for customer, with most web-based training videos being free for customers. Extensive documentation for the product exists, both in PDF format or in-context HTML for accessing when using the Web UI. In general terms, the data presented is simple to understand, unambiguous, and logically presented - most customers with basic Cloud Service Provider data understanding can use the UI.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can export data via a number of methods, such as via the Admin UIs or APIs - into standard output formats such as CSV/XLS.
End-of-contract process
Exit support to be mutually agreed

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
Flexera Optima provides a web-based browser interface to the service, using standard browser controls and access to obtain the information in Optima. Optima consumes cloud billing data and presents this in the service interface to users.
Configurations and reporting is saved for the users, by using controls presented, and further levels of access and viewing of data is available. The interfacea aligns to the current standard UI Flexera provides across Flexera One solutions.
Accessibility standards
None or don’t know
Description of accessibility
Via Browser
Accessibility testing
No specific testing on assistive technology
What users can and can't do using the API
Update and modify parameters in the Service Interface, for reporting services.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The Optima service data is designed to present value based upon the billing information initially processed, and then for the user to add additional context to this data, by customizing report and data logic.
The billing data provided by the CSP offers insights and actionable information, but further context in the form of reporting and organization structure can be added. Within the UI, different data fields can be sorted / filtered and data extracts can be performed. User customize the service via the browser based interface only (no other customization is required). User Roles exist within Optima to allow for the definition of user access rights, which in turn control the data that is seen.


Independence of resources
The is architected for high availability, leveraging the capabilities of our cloud providers to maximize uptime, resilience, and data protection by deploying our platform across multiple geographic regions and data centers and through fault-tolerant software architectures. Because the service runs independently of your workloads and is not an active component of your applications, it is not a point of failure for your managed workloads. If the platform suffers from an outage, your cloud workloads will continue to be available.
See more information here:


Service usage metrics
Metrics types
For Cloud services, status information for Flexera solutions is presented here:


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Most data is presented via the administrative Web-UI, and can then be exported using built-in functions to extract to CSV formats.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • XLSX
Data import formats
Other data import formats
Directly via API or CSP connection

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
RightLink™ is an agent that is installed on your Flexera-managed cloud instances. It communicates with the platform to allow for running of scripts, monitoring, and other management functions. The latest version of the agent (RightLink 10.x) leverages HTTPS (TLS/SSL HTTPS and AES-192 encryption) and Secure WebSockets to secure communication between the agent and the platform. When used to manage a private-cloud or virtualized environment, the RightLink agent requires egress-only through the firewall to a small, fixed set of destination IP addresses.
Data protection within supplier network
Other protection within supplier network
Data protection between buyer and supplier networks using CSP security.

Availability and resilience

Guaranteed availability
Flexera will maintain systems/controls designed to maximize Monthly Up-time, minimize outages, and enable notification in event of any unscheduled outage. Excused Outages: Licensee may experience outages in the Cloud Site due to Scheduled Maintenance and/or Emergency Maintenance, as defined in the contract. The platform provides a service level agreement of 99.95 percent. Flexera maintains a status page showing the current status of all services. Flexera notifies customers of planned maintenance windows in advance. Planned maintenance windows are typically 60-90 minutes.
Approach to resilience
AWS Hosting:- AWS is architected in a manner to maintain availability of its services through defined programs, processes, and procedures. The AWS Resiliency Program encompasses the processes and procedures by which AWS identifies, responds to, and recovers from a major event or incident within the environment. This program builds upon the traditional approach of addressing contingency management, incorporating elements of business continuity and disaster recovery plans while expanding to consider critical elements of proactive risk mitigation strategies. These strategies include engineering physically separate Availability Zones (AZs) and continuous infrastructure capacity planning.
Outage reporting
Via Web-page showing uptime statistics.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
With Role-based security permissions, related to the different features, which can be configured to roles or individual users. Users only see what they have been given permission to see. As such, their view to data in the system is constrained by their specific availability rights. Security roles are managed by Client Administrators.
Access restrictions in management interfaces and support channels
With Role-based security permissions, related to the different features, which can be configured to roles or individual users. Users only see what they have been given permission to see. As such, their view to data in the system is constrained by their specific availability rights. Security roles are managed by Client Administrators.
Access restriction testing frequency
At least once a year
Management access authentication
  • Username or password
  • Other
Description of management access authentication
With Role-based security permissions, related to the different features, which can be configured to roles or individual users. Users only see what they have been given permission to see. As such, their view to data in the system is constrained by their specific availability rights. Security roles are managed by Client Administrators.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
EY CertifyPoint (through AWS hosting)
ISO/IEC 27001 accreditation date
05 November 2019
What the ISO/IEC 27001 doesn’t cover
Flexera's application is not covered but AWS ISO certification covers the underlying PaaS and IaaS resource Flexera uses.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Other security certifications
Any other security certifications
Systems and Controls (SOC) 2 Report

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Flexera operate a multi-faceted approach to Application Security Governance. A Secure Systems/Software Development Lifecycle is active and In addition to the mandatory corporate security training provided through our Learning Cloud, Flexera provides access and encourages training for its engineering staff through Pluralsight. Participation in training provided through Pluralsight, this will become mandatory in 2019 for our engineering staff (to include developers and testers). A clearly defined reporting structure is in place with Senior leadership executing security governance and reviews regularly. More details can be provided on demand.
Information security policies and processes
Flexera's Security and Compliance Program is based on the ISO 27001 Information Security Management System (ISMS). We have defined policies that govern our security policies and processes and continually update our security program to be consistent with applicable legal, industry, and regulatory requirements for services that we provide to you under contractual agreement.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Public Cloud hosted Flexera applications are managed within a change management methodology that includes processes for the request, review, approval, and verification of changes. Flexera has an established change management committee (CMC) with responsibility for the scheduling and administration of changes. Change requests are submitted in Flexera’s CMS, reviewed by committee, and approved by management during the weekly CMC meetings. For any scheduled high risk changes, test and back out plans will be discussed before the change approval. All changes are assessed by Flexera Data Platform security principals for security impact.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Flexera conducts a formal risk management program to continually identify, assess, mitigate, and monitor risks, and modifies its controls as a result of this process. A risk management assessment is completed on an annual basis at a minimum. Any changes required by the risk mitigation activity will be scheduled and approved in the weekly Change Management Committee (CMC) meetings. AWS provide a comprehensive patch management policy that is in place for mission critical devices, and ensures that software, firmware and operating system patches are identified, tested and installed in a timely manner.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
AWS public cloud hosted applications/infrastructure are monitored using monitoring applications that provide notification of critical system/app events. Customer-facing websites are monitored using different services – one for immediate event notification and another for calculation of SLAs. Events that affect availability of AWS Hosted Cloud applications are investigated, resolved and documented according to procedure by the Site Reliability Engineering department. This team is alerted to any suspicious activity with the alert method varying depending on the severity.
Incident management type
Supplier-defined controls
Incident management approach
Predefined processes exist for Events. The first priority is for the Site Reliability Engineering team to investigate and resolve any issues affecting the availability, stability, performance, or security of the Cloud hosted application/services. If there is no resolution within 15 minutes, an email will be sent to notify members of the SRE, Engineering, Client Success and Customer Support. If after hours, customer support will be notified. Further escalation to the Cloud hosting service provider will occur, if and when identified.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£76,000 a unit
Discount for educational organisations
Free trial available
Description of free trial
A trial version can be requested during a PoC, this can be supplied with demonstration data. This version is limited to a short time frame for use (i.e. during the PoC) where specific use cases are performed, according to customer requirements.

Service documents