Platform.sh Limited

Platform.sh PaaS Hosting

Platform.sh is groundbreaking hosting and development for web applications, accelerating development processes 20-40%, reducing DevOps and tickets 90-100%, and enhancing production stability (99.99% uptime). It extends Git-based branch-merge workflows to the infrastructure so every branch is tested as if in production; live sites scale effortlessly for peak traffic.

Features

  • Triple redundant Enterprise architecture offering guaranteed 99.99% uptime including CDN
  • High-density micro container grid, unique high-availability multi-cloud orchestration layer
  • PHP, Drupal, Symfony, Wordpress, Magento, Laravel, Ruby, Python, Node.js, JavaQ317
  • Flexible hosting in public/private/sovereign cloud: AWS, Azure, Orange Business Services
  • Unique developer tools extend Git branch-merge workflow to infrastructure
  • GUI, API and CLI-based service management tools
  • Multi-site to containers
  • Every git branch has its own URL
  • No more DevOps. PaaS automation equals NoOps

Benefits

  • Zero application interruption scaling, 6-384 CPUs in <15 minutes
  • Guaranteed uptime = less than 4 minutes a month downtime
  • Development & deployment workflow is regime change; developers love it
  • Automation and orchestration suited to running thousands of low-cost sites
  • 20-40% developer productivity improvements
  • 10-15x faster testing and UAT sign off
  • 90-100% less DevOps and tickets
  • Set-up time for new developers / environments 100s of times faster
  • Deployment time 10-15x quicker
  • Deployment frequency improves from monthly to several times a day

Pricing

£8 per unit per month

  • Free trial available

Service documents

G-Cloud 9

126031744335136

Platform.sh Limited

Kieron Sambrook-Smith

0203 815 7962 or 07818 427136

kieron@platform.sh

Service scope

Service constraints For Enterprise clients only: Some change requests require ticketing system.
System requirements Git is required to perform changes

User support

Email or online ticketing support Email or online ticketing
Support response times Ticketing support is the primary channel and questions are answered very quickly. Slack chat available during business hours. Enterprise support is 24/7
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible N/A
Web chat accessibility testing There are reports that Slack accessibility is good in mobile clients and Firefox
Onsite support Yes, at extra cost
Support levels 30/60 minutes response time SLA for Priority 1 tickets. We typically achieve < 20 minutes
Support available to third parties Yes

Onboarding and offboarding

Getting started Welcome Email, Kick-off call, follow-up calls, tests, migration assistance, launch window planned and support resources made available
Service documentation Yes
Documentation formats
  • HTML
  • Other
Other documentation formats
  • Web page
  • GitHub repo
  • Markdown
  • CLI
End-of-contract data extraction Customers wishing to terminate service can have all their data returned to them upon request.
End-of-contract process Customer has full access to code and data, which is 100% portable, with no lock-in.

Using the service

Web browser interface Yes
Using the web interface Synchronize files, databases, merge and branch environments, configure SSL certificates, domains and much more
Web interface accessibility standard None or don’t know
How the web interface is accessible N/A
Web interface accessibility testing SSH, CLI, and API controls are all available, making Platform.sh easy to integrate with external tools, eg. Jenkins/Rundeck.
API Yes
What users can and can't do using the API The Platform.sh API and UI allow web developers to build code bases, launch and configure infrastructure and services, create snapshot backups, clone and create new environments for development or testing, merge branches, and much more.
API automation tools
  • Ansible
  • Chef
  • Puppet
  • Other
Other API automation tools
  • GitLab CI, Puppet, Boto
  • Anything that can execute a PHP CLI or REST calls
API documentation Yes
API documentation formats Open API (also known as Swagger)
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface Everything that can be done on the UI, plus some integrations like Hipchat, managing backups, interacting with the databases and issuing application commands

Scaling

Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Enterprise deployments receive dedicated infrastructure. All other environments are containerised with CPU and RAM guarantees.
Usage notifications Yes
Usage reporting
  • API
  • Email

Analytics

Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Anything that NewRelic provides
  • Key Transactions
  • Throughput
  • Error rate
  • Custom metrics
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach Volumes encrypted by default.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Backup and recovery

Backup and recovery Yes
What’s backed up Restoration from a snapshot of the whole production system.
Backup controls Periodicity of snapshots can be determined by the customer.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks Platform.sh ensures that customer confidential data stays on AWS infrastructure and is only held outside of AWS for short periods of time when this is necessary in order to solve an issue or debug a problem connected with the data.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Private network or public sector network, VPN and encrypted connections

Availability and resilience

Guaranteed availability 99.99% SLA guaranteed infrastructure availability. This is achieved through 3x redundant services (eg. database in Master/Master/Master configuration).
Approach to resilience 3x redundant services (eg. Master/Master/Master configuration for the database). This extends to all services including Solr, Elasticsearch, Redis, MongoDB, as well as the file system.
Outage reporting Outages are reported via our status page (http://status.platform.sh/), which is hosted off-site, as well as via the helpdesk and email for individual affected customers. Detailed incident reports are sent to affected customers after resolution.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Other user authentication Web access is username/password based over an encrypted connection. Two-Factor Authentication is available. Actual hosting environments are accessed via SSH or Git, and authentication is based on public/private key pairs.
Access restrictions in management interfaces and support channels The project owner can assign roles to other accounts.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach A corporate governance framework is in place to ensure continuity and monitor quality of the Security Programs. The following groups are established to facilitate corporate governance:

Board of Directors: Helps ensure oversight for management strategy and operations.
Audit Committee: Helps ensure that an independent body can provide sound corporate governance in corporate matters.
Governance, Risk and Compliance (GRC) Council: A GRC Council is established with members of the Executive team to help ensure that organizational risks are prioritized and addressed, accepted or transferred.

There are also definitions for Monitoring, Architecture, Policy, Plan & Procedure Review and External Third Party Audits.
Information security policies and processes Platform.sh has a risk-based "Information Security Program". Various Risk Owners have been identified within their respective business units and must evaluate the likelihood and impact on confidentiality, integrity and availability, make a decision based on a predefined list of actions, and then document the results and distribute them to key stakeholders.

Internally, access to systems is granted on the basis of the need-to-know principle. Users are given access only at the appropriate level required to perform their job functions.

There is a strong information security policy defining the information classification, roles, responsibilities, data handling, risk management, security awareness, training processes, human resources, onboarding, security audits, logs, change management and more.

The policies are ensured and enforced by the Corporate Governance Framework.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Software either tracks Debian upstream, and thus follows that security schedule, or is deployed via Debian packaging as our own packages. Configuration change management on servers is governed via Puppet. An internal security team assesses incoming patch risk and monitors upstream security channels.
Vulnerability management type Supplier-defined controls
Vulnerability management approach When vulnerabilities are detected, PSA notices are sent out to any customers who are potentially affected, including steps that we are taking, steps they need to take, and overall threat level.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Compromises would be detected by inspecting access logs and Git commit histories. A found compromise results in quarantine actions for affected systems and replacement by clean builds, as well as analysis of the access vectors used in the attack. Response would be immediate following discovery.
Incident management type Supplier-defined controls
Incident management approach Process for common events described in operational manual. Users report incidents via helpdesk and/or Slack chat. Incident reports are provided via helpdesk, which also triggers email delivery.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used Other
Other virtualisation technology used LXC; Xen.
How shared infrastructure is kept separate Enterprise deployments receive dedicated virtual machines from the underlying IaaS (eg. AWS, Azure, or Orange VMs).

Energy efficiency

Energy-efficient datacentres Yes

Pricing

Price £8 per unit per month
Discount for educational organisations No
Free trial available Yes
Description of free trial We offer a free one-month trial for Platform.sh Standard with no further commitment required.
After one month users can either terminate their trial or convert to a paid package.

Documents

Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document