Q-Solution Ltd

Secure Messaging as a Service

A Secure Messaging Service hosted within public cloud and built using AWS native cloud serverless technologies allowing for high autonomous scaling. Enables Public Sector bodies to exchange sensitive (up to OFFICIAL SENSITIVE) data securely across the Public Services Network (PSN), PSN Protected and Internet.

Features

  • Secure Message based routing for SOAP, AWS MQ, FTP/S, HTTP/S
  • Security controls embedded into the design to the highest standards
  • Content based message routing
  • Message persistence
  • Error Handling
  • Online MI and alerting via Slack, email, SMS, GOV.UK notify
  • Anti Malware for data at rest
  • 99.9% availability
  • Built to scale on 100% serverless architecture
  • Assessed against Article 28 - GDPR Data Processor

Benefits

  • Assured message delivery
  • Implementing in-transit and at rest malware scanning
  • Message persistence
  • Data encryption based on AWS KMS (AES-256) secures your data
  • 100% native cloud technologies ensuring the service is scalable
  • Full messaging auditing available at the touch of a button

Pricing

£0.01 to £0.08 a transaction

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kevin.hoskins@q-solution.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

1 3 2 6 9 2 0 5 5 8 7 2 0 1 1

Contact

Q-Solution Ltd Kevin Hoskins
Telephone: 07966 306058
Email: kevin.hoskins@q-solution.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
The following are the current limitations of the service. We do however encourage customers to review these pages and the dashboard for changes made to the service as we aim to continually improve the capacity, availability and overall service provision.

Individual message sizes are limited to 6Mb

Message throughput is restricted to 1000 messages per second based on message sizes of 100k
System requirements
PSN Protected access for sending and receiving systems

User support

Email or online ticketing support
Email or online ticketing
Support response times
4 hours, Monday to Friday, 8am to 6pm excluding UK Public Holidays
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support hours for the service desk is between 8am and 6pm, Monday to Friday excluding UK Public Holidays. Our Protective Monitoring and System Monitoring however operates 24/7/365 and will generate alerts throughout this period in the event of any priority incidents occuring. Agreement on how these incidents outside of core hours are resolved will be agreed during the on-boarding process

The Secure Messaging Service availability outside of core hours allows for Change Requests and enhancements to be made to the service. A scheduled maintenance window will operate typically between 8pm and 10pm with notification of changes published to the customer portal as well as communicated via the customers preferred channel.

All changes to the service are automated using Infrastructure as Code and Continuous Integration processes. The above SLA for out of hours availability allows for approximately 1 deployed per week (assuming a 30 minute outage) if required.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We have a detailed onboarding process that supports users and that can be provided upon request. The process details how users a provisioned onto the service and details the levels of support Q-Solution provides.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
This will be detailed in the On Boarding and Off boarding process documents provided to the customer and will align to the latest Data Protection Standards
End-of-contract process
Details of any additional costs will be provided in the Off Boarding procedures. However, as a SaaS service, there would typically not be expected any additional costs for Off Boarding

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
No
Service interface
No
API
Yes
What users can and can't do using the API
Supports RESTful and JSON. Core API functionality exists and Q-Solution will work with the customer in creating the customer specific API requirements and associated routing
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Customers are able to customise the API to suit their business needs with common service such as Protective Monitoring, System Monitoring, network connectivity in place.

Scaling

Independence of resources
There are only limited areas of shared services e.g. ingress and egress proxies, with all other services serverless/independent. For these shared services, our design maximises the use of all AWS Availabilities Zones, Application Load Balancing and Auto Scaling Groups to ensure any increases or spikes in capacity have no detrimental impact on the services or customers. The service is monitored 24/7 with alerting to Q-Solution and customer service desks as required.

Analytics

Service usage metrics
Yes
Metrics types
Application Monitoring - Message per hour/day, messages to/from systems, max, min and avg message sizes, messages by type.
Service Levels - delivery times, system availability, incident response times, incident durations
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data held on the Secure Messaging Service is considered OFFICIAL SENSITIVE. Q-Solution will support any requirements to export data as part of the On Boarding Process
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service levels for availability during core hours are 99.9%. Outside of core hours, availability is 99.5%. Further details of SLAs and KPI's are provided during the On Boarding process
Approach to resilience
The service is designed and built to be entirely cloud native and serverless. Detailed information on the design for resilience of the solution can be provided during the On Boarding process and subject to confidentiality provisions
Outage reporting
Email alerts and a customer facing dashboard

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Only support staff with SC clearance have access. Access is restricted to individuals accredited machines. Support staff required password and MFA. Account activity is protectively monitored and alerted. Staff have a single master account for logging in and 'Assume Role' into other acounts enable fine grain authentication and access on a 'needs to know' basis.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
17/06/2017
What the ISO/IEC 27001 doesn’t cover
Please refer to the formal BSI Certificate of Registration and our Statement of Applicability available on request
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Annual ITHC
  • PSN Protected
  • Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our Security Working Group oversees the implementation, maintenance and improvement of our ISO27001:2013 Information Security Management System (ISMS). This ISMS encompasses numerous process, policies and procedures including Information Security Policy, Acceptable Usage Policy, Statement of Applicability (SOA), Risk Assessment, Secure Development Policy, MMAE Policy, Business Continuity Policy and Plan and Change and Configuration Management among many others.
Additionally we have an independent IT Health Check (ITHC) performed by a CHECK Team annually and are certified to Cyber Essentials Plus (CES+)

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
A comprehensive Change Management process is provided to the customer during the on-boarding processes. This can also be shared with any potential customer during their supplier identification process
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We have a separately documented vulnerability management process that can be shared with customers upon request covering areas such as Monitoring, Threat Detection, Security Alerting, Compliance, Audit Logging, SIEM, Patch Management and anti malware
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We have a separately documented Protective Monitoring process that can be shared with customers upon request covering areas such as Monitoring, Threat Detection, Security Alerting, Compliance, Audit Logging and SIEM
Incident management type
Supplier-defined controls
Incident management approach
We have a comprehensive documented approach to both Incident and Problem Management. This information, in the form of PDF can be provided to customers on request

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Yes
Connected networks
Public Services Network (PSN)

Pricing

Price
£0.01 to £0.08 a transaction
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kevin.hoskins@q-solution.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.