Catalyst's managed Drupal CMS delivers an Open Source, end-to-end publishing solution which is cloud native and omnichannel ready.
- WYSIWYG editor with rich media support
- Flexible page layout and creation
- Powerful search integration
- Supports responsive and mobile-first design
- Extensive library of Drupal community plugins
- REST and other API allows delivering content via apps/services
- Excellent support for external/third party integrations
- Unlimited number of CMS users
- Metadata support for Search Engine Optimisation
- Multi-site and multi-language capable
- Open Source; freedom to innovate with no additional license fees
- Enterprise service delivery; 24x7 monitoring and incident response available
- Fully managed service including maintenance and security patching
- Customisable responsive page templates
- Includes free access to Matomo analytics platform
- Experienced UK-based teams
£7500 per instance per year
- Free trial available
1 5 1 2 3 9 2 5 1 6 5 3 0 8 9
Catalyst IT Europe Ltd
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|System requirements||Devices (laptop / desktop / mobile) with internet connection.|
|Email or online ticketing support||Yes, at extra cost|
|Support response times||See attached service description document. Responses to tickets are variable according to severity.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Catalyst offer technical support for your CMS users (L2), application bug reports or feature requests (L3), and hosting support and incident management (L4).
UK business hours are covered as standard (9am-5pm, Mon-Fri) with option to extend L4 cover to 24x7 at additional cost.
Ticketing system provides direct access to support engineers, with an Account Manager available for strategic discussions or as point of escalation.
|Support available to third parties||No|
Onboarding and offboarding
Catalyst can provide CMS training in person or remotely, and also provides a support guide covering use of the ticketing system for further support queries.
Extensive user documentation is provided for core Drupal features and workflows.
|End-of-contract data extraction||Catalyst will provide copies of all data to clients upon request at the end of a service contract. Backups will be deleted after a period of six weeks from the contract end date.|
|End-of-contract process||At the end of a contract the site will be closed, removed from service and all data purged. Costs for this are included in the base contract. If a client requires copies of data this can be extract at an additional cost.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
Full functionality on desktop through to mobile devices is supported by fully responsive design.
Omnichannel support for Mobile integrations.
|Description of service interface||Application dashboard Service Management dashboard|
|Accessibility standards||None or don’t know|
|Description of accessibility||Nil|
|Accessibility testing||None at this time|
|What users can and can't do using the API||All functionality exposed through standard Drupal API (please consult Drupal documentation for details.)|
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||CMS users with administrative privileges can customise content types, taxonomies, workflows, page templates, navigation and more. These users will also have full control over user administration, including role definitions and user permission allocation.|
|Independence of resources||The underlying cloud infrastructure is architected with elastic auto-scaling characteristics to minimise performance impacts resulting from other users of the service.|
|Service usage metrics||Yes|
|Metrics types||Site analytics (page views, page render times, user devices/browsers, user activity analysis), and monthly service level metrics (tickets raised, support hours used, site availability, trend analysis).|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||In-house destruction process|
Data importing and exporting
|Data export approach||Catalyst can export data on behalf of the customer; such requests are initiated through a support ticket.|
|Data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
|Other protection within supplier network||
Data is encrypted at rest and in transit.
Strong security principles and governance ensure proper role separation, minimal privileges granted to each role, and strong defensive security posture.
Availability and resilience
|Guaranteed availability||99.9% availability|
|Approach to resilience||Available on request.|
|Outage reporting||Email alerts via ticketing system. Private dashboard showing monthly availability metrics.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Configurable permissions within each user group restrict access to site functions as appropriate.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Closely aligned with ISO/IEC 27001:2013, but not formally certified.|
|Information security policies and processes||
Catalyst has formal, documented policies and procedures that provide guidance for operations and information security management within the organisation.
The policies clearly define scope, roles, responsibilities and management commitment. Staff maintain the policies in a centralised and accessible location, subject to review by the Security Manager.
Senior management provides visible support for security initiatives, and ensures appropriate prioritisation and resource allocation in order to maintain good security posture.
Policies are reviewed at least annually.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Changes to Catalyst services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is limited.
Teams set bespoke change management standards per service, underpinned by standard practices.
All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.
Exceptions to change management processes are documented and subject management review.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Catalyst monitors potential threats from a variety of sources including CERT and upstream project channels such as the Debian Security Advisories (DSA).
Supplier notifications and industry updates are assessed by technical team and Critical patches are deployed as soon as possible.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Catalyst use a combination of intrusion detection methods to identify potential security incidents. IDS alarms alert the infrastructure support team immediately.
Upon detection, the affected systems are isolated and analysed, followed by service restoration using fresh cloud infrastructure.
|Incident management type||Supplier-defined controls|
|Incident management approach||Yes, standard incident response processes are defined for Catalyst staff. Users may report incidents using telephone or the online ticketing system. Incident reports and root cause analysis are published to the customer as PDF documents upon completion.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£7500 per instance per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||Limited access (user) to a demo instance - refreshed daily. Extended access to a sandbox environment with admin privileges can be negotiated on request.|