Code Enigma Limited

Managed Drupal Servers

Based wherever you prefer to procure your infrastructure, we provide ISO 27001 certified, Linux specialist server management, with Disaster Recovery features and enhanced security measures, as well as a dedicated, expert Drupal support team. There is a range of supported software and we offer free consultancy for multi-server environments.


  • Highly secure, ISO 27001 certified
  • Free consultancy in sales process
  • Highly flexible, your server images tailored to you
  • Complementary applications and services can also be accommodated
  • Dedicated hosting team in four timezones
  • 24/7/365 support available
  • Scalable system
  • Infrastructure and configuration stored in code
  • Dedicated Drupal specialist support team


  • Disaster Recovery built in
  • Provide out of hours support without hiring
  • Open source stack is portable, no lock-in
  • Access to expert team of specialists
  • Host multiple applications on one platform


£100 per server per month

Service documents

G-Cloud 10


Code Enigma Limited

Greg Harvey

020 3588 1550

Service scope

Service scope
Service constraints There is a list of supported software within the service definition document you may install on the cluster. We can optionally include additional software, subject to contract, but it will depend on our experience.
System requirements Required software must be freely available for Debian Linux

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response times vary and are subject to contract. Customers on Enhanced SLA terms enjoy a response time objective to Urgent tickets of within 15 minutes, 24/7/365. Customers on Standard terms have no response time targets.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web chat is available via a dedicated chat server using the open source Rocket.Chat product. Buyers should consult the Rocket.Chat website and GitHub project for information.
Web chat accessibility testing None. Rocket.Chat is a service provided "as is".
Onsite support Yes, at extra cost
Support levels All customers will have a dedicated technical account manager. Standard SLA - £100 per service consumed per month: includes access to online ticketing only, no response time guarantee, 99.9% uptime target for supported software, active monitoring 24/5 (Monday 00:00 to Friday 23:59 UK time). Enhanced SLA - £250 per service consumed per month: includes access to online ticketing, telephone support and online chat support (on request), response time targets included, 99.9% uptime target for supported software, active monitoring 24/7/365.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide an onboarding questionnaire to gather information about the application you intend to host, to ensure we are providing a layout that is most suitable to your requirements. We also provide a customer handbook, which is freely available on our website, for orientation around ticketing, contact mechanisms, interacting with our services, and so on. Depending on the services consumed, some limited training may be carried out online via video conferencing tools. On site training may be provided for an additional fee.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users have full access to their platform, it is entirely dependent on the application as to how data is extracted, and the application belongs to the Buyer. That said, each Buyer will have their own AWS account, so when the contract ends the Buyer may choose to keep their configuration "as is" and take control of the account from us with no service disruption whatsoever.
End-of-contract process Depending on how the Buyer wishes to proceed, we may either: provide archives of database and other volatile content to the Buyer and switch off their services; or hand over the ownership of the AWS account to the Buyer so they may continue with the service, interacting directly with AWS and without our additional support.

Using the service

Using the service
Web browser interface Yes
Using the web interface Users have a self-service dashboard to control access to ticketing and systems. Administrators will need to have some kind of second factor of authentication in place, either via a smartphone app, if possible, or via a 2FA token device shipped out to you. The first two 2FA tokens are free, there is an additional charge for each 2FA token provided beyond the second token issued, including those replacing lost or damaged tokens.
Web interface accessibility standard None or don’t know
How the web interface is accessible The interface is simple, standard HTML forms with no requirement for JavaScript or embedded technologies to function, so we do not envisage any accessibility issues.
Web interface accessibility testing None.
Command line interface No


Scaling available Yes
Scaling type Manual
Independence of resources The service is based on AWS and every user has their own AWS account dedicated to their project, including their own dedicated AWS VPC (Virtual Private Cloud) thus their own individual virtual LAN and dedicated networking space. There is total service separation and services are spread over all available 'Availability Zones', which are entirely separate data halls, for maximum resilience.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Any (including internal private clouds)

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Virtual machines (via snapshotting)
  • Individual files (via backup software, copied off site)
  • Databases (via SQL dump files)
  • Infrastructure configuration
  • Server software configuration
Backup controls If users have specific backup schedule requirements they may communicate these to us in a ticket and we will adjust their schedule accordingly.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability AWS guarantee availability of 99.99%, with a service credit of 10% between 99.0% and 99.99% and a service credit of 30% for availability below 99.0%. Code Enigma guarantees software uptime of 99.9% per managed Linux server or container, however this layout is designed to have multiple elements and no single point of failure, so the likelihood of software failure alone causing a reduction in availability is extremely low.
Approach to resilience This information is available on request.
Outage reporting We have a public dashboard and optional email alerts. We also communicate via a dedicated Twitter stream and email in the event of a major outage.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels All services that are deemed to be 'management interfaces' require at least two factors of authentication, in some cases up to four. We adhere to standard principles required by ISO 27001, such as no shared accounts to ensure accountability, separation of privileges and 'maximum necessary' privileges in order to carry out duties. We use an LDAP directory to store user data (which is encrypted at rest and only accessed via TLSv1.2 or above encrypted tunnels, be that over a VPN or SSL) and we run a group system to control access levels per customer.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Standards Institute
ISO/IEC 27001 accreditation date 08/10/2014
What the ISO/IEC 27001 doesn’t cover Finance and some aspects of HR.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our Information Security Policy is the core of our Information Security Management System (ISMS) and dictates roles, responsibilities and required policy and procedure. We are ISO 27001 certified by the British Standards Institute for all aspects of cloud services. The ISMS is owned by our Information Security Committee (ISC) which comprises of members of the business representing a range of activities. The committee meets monthly to review the performance of the ISMS. There is also a technical sub-committee that reviews our security posture from a more technical perspective, for example the specifics of secure service management. The sub-committee reports to the ISC on a monthly basis. We operate a CAPA procedure to ensure we continuously improve our security posture and we have an Incident Management Procedure to dictate how we respond to security incidents, including service failures and outages. The Procedure includes communication mechanisms, reporting (via our case tracker), ownership of issues, rectification steps and means to avoid recurrence. Alongside these more practical aspects of technical ISMS management, we also run an extensive auditing program, carried out by external auditors, and a routine training program, to ensure all staff and contractors have up to date security knowledge and skills.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All infrastructure and software configurations are stored in code, which in turn is kept in a Git version control system (VCS). The system is designed to enforce peer review of change, and there is inbuilt automated testing at every level. If an engineer wishes to make a change to infrastructure or configuration, they must first make the change in the 'development' branch of the VCS. These changes are automatically built and tested on dedicated test infrastructure, submitted to a colleague for review and approval. On approval the changes are scheduled for putting live, if necessary with each customer individually.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We subscribe to numerous vulnerability reporting services which send emails into our case tracker, which in turn emails the entire team. Logged vulnerabilities are reviewed and assessed by the entire systems team on a daily basis and are judged to be either: acceptable risk, to be applied at next routine patching window (never more than three weeks in the future); elevated risk, to be scheduled with customer ahead of next routine patching window (ASAP, according to customer schedule); or high risk, to be applied immediately (within the next 24 hours).
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We operate numerous software tools to help us identify potential compromises, most notably the open source Intrusion Protection System (IPS) OSSEC and the open source rootkit detector, rookKitHunter. Both systems email any incidents automatically to the entire team and, in the case of OSSEC, take automatic action to contain the threat. Response is immediate, in the case of the software, and within minutes if the team suspects a serious breach. We operate a Security Incident Management Policy which includes specific instructions on how to handle a suspected criminal incident and/or a breach.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our Security Incident Management Policy dictates the process for reacting to common events. The mechanisms for reporting incidents are various, they may be reported by case tracker ticket, email to the Information Officer, or even submission of an anonymous form on our website for 'whistle blowing'. Incident reports are generally kept private, but may be provided to customers on request when they are specifically affected by an incident. This will be done in the form of an emailed PDF document of the full report in our case tracker.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon Web Services (AWS)
How shared infrastructure is kept separate We create a unique and separate AWS account for every individual hosting project, even for different projects run by the same customer. This account separation allows us to leverage the extensive AWS features for virtual network and hardware separation, most notably using their Virtual Private Cloud technology, which allows us to configure separate, protected virtual LAN environments for every project.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £100 per server per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑