Zodiac Media Ltd

Drupal CMS website

We can customise or develop from scratch Drupal 7 and Drupal 8 websites. This includes extending Drupal's functionality, adding security layers, or streamlining Drupal's user interface. Full Drupal training and post-release support can be provided on request.


  • Mobile-first design approach
  • Separate staging and live development servers
  • System event logging for security
  • UK based data centre hosting provided at cost
  • Content presentation can conform up to WCAG 2.0 AA standards
  • Granular role-based permission systems developed on request
  • We are an ISO 27001 information security certified company


  • Mobile-compatible as standard
  • Fast turnaround with multiple opportunities for feedback
  • Reduce resource overheads and technical debt
  • Fully customisable to meet your precise requirements
  • Inherently modular and scalable design
  • Security compliant up to ISO27001 standards


£600 per person per day

Service documents


G-Cloud 11

Service ID

1 7 1 7 5 6 0 7 7 6 9 7 8 2 1


Zodiac Media Ltd

Billy Davies

0207 582 7160


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our target response time for critical issues affecting all users and all functionality, e.g. website down, is 2 hours. For major issues affecting all users and some critical functionality, e.g. website can no longer send/receive emails, it is 4 hours. For minor issues such as confirmation messages failing to display it is 2 working days. For trivial issues such as misaligned text it is 4 working days.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We offer one level of support.

Support work can include any tasks you feel Zodiac Media are suited to handling. Zodiac Media offer website maintenance and support contracts based on a flat fee that covers a pre-agreed amount of support time for each month, typically 1 day per month, at a cost of £600 ex VAT. Unused support time can be rolled over to subsequent months, although at the end of the contract any remaining support time will not be reimbursed. If the amount of support work required for a given month exceeds the balance of your support account, then we would charge by the hour for further work. We would always make you aware of this by providing estimates for further work once the support allowance has been exhausted. We will endeavour to accommodate additional support and development work as soon as we are able to based on our existing work schedule. We will advise you as to when additional work can be undertaken on a case by case basis.

Requests go through an Account Manager who will be able to answer basic requests and field those necessary to technical personnel.
Support available to third parties

Onboarding and offboarding

Getting started
We can provide on request onsite training, online training, and user documentation.
Service documentation
Documentation formats
End-of-contract data extraction
In compliance with GDPR, once the contract is fulfilled the client may request a portable copy of the data we hold on them and/or the erasure of such data.
End-of-contract process
At the end of your contract you will be provided with Zip files of your site's codebase and database, at a mutually agreed date and time. All other work would be billable by the hour.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile version of the service will have a different, mobile optimised layout in comparison to the desktop version. Likewise, functionality may also differ slightly so that the user experience is optimised for mobile devices.
Service interface
Description of service interface
Change request to the service are created and managed through an online issue tracking system. Customer staff are also provided with access to Drupal's online administration system for managing the website.
Accessibility standards
None or don’t know
Description of accessibility
The service interface does not natively adhere to WCAG 2.1 A standards. However we will work collaboratively with customers to ensure that the admin system is accessible to all their staff by implementing custom changes to the system as required.
Accessibility testing
We have previously worked on the websites of several UK councils to ensure they adhere to WCAG 2.1 AA accessibility standards. To do this we used the online service SiteImprove, which is popular with many UK government organisations.
What users can and can't do using the API
Drupal has an inbuilt RESTful API. Full details can be found at Drupal.org: https://www.drupal.org/docs/8/core/modules/rest
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Drupal CMS's public-facing front end and administration screens can be customised almost without limit.

Customisation can be achieved through either changing Drupal's admin settings or installation of additional modules which extend Drupal's native functionality.

Customisation of Drupal's admin settings would need to be undertaken by a trained user. Coding and module customisation would need to be undertaken by competent web developer familiar with the Drupal platform.


Independence of resources
Client servers are allocated exclusively to them so there is no contesting of server resources. Minimum target uptime for servers and network connectivity is 99.9%. In any given month, if your server is down for more than 0.1%, you will be given a pro-rated hosting cost credit for the down-time.

If Zodiac Media fails to respond to an issue report within the target response time, then 1 extra day of support time will be credited to the support account’s balance.


Service usage metrics
Metrics types
We can set up Google Analytics for your Drupal website on request which gives you intricate detail on the usage data for your website.

All servers are integrated with our enterprise class performance monitoring system. This provides real time technical information for your Drupal website such as CPU load, memory utilisation, hard disk utilisation and network utilisation.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Drupal can be customised on request to support CSV export of user data. Data can then be exported by the user via Drupal's admin system. A bulk export of data from Drupal's underlying database is also available upon request.
Data export formats
  • CSV
  • Other
Other data export formats
SQL dump
Data import formats
  • CSV
  • Other
Other data import formats
SQL query

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Minimum target uptime for servers and network connectivity is 99.9%. In any given month, if your server is down for more than 0.1%, you will be given a pro-rated hosting cost credit for the down-time. If Zodiac Media fail to respond to an issue report within the target response time, then 1 extra day of support time will be credited to the support account’s balance.
Approach to resilience
Data centre resilience information is available upon request.
Outage reporting
All of our production servers are integrated with our enterprise class monitoring system. If you have a fixed IP address we can provide you with a user account to access this and view server performance. Alternatively we can enable a VPN connection for you to gain access. Depending on the severity of the issue detected the monitoring system sends alerts to a Slack group consisting of Zodiac Media staff.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
The data centre management interface is subject to two factor authentication. SSH access to the server is via firewall whitelist and public key authentication. Support system access can be granted via VPN. Drupal's admin system is accessible via username and password, we would also recommend limiting access to the admin system via firewall whitelist/VPN or enabling two factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ACM Ltd.
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO27001 certified with a full Information Security Management System (ISMS). Every client project has its security objectives and potential risks documented. Every quarter we perform an internal security audit, including integrity and intrusion scans on all our servers. All project files are stored on encrypted storage devices and backed up on IP restricted servers with logging and version control. All information assets are labelled under our ISMS, with their associated handling, storage, access, transference, and retention standards.

We have a fully documented procedure in the case of an information breach with our point of contact at ICO identified. All employees are onboarded with our ISMS policies when they join the company.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are assessed for their likely impact on security and performance prior to being implemented. All changes progress through a sequence of review gates using local development, staging and then live infrastructure to mitigate risk. Both the performance and security of the overall Drupal website are reviewed at each stage. All server configuration changes are noted in our issue tracking system. Codebase related changes are recorded in the version control system Git.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We pro-actively monitor both Drupal core and Drupal community plugin public releases. If a release contains security updates then we make clients aware of the need to update as soon as possible. Typically security updates are implemented within 2 working days of clients instructing us to proceed. We use the unattended upgrades functionality of Linux to keep server packages up to date. All servers are integrated with our security monitoring system which actively alerts us to possible threats. We conduct quarterly vulnerability scans of all servers.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All servers are integrated with both our enterprise class performance and security monitoring systems. These actively alert us to issues immediately, based on custom configured trigger rules. The time taken to respond to these issues is near immediate, although the resolution times depends on the impact of the issue. In addition all servers are enrolled in the data centre's performance monitoring system which also actively alerts us of performance issues.
Incident management type
Supplier-defined controls
Incident management approach
As part of our Information Security Management System (ISMS) policies we have a predefined process for security incident management. This is inline with ISO 27001 standards. Clients can report incidents to our dedicated account manager, and are kept updated with the progress and state of the incident throughout the event. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£600 per person per day
Discount for educational organisations
Free trial available

Service documents

Return to top ↑