Zoocha Limited

Drupal 9 Cloud CMS

Zoocha Drupal Cloud CMS is a secure, compliant Drupal content management system, providing complex Drupal integration, single sign-on, CRM, configuration and workflow management. Drupal 9 is the lastest version of Drupal.


  • Drupal 9 best practice implementation
  • Expert Drupal 9 module evaluation based on requirements
  • Remote access to your Drupal 9 Cloud CMS
  • Customisable responsive Drupal 9 template design
  • Drupal 9 Multi-lingual Capability
  • Drupal 9 publishing workflows and content versioning
  • Drupal 9 development using agile methodology
  • ISO 27001 Certified
  • ISO 9001 Certified
  • Drupal Association Premium Supporting Partner


  • Drupal security compliant
  • Fully managed Drupal hosting on AWS
  • Thousands of Drupal Association approved modules
  • UK based expert Drupal Development team
  • Over 12 Certified Drupal Developers
  • 3 Drupal Grand Masters


£600 an instance a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zoocha.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 7 9 9 5 0 7 2 8 6 7 7 7 3 0


Zoocha Limited William Huggins
Telephone: 441992256700
Email: info@zoocha.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Drupal can be used as a software component within a microservices architecture.
Cloud deployment model
Private cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
15 minutes for critical support
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Zoocha provide a single tier support service which is contracted as 'support days per month' @ £650 per day. There is no limit to the number of tickets raised, but support time above the contracted amount is charged at £130 per hour. Contracted support time can be increased or decreased (to a minimum of 1 day per month) at any time during the contract, by providing 30 days notice. Technical account management can be provided at an additional cost of £750 per day.
Support available to third parties

Onboarding and offboarding

Getting started
The onboarding process starts with a workshop (kick off meeting) to capture some of the information and key behaviours the project needs people to engage with to be a success. This could include training in our processes and on our project systems like Jira. Zoocha also provide agile training (including basic training in our project management systems) during or in addition to the workshop session. Drupal CMS training is provided as a separate service, the details of which can be found in the Service Definition document.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data may be copied out using OS-level tools (such as xopy or rsync).
End-of-contract process
Buyer may terminate the contract with Zoocha for any reason by providing Zoocha with notice. Zoocha will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Zoocha services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Fully responsive web inteface
Service interface
Description of service interface
Drupal 9 CMS
Accessibility standards
WCAG 2.1 A
Accessibility testing
What users can and can't do using the API
All functionality can be exposed via an API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Content Types; Taxonomies; Role Types; User Permissions; Workflows; Menus/ Navigation


Independence of resources
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Services which provide virtualized operational environments to customers (i.e. EC2) ensure that customers are segregated via security management processes/controls at the network and hypervisor level. AWS continuously monitors service usage to project infrastructure needs to support availability commitments/requirements. AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.


Service usage metrics
Metrics types
Zoocha provide a monthly service report including uptime metrics, support SLA performance and any other metrics agreed within the scope of the contract.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other data at rest protection approach
Zoocha use AWS, which adheres to independently validated privacy, data protection, security protections and control processes. (Listed under “certifications”). AWS is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS enables customers to control their content (where it will be stored, how it will be secured in transit or at rest, how access to their AWS environment will be managed). Wherever appropriate, AWS offers customers options to add additional security layers to data at rest, via scalable and efficient encryption features. AWS offers flexible key management options and dedicated hardware-based cryptographic key storage.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Users with administrative access to the Drupal Cloud CMS are able to export data directly from the admin interface.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
Other protection within supplier network
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. AWS gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine how their content will be secured in transit. AWS enables customers to open a secure, encrypted channel to AWS services using TLS/SSL, and/or IPsec or TLS VPN (if applicable), or other means of protection the customer wish to use. API calls can be encrypted with TLS/SSL to maintain confidentiality; the AWS Console connection is encrypted with TLS.

Availability and resilience

Guaranteed availability
Availability SLA is 99.95%. Failure to meet agreed level of availability will result in service credits awarded to to the customer.
Approach to resilience
Zoocha cloud infrastructure is build on AWS. The AWS Business Continuity plan details the process, in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that system recovery and reconstitution efforts are performed in a methodical sequence, minimizing system outage time due to errors and omissions. Zoocha have implemented a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and distribution of instances/ data stores within multiple geographic regions across multiple Availability Zones.
Outage reporting
Email alerts.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
IAM provides user access control to Zoocha services, APIs and specific resources. Other controls include time, originating IP address, SSL use, and whether users authenticated via MFA devices.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
Zoocha implement formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment. Employees maintain policies in a centralised and accessible location. Leadership involvement provides clear direction and visible support for security initiatives. The output of Leadership reviews include any decisions or actions related to: • Improvement of the effectiveness of the ISMS. • Update of the risk assessment and treatment plan. • Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS. • Resource needs. • Improvement in how the effectiveness of controls is measured. Policies are approved by Zoocha leadership at least annually or following a significant change to the infrastructure.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to Zoocha services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation. Teams set bespoke change management standards per service, underpinned by standard Zoocha guidelines. All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party. Emergency changes follow Zoocha incident response procedures. Exceptions to change management processes are documented and escalated to Zoocha management.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Zoocha perform vulnerability scans on the host operating system, web applications, and databases in the AWS environments. Approved 3rd party suppliers conduct external assessments (minimum frequency: annually). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities. Zoocha monitor newsfeeds/vendor sites for patches. Zoocha are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for customers instances/ applications.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Zoocha use monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor: • Port scanning attacks • Usage (CPU, processes, disk-utilization, swap rates, software-error generated losses) • Application metrics • Unauthorized connection attempts Near real-time alerts flag potential compromise incidents, based on set thresholds.
Incident management type
Supplier-defined controls
Incident management approach
Zoocha Drupal Cloud CMS incident management process is: Logging (creating a story for the incident in the dashboard and assigning severity level); Validation (review and clarification by the support team); Assignment (assigning story to relevant team member), Analysis (estimate of time required to resolve); Resolution (completion of the story ready for acceptance by the Client); Tracking (assignment of unique reference number and ability for Client to follow each ticket in order to receive notifications of any changes to the ticket); Escalation (recorded method of escalating to Directors); Acceptance (closure of the ticket via ‘one click’ acceptance by the Client).

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£600 an instance a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zoocha.com. Tell them what format you need. It will help if you say what assistive technology you use.