Webcurl Ltd

Drupal Managed Cloud Hosting

Drupal Managed Cloud Hosting

Features

  • 99.5% uptime SLA on Standard Dedicated Server
  • Production and Staging environments for each domain being hosted
  • Linux operating system management including security patching
  • Git version control, using private Github repositories
  • Public sector specialism
  • Drupal specific measurement monitoring
  • Kubernetes Infrastructure and monitoring with BigPanda, Sealion, Nagios, or Monit
  • ISO 27001 certified
  • ISO 9001 certified
  • ApacheSolr for fast website search indexing

Benefits

  • Drupal specific support over and above traditional hosting providers
  • Proactive performance troubleshooting and optimisation
  • Single point of contact
  • Low cost of hosting and management
  • High Availability
  • Secure
  • Resilient dedicated hosting

Pricing

£3,500 to £12,000 an instance a year

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

1 8 3 3 6 9 2 6 8 2 7 0 6 6 7

Contact

Webcurl Ltd Colin Sherry
Telephone: 01865 741762
Email: colin.sherry@webcurl.co.uk

Service scope

Service constraints
No
System requirements
Drupal CMS

User support

Email or online ticketing support
Email or online ticketing
Support response times
2 hours - Monday - Friday, 24/7 online portal, Out of hours support available for critical issues
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our support packages are based on time used and is billed in 15 minute increments. The cost of a support contract is determined by the amount of time purchased in advance and is detailed below. Time Block Cost per block 10 Hours - £ 1,100 20 Hours - £ 2,000 30 Hours - £ 2,800 50 Hours - £ 4,500 100 Hours - £ 8,400 200 Hours - £ 15,000 Webcurl provides an initial response within 2 hours for critical tickets with a proposed action and resolution timescale being posted within 4 working hours. Other tickets will be acknowledged within a maximum of 4 hours with a proposed action and resolution timescale being posted the same day. Webcurl provide help-desk support via telephone, e-mail and the online portal during the hours of 9.00am to 5.00pm UK time (excluding weekends and days which are public holidays in England).
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We would generally provide the initial setup for clients as part of a wider hosting service offering. Should direct training be required this can be facilitated along with documentation.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
All data will be returned to the customer via a backup of the MYSQL database and the supporting software which is located in our GIT repository, This extraction can also be performed on an on going basis by the end user at any point of the contract lifecycle. As we use open source technology, the system can be restored freely on a new platform by another vendor or the end user
End-of-contract process
In the case a client wishes to seek services elsewhere, a handover meeting is booked with the new agency and we collaborate with them to ensure smooth transitioning.

Using the service

Web browser interface
No
API
No
Command line interface
Yes
Command line interface compatibility
Linux or Unix
Using the command line interface
If required users can have secure ssh access to the root system of the platform. We are offering a managed solution therefore it is recommended that the management of the platform is provided solely by Webcurl personnel.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
The platform is designed and scaled with excess capacity up to 50% above anticipated requirements of all customers. This is monitored and adjusted appropriately.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Databases
  • All files
  • Platform Software
Backup controls
As this is hosting for a specific product the backup schedule is governed by Webcurl. This can be changed on an ad-hoc basis if required via a support request.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
99.5% uptime is guaranteed by Webcurl

In the event of a failure to meet the specified service levels a service credit can be applied for by the customer. The details of the service credits available are detailed in Webcurl's Terms & Conditions.
Approach to resilience
We use Kubernetes clusters to scale and distribute our hosting platform.

Details are available on Request
Outage reporting
Incidents (high error rates, unusual resource usage, etc) and outages (service failure, web site unavailable, etc) are reported directly to responsible parties via e-mail and our internal chat system where teams can coordinate and resolve issues.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Only relevant management is allowed to access certain areas of the platform and this is restricted by a secure shell
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
CQS Ltd
ISO/IEC 27001 accreditation date
01/02/2018
What the ISO/IEC 27001 doesn’t cover
Our whole service provision is covered by ISO/IEC 27001 certification.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Security Plus
  • ISO 9001

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a number of information security policies as dictated by ISO 27001. These include:
-Information Security Policy
-Access Control Policy
-Anti-Piracy Policy
-Backup Policy
-Bring your own device (BYOD) Policy
-Cloud Computing Policy
-Email & Internet Acceptable Usage Policy
-Leaving Policy
-Network Systems Monitoring Policy
-Password Policy
-Remote Access and Mobile Computing Policy
-Social Media Policy
-Virus Protection Policy

Our information security manual is reviewed and tested annually. The testers and external auditors report their findings to the board.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We control our configuration and change management processes through our ISO27001 and ISO9001 policies
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
All processes and policies are detailed within an internal system which is available for review on request. The system fully supports all policies and processes required for ISO 27001.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All processes and policies are detailed within an internal system which is available for review on request. The system fully supports all policies and processes required for ISO 27001.
Incident management type
Supplier-defined controls
Incident management approach
All processes and policies are detailed within an internal system which is available for review on request. The system fully supports all policies and processes required for ISO 27001.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Red Hat Virtualisation
How shared infrastructure is kept separate
We use a number of virtualisation technologies like KVM, VmWare, Kubernetes and linux containers. We operate public and private clouds depending on the client requirements. Separate VLANs are implemented to ensure client separation. If required by the client separate storage solutions can be employed to further separate client data.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
In the wake of huge rises in the costs of commercial power and electricity over the last year, combined with an ever increasing awareness of the environmental consequences of a power-hungry society, our data centre partner are committed to investing in and researching energy efficient hosting systems. They are taking the following steps:

1) To continue to develop and promote Miniservers™ as the ideal basis for mass server consolidation.

2) To invest in the latest power-efficient server technologies, and to keep pressure on our primary suppliers (Dell & Sun) to drive forwards improvements in computing-per-Watt.

Pricing

Price
£3,500 to £12,000 an instance a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Hosting for 1 month

Service documents