Proctor + Stevenson

Drupal SaaS development

Fully customised SaaS development using the Drupal 8 framework for global digital services. P+S are Acquia partners. Open-source, supports complex integrations into other business processes and tools.

Features

  • Drupal 7 and 8 development, configuration and deployment
  • Drupal 9 audit and transition planning
  • Developers certified for Drupal
  • Responsive, mobile Drupal theming
  • Drupal multi-site and multilingual publishing
  • Elastic search engine support
  • Acquia foundation partner
  • Accessibility WCAG AAA
  • Integrations CRM Salesforce

Benefits

  • Specialists in decoupled Drupal and content delivery via APIs
  • Cyber Essentials and build to Information Security Standards
  • AWS Managed hosting and DevOps support
  • Quality Assurance and testing from planning through to build
  • UK based core team supported by extended global team
  • Website audits, comparative analysis, user personas, user experience
  • Support and maintenance services
  • Systems and solution architecture consultancy
  • Client experience from Start ups, SME, Global multi-nationals, charity
  • Prince 2, SCRUM and agile project management

Pricing

£600 to £800 a person a day

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at new.business@proctors.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

196016173576259

Contact

Proctor + Stevenson Sophie Harris
Telephone: 01179232282
Email: new.business@proctors.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
No.
System requirements
  • Internet connectivity
  • Modern web browser
  • Access to private trusted network (private / hybrid cloud only)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is available between standard UK working hours (Mon-Fri, 9am to 5:30pm).

24/7 support is available for additional cost.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
N/a
Onsite support
Yes, at extra cost
Support levels
Our support services include a full support team, from Level 1 (helpdesk) and Level 2 (application expert) to Level 3 (software architect). We will build a support solution based on the customer's requirements, which can range from a monthly retainer to an advanced hours arrangement where hours are bought up front.
The standard SLA for the highest severity level is a response time of 15 minutes and a resolution time of 4 hours.
- UK office hours support, with out-of-office on-call support available
- Software patch updates on the core application and installed modules
- Security vulnerability patches for Drupal and installed modules
- Regression testing after software updates
- System diagnostic response to alerts
- Site monitoring support
- User Support requests
- Support diagnostics
Support available to third parties
No

Onboarding and offboarding

Getting started
Training is available, either on site or via VC.

Documentation is supplied, including user manuals, wireframes, SOWs and technical specifications.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Proctor and Stevenson require 3 months' notice for contract termination. Data and assets can be exported using standard tools.
End-of-contract process
Proctor and Stevenson require 3 months' notice for contract termination. The full source code of the application will be provided. Full access to any database and physical assets is also provided.
If we need to continue providing services for managed hosting, this would be at additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
We build all of our applications to be optimised for all devices as part of our standard service.
Service interface
Yes
Description of service interface
It allows us to track and monitor support requests while also maintaining transparency with the client.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
N/a
API
No
Customisation available
Yes
Description of customisation
We can customise our service during the scoping stage of the project.

Scaling

Independence of resources
The service is hosted on a managed cloud-based hosting provider (AWS), which fully supports various features to ensure security and reliability.

This includes dedicated hosting, VPNs, NACLs, autoscaling to manage temporary increases in traffic, and private object storage.

Analytics

Service usage metrics
Yes
Metrics types
Edit
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Tools and modules available with Drupal allow users to export or migrate data either manually, on an ad-hoc basis, or automatically.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We offer 99.95 uptime on applications that we manage, and there is an annual SLA agreement. Should the requirements of the SLA not be met, refunds are available on a pro-rata basis.
Approach to resilience
Using AWS our service can be deployed in any number of regions and availability zones to ensure resilience according to your requirements and the location of your users. This is designed to eliminate single points of failure. Additionally, we can implement auto-scaling groups to ensure the service can expand and contract according to demand, maintaining maximum performance and cost efficiency.
Outage reporting
We use monitoring software on the application and the cloud servers to instantly alert our team to any problems. This alert is distributed to the on call team through a combination of telephone, email, SMS and notification messages.

Additionally we offer 24/7/365 support depending on requirement.

Identity and authentication

User authentication needed
No
Access restrictions in management interfaces and support channels
- Username and password
- 2-factor authentication
- API authentication using tokens, OAuth or JWTs available as required.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We adhere to best practice and comply with ISO governance.
Information security policies and processes
The whole company conforms to best practice security policies based on ISO information security foundations. All team members are trained in information security procedures.

The fundamental approaches to security are followed, which include:

- Data in transit or at rest is encrypted.
- Access to all of our systems is tightly managed and authorised.
- All transactions are stored and logged.
- Business continuity and disaster recovery procedures are in place.

Any breach is reported to the Data Protection Officer.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
1. Identify the need for a change (Stakeholders) – Change requestor will submit a change request ticket to the project manager.
2. Log change in Redmine (Project Sponsor) – The project manager will keep a log of all requests.
3. Evaluate the change (Project Manager, Team, Requestor) – impact on risk, cost, schedule, and scope and seek clarification from team and client.
4. Submit change request to Change Control Board
5. Obtain Decision on change request (CCB)
6. Implement change (Project Manager) – If change is approved by CCB, the project manager will update and re-baseline project documentation as necessary.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All software is updated monthly, including security updates, from the OS layer up. We are subscribed to the update services for all of the application software. All major updates are tested in a test environment before being deployed to production. Security updates are evaluated on notification to determine if they should be deployed immediately or in the next regular monthly update.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Drupal has a dedicated security team that monitors, announces and releases security updates. P+S are notified when a security update is available so that we can assess whether it's applicable for your application. With monthly support contracts, these updates can be applied with the highest priority.

Our managed hosting solutions with AWS follow best practice guidelines from AWS in terms of security and networking. Without monthly DevOps support contracts we ensure any software running in the cloud is kept up to date. As an AWS partner we are kept up to date with any incidents and changes.
Incident management type
Supplier-defined controls
Incident management approach
All incidents are promptly reported to our on call team and investigated according to an agreed SLA. Incidents can be reported automatically, through our monitoring software, or manually through our issue tracking system. Upon resolution, RCA reports are provided and any additional actions resourced and progress tracked.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£600 to £800 a person a day
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Free requirements analysis.
If you are unsure about this approach and the best way to meet your requirements, we can allocate some time with you to review these requirements and determine the best strategy to achieve your goals.
