Backup as a Service (BaaS)

Venom IT's online backup services give you “hands-free” automated backups - from full server backups to simple file sharing. Venom IT cloud servers are located in Tier 3, ISO27001 data centres. Archiving, Backup, Disaster Recovery,
Data Warehousing,
SQL, MySQL, NoSQL database,
Relational, Network and Hierarchical databases,
Object/Block storage


  • Archiving, backup and disaster recovery
  • Data warehousing
  • SQL, MySQL, NoSQL database
  • Relational database
  • Network databases
  • Hierarchical databases
  • Object storage
  • Block storage


  • Easy scalability & flexibility
  • Great user privilege control
  • GDPR compliance
  • Reduces human error
  • Fast & easy rollback in case of disaster


£22 to £60 a user a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

2 3 3 1 2 9 1 9 5 6 0 6 0 0 6


VenomIT James Hegarty
Telephone: 0330 202 0220

Service scope

Service constraints
1) Regular maintenance is usually scheduled over weekends in the early hours, and urgent patches are done on weekdays around midnight, during which times certain services may be temporarily unavailable or slow.
2) User's on-site Internet speed/reliability could affect performance
System requirements
  • Windows*
  • Mac OS*
  • Android*
  • Linux*
  • Laptop**, PC**, smartphone, tablet, thin client**
  • *Latest OS recommended, older OSes may be supported
  • **Recommended

User support

Email or online ticketing support
Email or online ticketing
Support response times
Mon-Fri 8am-6pm: Full remote support, 2-hour SLA
After hours: Emergencies only*, 2-hour SLA

*After hours full remote support is available at extra cost, various packages available
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
The three levels are (1)Office Hours (2)Out-of-office Weekdays, and (3)Weekends, with Remote/Onsite/Both permutations.
Full remote support, Mon-Fri 8am-6pm is included at no charge
24/7/365 Emergency support, included at no charge
If support is required outside of the cloud infrastructure discuss with your technical account manager the costings, as these range from £10-£60 per user PCM, depending on options taken such as full/remote/onsite or antivirus/system monitoring/both.
The Support levels have a standard 2 hour-response SLA. We provide on-site support as and when required if this option is taken on initial agreed contract and also provide out of office hours support for those clients that request such service. All support services we provide are handled by our in-house cloud support technicians with escalation to engineers if required.
Support available to third parties

Onboarding and offboarding

Getting started
1) Scoping of project
2) On-boarding and user acceptance testing
3) Handover, along with documentation
4) Follow-up, sometimes including onsite training
5) Free support calls to support line
Service documentation
Documentation formats
End-of-contract data extraction
That depends on the new supplier - usually a VPN is set up and all data is transferred, verified then deleted. Another option is the postage of an encrypted disk(s) but that would incur a small additional charge.
End-of-contract process
Usually about a week before end date, all data is transferred to the new supplier via VPN, then one final sync is performed on the stipulated handover date, the transferred data is verified by the new supplier, then deleted from our servers.
Transferring the client's data via VPN is free, posting encrypted physical disks will incur a reasonable charge.

Using the service

Web browser interface
Command line interface


Scaling available
Scaling type
Independence of resources
Kemp load balancers and NetScaler are in place to ensure each server cluster runs at optimal efficiency. Each SAN unit has more than 50% free space (depending on compression) in order to accommodate unexpected requests from clients for more space. The SAN units run on a 40 Gb iSCSI network ensuring high performance even under high demand.
Usage notifications
Usage reporting
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • Files & documents plus file structure & user permissions
  • Relational databases
  • Network databases
  • Hierarchical databases
  • SQL, MySQL, NoSQL database
  • Other database services
  • Block storage
  • Object storage
  • Veeam repositories
Backup controls
Backups are performed automatically. Remember that there are 2 replicated Active-Active data centres, which means there is always an automatic, live duplicate. Internally, each DC backs up as follows: 2-hourly SAN snapshots, 50 snapshots are kept.
A daily VM-level backup is made using Veeam technology. These backups are kept for 21 days.
AHSAY backup software enables us to restore individual files/directories without having to restore the entire server. These backups are kept for 365 Days.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Downtime in any given calendar month - Credit Given:
< 99.90% refunds 5% of Recurring Fees
< 99.80% refunds 7.5% of Recurring Fees
< 99.70% refunds 10% of Recurring Fees
< 99.60% refunds 12.5% of Recurring Fees
< 99.50% refunds 15% of Recurring Fees
< 99.40% refunds 17.5% of Recurring Fees
< 99.30% refunds 20% of Recurring Fees
< 99.20% refunds 22.5% of Recurring Fees
< 99.10% refunds 25% of Recurring Fees
A maximum of 25% will be refunded in any given month
Approach to resilience
3 DCs - 2 are in mirrored, Active-Active array, 1 runs as Backup only but can be retasked into Active mode. Additionally, services are modular in design, limiting the impact of hardware failures.

Further details available on request
Outage reporting
Our CRM system is linked with Veeam, VMware (Vcentre) and CentraStage, and automatically creates tickets for any outages. There is also a public dashboard with optional email/text alerts (user's choice).

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
ISO27001 and ISO27017 and Venom IT Router and Switch Security Policy apply. Routers and switches must use TACACS+ for all user authentication. Telnet, FTP, and HTTP services are disallowed. Cisco discovery protocol, dynamic trunking, scripting environments, TCL shell etc are disabled. NTP is configured to standard source.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
QMS International
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Annex 11.1.5 Secure Areas (Not Applicable)
Annex 11.1.6 Delivery & Loading Areas (Not Applicable)
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO27017
  • IOS27018
  • Security to NSI Gold Approved BS5979 (Active-Active DCs only)
  • PASF (Police Approved Secure Facility - Active-Active DCs only)
  • Cyber Essentials
  • PCI DSS (Active-Active DCs only)
  • NHS Data Security and Protection Toolkit

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
59 policies in total as per ISO27001 & ISO27017 for security and ISO9001 for quality. Due to the mostly flat organisational structure, reporting is done either directly to the Tech Director or the Quality Manager. Continual internal audits ensure that policies are followed, and annual external audits on ISO standards ensure compliance.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Configuration standards are mostly based on ISO standards, whilst continuous improvement is done through a combination of ISO and ITIL standards.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
ISO27017 code of practice for cloud providers applies. Threats are assessed on an ongoing basis through network audits and risk assessments. Due to the occasional release of defective patches, they are never deployed immediately but after one week. Patches are deployed on test servers first, before deployment across the entire network.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
ISO27017 code of practice for cloud providers and Venom IT Network Systems Monitoring Policy apply. Potential compromises are identified via log monitoring (Autotask tickets, NetScaler logs, server event logs, antivirus logs, firewall logs etc.) as well as pen testing. When a potential compromise is found, an emergency RFC is submitted to the CAB for faster approval. All security incidents are handled immediately.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
ISO27001 standards and ISO27017 code of practice for cloud providers apply, along with IS0 27002: Clauses 16.1.1 (Responsibilities and Procedures) and 16.1.2 (Reporting Information Security Events) and Venom IT Information Security Incident Reporting Policy.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
We have different platforms in each DC, employing VMware, Hyper-V, Citrix XenServer and Red Hat Virtualisation
How shared infrastructure is kept separate
Each organisation is confined to its own virtual private network, their own segregated virtual LAN, with no access to any of the other virtual networks. Reverse proxies are used to segregate internal traffic.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
PUE <1.5
Work with Growth Hub Energy Efficiency Scheme
Upgrades currently in process with further CO2 reductions and energy saving underway


£22 to £60 a user a month
Discount for educational organisations
Free trial available
Description of free trial
A full, working backup will be created to be assessed by senior decision makers. Trial period is usually 1 month and includes support.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.