EPiServer AB

Episerver Digital Experience Cloud Service, Commerce

Episerver’s platform for digital commerce forms part of Episerver's "Digital Experience Cloud" platform which enables you to provide outstanding customer experiences that help you drive sales across all channels and markets.


  • Elastic scaling to support traffic peaks and bursts
  • Based on the latest Microsoft cloud technology, Azure Web Apps
  • Optimal performance via a content delivery network (CDN)
  • Separated environments for integration/test, preproduction and production
  • Best-of-breed services from vendors via connectors and add-ons
  • 24x7x365 global operations, maintenance and support
  • Detailed online reports show you website and transaction performance
  • Proactive application and end-user experience monitoring
  • Data backup and retention
  • DDOS mitigation


  • SLA guarantee on your web site being up and running
  • Unlimited number of Episerver web sites
  • Unlimited number of web site users
  • Includes Episerver Find enterprise search product
  • Lower TCO with a fully managed service


£70800 per unit

  • Education pricing available

Service documents


G-Cloud 11

Service ID

2 4 3 2 7 5 6 7 7 0 5 2 9 1 9


EPiServer AB

Edy Alteirac



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Deployment is on public cloud.
System requirements
  • Content editing: IE11, Firefox latest, Google Chrome, latest
  • Development OS: Windows 10|8.1|8, Windows Server 2016|2012 R2|2012
  • Development tool: Microsoft Visual Studio 2017 or 2015

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Minimum response within 2 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels All Episerver Digital Experience Cloud Service contracts include 24/7/365 support and is not charged separately.

Each client gets an account manager and dedicated service level manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Episerver Digital Experience Cloud Service is a platform as a service. Once implemented by an Episerver implementation partner or customer the final solution is deployed to Digital Experience Cloud Service. Once deployed (or before deployment) Episerver can provide classroom and on-site training and also provides online documentation for using Episerver.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction A request is made to the Episerver Managed service desk for a full back up of the Episerver database and accompanying binary assets. These are supplied within the defined SLA period for the managed service desk.
End-of-contract process If termination has been requested then there are no additional costs for ending the contract after the original contract period. If a contract termination requested is received before the end of the period then remaining period must be paid for in order to terminate.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface Browser based user interface
Accessibility standards None or don’t know
Description of accessibility Accessible through a browser.
Accessibility testing None that I am aware of.
What users can and can't do using the API Anything is possible using Episerver's API.
API documentation Yes
API documentation formats HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation - Nearly the entire Episerver suite can be customised if required including all HTML presentation templates, authentication providers, site functionality and Episerver editor functionality.
- Customisation takes place using .net languages such as C# or VB.net and also in Javascript. This work is done Visual Studio.
Anyone with access to the solution source code can customised. This is normally Episerver implementation partners or clients with appropriate development skills who own the overall solution.


Independence of resources Each Episerver Digitial Experience Cloud implementation runs as a single tenant solution with its own dedicated set of resources that scale using public cloud infrastructure.


Service usage metrics Yes
Metrics types The Episerver Digital Experience Cloud Service provides a reporting portal which provides the following KPI information: Average Page Load Time, Page Views, Total Page Views (YTD), Availability, Events and Response Time. Additional KPI's may evolve and be added to the service reporting over time.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported directly from the database or an export can be run that downloads content as a .zip in XML
Data export formats Other
Other data export formats XML as part of a standard Episerver Export
Data import formats Other
Other data import formats XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability SLA for availability starts at 99.7% and moves to 99.9% depending on package. If availability falls below the Service(s) SLA, the Customer has the right to obtain a reduction on the monthly fee for the affected Service(s). The reduction shall correspond to ten (10) percent of the monthly fee for each interval of one (1) hour that the effective availability falls below the SLA for the affected Service(s). For example, if there are thirty (30) days in the month, and the SLA is 99.5% (716 out of 720 possible hours), should actual availability be only 715 hours, the monthly fee will be reduced 10%. The reduction is limited to the actual month when the agreed availability level has fallen short. This compensation shall be Customer’s sole remedy for interruption or delay in Service(s) supplied by Episerver.
Approach to resilience Episerver Digitial Experience Cloud Services are primarily based on Microsoft Azure services and utilise other cloud services. Full details around resiliency are available on request.
Outage reporting Email alerts, public dashboard.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Access management is enforced at different levels in the DXC-S. Episerver's PaaS portal is used to administer and manage a clients DXC-S. Only authorized Episerver users with set permissions are allowed to manage your service, this is controlled via AzureAD, stings are also hard coded in the portal. Client developers are allowed to access the DXC-S's integration (development) environment only, users access must be requested, where they will be set up in AzureAD. Client editors can authenticate with the DXC-S via their own chosen federated security if they wish, Episerver can also restrict access via set IP ranges if required.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Episerver policies and processes on the Digital Experience Cloud Service (DXC-S) is aligned to the ISO 27001 standard (cert. planned for 2018).
Information security policies and processes Episerver's ISMS on the DXC-S has management representative down commitment, with regards to the DXC-S this covers operations, Managed Services, IT, HR, Finance, Facilities, Legal, Product Management, Marketing and Sales. Annual training on Episerver's ISMS (and new starter training for new employees and contactors) will be enforced via our LMS. All employees will receive ISMS training to ensure that their responsibilities are understood and enforced across their duties.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Please refer to Section 9: http://www.episerver.com/legal/episerver-dxc-service-level-agreement/ Episerver development follows an iterative development lifcycle regarding code cahnages. Episerver perform web vulnerability scans that look for the OWASP top 10 vulnerabilities and use the OWASP references as a guide during development. We have a review process for all changes/releases to our software (weekly), restricted to select publishers (who have have been trained against our ISMS). Microsoft Azure teams follow a formal Security Development Life-Cycle process for their services which Episerver consume on our service. For more information, please review: https://www.microsoft.com/en-us/sdl/
Vulnerability management type Supplier-defined controls
Vulnerability management approach The DXC-S uses a WAF to stop attacks at the network edge, protecting your website from common threats and specialized attacks before they reach your service. Microsoft is also protected by an active IDS/IPS system, which uses a number of techniques to detect threats. Microsoft and their Red Team regularly pen test the underlying infrastructure of DXC Service. The Episerver platform is also subject to regular pen tests conducted by customers and partners. If a threats are detected these will follow Episerver’s incident management process and are escalated gaining the highest priority available. Microsoft is responsible for patch management.
Protective monitoring type Supplier-defined controls
Protective monitoring approach DXC-S offers centralized monitoring and analysis systems that provide continuous visibility and timely alerts to the teams who manage the service. We have a number of set triggers and thresholds, benchmarked against typical consumption or behaviour on your website. If unanticipated performance behaviour is detected (for example repetitive behaviour, creating increased scale in the service) we have hooks to alert our service desk to look into the issue and block the traffic if necessary Security incidents will receive highest priority and clients will be notified at the soonest opportunity.
Incident management type Supplier-defined controls
Incident management approach Please refer to Section 10 : http://www.episerver.com/legal/episerver-dxc-service-level-agreement/ Incident Reporting: Please see RFO (refereed in section 10.2), incident reports will be generated for all P1 & P2 incidents describing the issue, root cause analysis and corrective and preventative actions which were taken to resolve the issue. Client contacts will be notified once a support ticket is generated by our Managed Services Team.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £70800 per unit
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑