Sitecore Experience Cloud

Sitecore Experience Cloud is a complete digital marketing suite with everything you need to create the most powerful, relevant and individualised customer experiences. The Sitecore® Experience Platform™ (XP) combines the content management power of our market-leading CMS with contextual insights from the Sitecore® Experience Database™ (xDB).


  • Built on the market-leading web CMS Sitecore Experience Manager
  • Marketing automation
  • Sitecore Cortex™ machine learning for optimised business outcomes
  • Sitecore® Experience Database™ collects real-time customer data
  • Scalable campaign management, advanced analytics, testing, optimisation
  • 24x7x365 global operations for maintenance and support
  • Interchange data using Sitecore xConnect
  • Testing and optimisation capabilities
  • Headless option via the Sitecore® Experience Accelerator (SxA)
  • Sitecore Experience Commerce (XC) personalised shopping experiences


  • Deliver omnichannel experiences across print, web, mobile, social, email
  • Easy, quick personalisation without months of training or implementation
  • Machine learning optimises experience and outcomes
  • Incorporates native tools digital marketers need for omnichannel delivery
  • Generates real-time actionable insights from customer behaviour
  • Scaled service to suit your traffic and content needs
  • Deliver spot-on, in-context marketing throughout the customer life cycle
  • Integrates with hundreds of third-party marketing solutions
  • Connect data between Sitecore and CRMs, POS, ERPs, PIMs, etc
  • Omnichannel marketing at scale.


£5000 per licence per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

2 5 0 4 5 2 0 0 7 5 7 7 0 2 0



James Davis

0113 399 4076

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints Usage is subject to an End User Licence Agreement
System requirements
  • Content editing requires IE11+, latest Firefox or Google Chrome
  • Minimum infrastructure specification applies for Private Cloud option

User support

User support
Email or online ticketing support Email or online ticketing
Support response times With standard support, 1 business day for high priority, 3 days for low priority. Premium support offers 1 hour (high priority) and 2 business days (low priority).
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Sitecore offers standard (office hours) and premium (24x7) support levels for platform and application. Sitecore support staff include cloud support engineers.
CDS provides 3rd line code support for your specific codebase, subject to agreeing a separate CDS support and maintenance agreement - charged at standard rates based on an agreed time provision.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started CDS undertakes discovery, design and development processes appropriate to your requirements, through to full system testing.

CDS provides tutor-led, on-site training for editors and administrators, and template user guides. Sitecore provides certified training courses and online user documentation for the application.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Customers can request termination of a Sitecore Managed Cloud subscription, via a form.

Sitecore managed cloud gives direct access to databases, enabling
extract of data when needed.

CDS can provide additional Exit Planning and Management services upon request.
End-of-contract process Sitecore managed cloud gives direct access to databases, therefore you can backup and extract data when needed via the API. CDS can provide Exit Planning and Management services to assist in the transition at additional cost, on a capped time and materials basis.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Core content and experience management features are available on mobile. See for details.
Service interface No
What users can and can't do using the API Sitecores API's can be found here -
API documentation Yes
API documentation formats HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation Sitecore can becustomised to fit your communications and technology environment. Through our partner services, CDS will help you understand your needs, design and configure your system and integrate with other systems to automate business processes.

The Sitecore Experience Accelerator (SXA) allows content teams to design, assemble and deploy web content across channels with fewer development resources.


Independence of resources Sitecore uses Azure Multi tenant, meaning customers get their own Azure Subscription that is separate from others


Service usage metrics Yes
Metrics types CMS activity, e.g. pages published
Reporting types
  • API access
  • Real-time dashboards


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Sitecore

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach Complies with Azure standard trust policies
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach API's, by default it’s a JSON response
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Further details are available here

Availability and resilience

Availability and resilience
Guaranteed availability Up to to 99.9% subject to host configuration.
Approach to resilience CDS helps customers configure and provision their solution to meet the appropriate resilience levels they require. For example this may mean additional instances for high availability or a DR solution. HA and DR plans can be identified through discovery and added to the commissioning and deployment scope. Native host functionality such as auto scaling and deployment slots provide resilience to the solution where available.
Outage reporting Via Azure AppInsights

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Other user authentication The default security authentication and authorization system is based on the Microsoft ASP.NET membership.

ASP.NET membership can implement different providers in order to store and access credentials and user profiles in different systems. By default, Sitecore uses a SQL based ASP.NET membership provider and the users are stored in the Core database.
Access restrictions in management interfaces and support channels Access security is controlled on three levels:
user - an individual user
role - a collection of users. Roles enable you to assign access rights to a group of users instead of to an individual user
domain - a collection of security accounts

With these three levels of security you can control all user access to Sitecore functionality and website content.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Coalfire ISO
ISO/IEC 27001 accreditation date 22/01/2019
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 30/01/2019
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification Yes
Who accredited the PCI DSS certification On request
PCI DSS accreditation date On request
What the PCI DSS doesn’t cover N/A
Other security certifications Yes
Any other security certifications
  • SOC2
  • ISO27017:2015
  • ISO 27018:2014

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards SOC2
Information security policies and processes CDS maintains a set of security policies aligned with our ISO27001 certification, we are also Cyber Essentials Plus certified. All staff are BPSS cleared at minimum and are briefed on the security policy at induction and ongoing compliance supported by an internal learning management system.

Sitecore maintains its own ISMS for which is aligned to ISO27001. Further details are provided at and

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach CDS provides an overarching ISO20000 compliant change management process for Sitecore implementations, subject to a support agreement.

The customer is responsible for scheduling and performing upgrades of the Sitecore XP platform hosted in Sitecore Managed Cloud. We recommend building these in to your CDS support and maintenance profile.

Sitecore supplies patches or hotfixes for Sitecore product bugs reported by a customer according to the scope of services. We recommend including these in your CDS service profile.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Aspects such as Antivirus, OS patching, and OS configuration are handled by Azure as a part of the services offered (Azure App Service for application hosting, AzureSQL for SQL Server databases).

Azure maintains low-level aspects of its services by ensuring proper performance, protection, and availability on an OS level. For any issues to do with this, Sitecore engages with Microsoft Azure to get a resolution. Microsoft regularly penetration tests the underlying infrastructure.

Any other resources that fall out of the Sitecore service and support scope would be managed by CDS as part of a service agreement
Protective monitoring type Supplier-defined controls
Protective monitoring approach Sitecore Managed Cloud provides full monitoring of the backing system required to execute Service Catalog items.

Levels of monitoring include:

Performance - e.g. levels for Disk Size, Disk IO, RAM consumed, CPU
Logic - e.g. Smart Publishing execution success
Additional Sitecore Managed Cloud monitoring metrics are available.

In case of any alert related to monitored resources, Sitecore Support team contacts the customer (or CDS if acting on your behalf) according to the common Sitecore Cloud monitoring manifiest.
Incident management type Supplier-defined controls
Incident management approach Sitecore offers Standard and Premium support options, address P1, P2, P3 and P4 incidents. For a high-level overview of Support Programs and scope of services provided by Sitecore Support is provided , please refer to the following article:

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5000 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Trial instance available through Azure marketplace. Requires configuration.

Service documents

Return to top ↑