twentysix Limited

DevOps Integration

At twentysix, we embrace DevOps culture throughout website development and delivery, integrating Agile tools like Confluence, Jira and Teams with development tools like GitLab, TeamCity, Octopus Deploy, GitHub and Azure DevOps to make automated CI/CD pipelines, provisioning and deploying to multiple environments in public/private clouds using Infrastructure as Code.

Features

• Automated unit, integration and frontend acceptance testing
• Continuous Integration and Deployment (CI/CD)
• Cloud hosting/provisioning on Azure, AWS, Docker and private clouds
• Code security analysis, PEN testing and vulnerability scanning
• Code standards analysis and linting
• GitOps, Git Flow and Source Code Management (SCM)
• Infrastructure as Code (IaC)
• Monitoring, alerting, dashboards and information radiators
• Performance benchmarking
• Software package management and versioning

Benefits

• Automate manual tasks for greater accuracy, speed and efficiency
• Eliminate many bugs in production with robust test automation
• Empower teams to “shift left” and fix issues early
• Improve a website’s operational support
• Increase quality by reducing unplanned rework
• Lower costs with automation and temporary test environments
• Promote team collaboration and efficiency, reduce silos and hand-offs
• Reduce time to market, move fast and deliver quickly
• Release features and fixes quickly and often
• Shorten cycle time – translate requirements to working features faster!

£350 to £895 a person a day

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Lorna.Foott@twentysixdigital.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

297551593232482

Contact

Lorna Foott
0800 320 2626
Lorna.Foott@twentysixdigital.com

Service scope

• Service constraints: Generally there are no service constraints, though this may change dependent on requirements
• System requirements: Service may require a license

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We respond inline with our SLA’s as the minimum for all tickets. ; ; Weekend coverage only covers P1 tickets (should this coverage have been selected), this is via a direct out of hours phone number, which is then supplemented by a ticket in the service desk.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: N/a - this is something that we are happy to offer if a client requires it but we have not provided any to date.
• Onsite support: Yes, at extra cost
• Support levels: Twentysix provides two core support levels and can also work to create bespoke support packages around our client’s needs. ; ; For in-hours coverage you receive coverage within twentysix’s UK Office hours (9AM to 5:30PM, Monday to Friday). ; ; For 24/7 support you will receive coverage within twentysix’s UK Office hours (9AM to 5:30PM, Monday to Friday) plus 24 hours support coverage - consisting of 15 and a half hours, out of hours coverage (17:30 to 09:00 the following day, Monday to Friday). In addition, you receive 24 hours support coverage on bank holidays and weekends. ; ; SLAs govern guaranteed response times.; ; We can provide bespoke support packages to fit your needs. ; ; Cost is dependent on the coverage and amount of hours support required.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We offer full on-boarding sessions with training on any hosting platform and associated services which we provide, this includes phyiscal meetings as well as documentation and webex/remote training/onboarding.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • Other
• Other documentation formats: Video
• End-of-contract data extraction: We have a full off-boarding process for the purposes of handing over data and other assets at the end of a contract. After agreement of a secure way in which to transfer data we commit to delivering that content to an agreed repository within an SLA'd timeframe.
• End-of-contract process: We have a full off-boarding process for the purposes of handing over data and other assets at the end of a contract, as well as closing off the contract formally and ensuring that all contractual requirements have been met in relation to the closure of work. This is all done as either project cost or T&M depending on agreement.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Resources are strictly segregated to ensure that no client needs or requirements have the ability to impact others. More detail on how we accomplish this is available on request.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Various (Microsoft, Amazon)

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• Backup controls: Backups are managed manually through your client services liason within the agency.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users contact the support team to schedule backups
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: As a fully ISO 27001 certified development partner we ensure at the start of any project that mechanisms are agreed for the transfer of data between parties. This is hugely dependent on the buyers requirements; twentysix can usually find a way to deliver against any requirement that the buyer may have.
• Data protection within supplier network:
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: All of our services have a base level availability target of 99.90%, subject to the level of service taken out. This can be increased subject to requirements and costs. ; ; Refunds are returned as service credits.
• Approach to resilience: This is on a case by case basis dependent on client requirements - but could involve load balancing, replicated data, CDN or other technologies. Further information relating to our service resilience is available on request.
• Outage reporting: Outage reporting is delivered via email alert or through public dashboard.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Restriction can take place using a number of different mechanisms from IP restriction through to locked out accounts.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: MQA, certificate 0549
• ISO/IEC 27001 accreditation date: 18/07/16
• What the ISO/IEC 27001 doesn’t cover: Our entire Leeds organisation is covered by our ISO 27001 certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Information relating to our security policies is available upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: As part of our ISO 27001 certification, change control and configuration management is vitally important to twentysix. We have a change management process which we are happy to supply upon request.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: As part of our ISO 27001 certification vulnerability management is vitally important to twentysix. We run a risk identificiation & management based model for any identified vulnerability. Threats are generally identified through subscription to a number of services, including manufacturer/developer websites and email lists. Any fix is generally audited by our IT/IS team against the types of systems we are running internally. Depending on the findings of the IT/IS team, fixes are rolled out ASAP in line with internal and client requriements. We have a full vulnerability management process which we are happy to supply upon request.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: As part of our ISO 27001 certification, monitoring is vitally important to twentysix. We have a full monitoring process & procedure which we are happy to supply upon request.
• Incident management type: Supplier-defined controls
• Incident management approach: As part of our ISO 27001 certification, incident management is vitally important to twentysix. We have a full incident management plan which we are happy to supply upon request.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Hyper-V
• How shared infrastructure is kept separate: Logically seperated using Virtualization technology.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: We use a variety of hosting providers, all adhere to the EU code of conduct.

Pricing

• Price: £350 to £895 a person a day
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Lorna.Foott@twentysixdigital.com. Tell them what format you need. It will help if you say what assistive technology you use.