RDF Cloud Hosting Services

RDF Group Cloud Hosting Services help organisations move from traditional legacy systems and infrastructure to cloud-based architectures and applications. We support our clients to deliver cloud-based systems and services that meet the UK Government Technology Code of Practice and Digital Service Standard.


  • overall cost and risk reduction
  • change management
  • cloud strategy and adoption services
  • cloud managed service
  • Business Analysis as a Service
  • Developement as a Service
  • Project Management as a Service
  • DevOps as a Service
  • Architecture as a Service
  • On/Off site capability


  • reduce operational expense
  • secure and low risk hosting services
  • guided transition with the assistance of our consultants
  • Gain the flexibility to address growing needs
  • All resource employed permanently mitigating any IR35 Risk
  • No utilisation or long term commitment needs
  • On/Offsite capability
  • Costs Fixed allowing you to budget and forecast effectively


£250 to £900 per person per day

Service documents

G-Cloud 11



Iain Marr



Service scope

Service scope
Service constraints RDF are able to expand our offering and services to scale to client needs. Each individual project is assessed for risk, resource need and capacity.
We do not use in-house penetration testing. We hire 3rd parties to maintain objectivity in our security assessment procedures.
System requirements System requirements will be specified during client engagement

User support

User support
Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels RDF Group can provide standard support Monday-Friday 8-6pm. A technical account manager or cloud support engineer will be appointed, as requested.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started To help users get started, RDF provides dedicated staff to train and set up accounts for access to documents and tutorials to help our clients begin using our service. In addition, clients can nominate higher responsibility individuals and provide bespoke one to one training on more critical tasks.
A dedicated team will be available to engage regularly at the client's request.

Should an organisation require additional support as part of the on-boarding process, such as project management, detailed technical design (etc) - this can be made arranged during client engagement
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data can be extracted and supplied to users in whichever format they choose. RDF are flexible to suit our client's needs. If larger migrations are required then this can be performed with the assistance of our dedicated support team. Resource is made available on request.
End-of-contract process Where a client chooses to terminate their subscription with RDF, we are able to provide support for data extraction and/or migration where reasonable. We will agree a point of service termination with the client when the transition is complete. At this point, our dedicated support and technical teams will cease to provide any services. We will work to ensure that this transition is seamless.

Using the service

Using the service
Web browser interface Yes
Using the web interface Users can use a web interface to access their own data hosted by RDF. Changes are made through a bespoke designed and developed interface tool depending on the client need. The nature of permitted changes will be dependent on agreed user privilege and critical changes will not be permitted unless agreed with our engineers.
Web interface accessibility standard WCAG 2.1 AA or EN 301 549
Web interface accessibility testing Each bespoke interface developed for a client is taken though a rigorous delivery process. WCAG 2.0 AA standards are embedded in our analysis, design, development and testing processes. Assistive technology users are active in each step of the process, ensuring that these standards are met. Bespoke interfaces must be signed off by our accessibility team and our 3rd party accessibility consultants before release to a client.
What users can and can't do using the API API capabilities are determined with clients on an individual basis. Typically our API's allow:

Integration with databases, messaging systems, portals, and even storage components.

Application level API's where CRM and ERP (etc) applications interact with and manipulate data
API automation tools
  • Ansible
  • OpenStack
  • SaltStack
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
Command line interface Yes
Command line interface compatibility Linux or Unix
Using the command line interface This service is set up for each client and training is offered on-site where the client agrees.
Changes are made through scripts and commands typical to UNIX command lines
Limitations are applied to user types as agreed with clients


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Our key performance indicators, detailed in client agreements are constantly checked against SLA’s to ensure compliance and We have a dedicated team for each client ensuring that software is kept up to date and security updates are applied urgently, in addition to a dedicated technical support team. We also offer managed service dedicated teams, who are employed on a PAYE basis which mitigates any IR35 risk to end customer and can be used as augmented contract resource. Our resources can be provided as teams or as individuals covering specialisms such as project management, analysis, development and DevOps.
Usage notifications Yes
Usage reporting
  • API
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
Reporting types
  • API access
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Documents
  • Emails, instant messaging conversations on in-house apps
  • Code, virtual machine data, databases
  • Call data
  • VOIP calls and data
Backup controls Schedules, content and structure of data are agreed with the client during our initial engagement. Our teams will work with the client to ensure that their data is stored securely and backed up in accordance with their needs.
Datacentre setup Single datacentre with multiple copies
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability SLA subject to individual contract as required.
Approach to resilience Available on request
Outage reporting We are able to provide a live dashboard in addition to Email alerts. Additional measures can be agreed with the client during engagement.

Identity and authentication

Identity and authentication
User authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Access is only granted to users that have been approved by both RDF and the client. Any users not approved will not have access to the service and will not be given any log in details. Any approved users will be given credentials from the technical support team, and only given access to areas agreed with the client. Technical support team will only communicate with approved individuals. Any non-approved individuals will need to be approved by the nominated client management contact.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO 27001. GCN. PSN. NCSC

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach RDF employ a third party to perform penetration testing and ensure that all software is up to date with the latest vulnerability patches analysed and implemented in an impartial manner. Gaps and vulnerabilities are logged and given a severity and urgency level, before being added to a backlog of high priority changes to be added to the system. Changes are performed in line with our SLA's with the client and reports are regularly generated to keep clients updated about changes and patches made to the system. We can also provide managed test teams to work on/offsite.
Protective monitoring type Supplier-defined controls
Protective monitoring approach RDF have a protective monitoring system where all logs are centralised and checked on a daily basis for security breaches using several key search filters. Alerts are sent out for high risk activity and are pro-actively responded to by the operations and security teams.
Incident management type Supplier-defined controls
Incident management approach Incident management processes are agreed with each client during engagement. Typically, incidents are logged with our support team and managed in accordance with our agreed SLA's. Incidents are marked with a severity and then progressed by our technical support teams.
Clients are regularly provided with reports regarding incidents, frequency and content of these reports are agreed with clients during engagement

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres No


Price £250 to £900 per person per day
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑