Just After Midnight

Managed Drupal Website Hosting

Full specialist Drupal Cloud Hosting, from DevOps to Managed Cloud, IAAS or PAAS, AWS or Azure, Public, Private or Hybrid. Consultancy, infrastructure, security, migration, scalability, DR.
We can manage everything from design and build to procurement and ongoing management, maintenance and patching including 24 hour "eyes on" monitoring service.

Features

  • Drupal specific hosting expertise
  • Infrastructure and application 1st and 2nd line support
  • 24/7 Managed service with UK/Australia/Singapore based teams
  • Managed Cloud Consulting for ongoing optimisation
  • IAAS, PAAS or Hybrid
  • 24/7 “Eyes on” monitoring with SLA Options
  • Dedicated 24/7 service desk support phone number and email contact
  • Code and content author/editor support
  • Migration planning and support
  • Regular reporting

Benefits

  • Web platform experts on hand to offer the best advice
  • Experienced Drupal hosting architects and engineers
  • Up to 15-minute response time (SLA dependent)
  • Security first approach to projects
  • Independent cloud hosting provider offering unbiased advice and agency support
  • Fully managed to reduce client staff overheads
  • Easy to reach, by phone, email or text 24/7
  • Provides application level support as part of managed hosting contract
  • Each customer has their own dedicated infrastructure, no shared services
  • Experienced in CMS specific issues

Pricing

£2,400 an instance a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@justaftermidnight247.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

3 4 7 8 4 1 5 2 0 5 2 7 5 4 2

Contact

Just After Midnight Sam Booth
Telephone: 02032909247
Email: info@justaftermidnight247.com

Service scope

Service constraints
Standard cloud hosting constraints.
System requirements
Not applicable.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We have 24/7 1st and 2nd line support teams across global offices so response times are unaffected by weekends/public holidays. We offer tiered levels of support which can be adjusted to individual client needs. Just After Midnight defines SLAs for both response and target resolution times. General, indicative SLAs are: P1 issues: Initial acknowledgement within 15 minutes and a target resolution time of 4 hours. P2 issues: Initial acknowledgement within 30 minutes and a target resolution time of 12 hours. We also provide P3 and P4 support levels. Clients can request specialist SLAs for events/expected traffic peaks eg application window.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We offer 1st and 2nd level support which can be adjusted to each individual client's needs. There are too many variables to provide standard support costs as the number of support elements required can vary significantly - including infrastructure, environments, level and hours of support, licensing and implementation eg SSL and CDN etc. Just After Midnight defines SLAs for both response and target resolution times. These can be client specific but our general indicative SLAs are:
P1 issues: Initial acknowledgement within 15 minutes, a response time with diagnosis of 1 hour and a target resolution time of 4 hours.
P2 issues: Initial acknowledgement within 30 minutes, a response time with diagnosis of 1 hour and a target resolution time of 12 hours.
We can also provide P3 and P4 support levels.
Clients can request specialist SLAs for events or expected traffic peaks eg an application window, providing an advanced SLA. This is available upon request. Just After Midnight has several Technical Account Managers on hand to provide support as required. As it is cloud based service, onsite support is rarely required. However, for consultancy and if on premise work is required then this can be handled ad hoc.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Just After Midnight engages with clients in face to face meetings where possible as well as tele/video conferencing to undertake full scoping and onboarding activities. We look at the background, issues, any constraints and concerns and what a client wants and needs to achieve. We agree access and what level of support is required - we can provide everything from in hours support to fully managed 24/7 support. We recommend and agree monitoring thresholds and provide regular reporting. We work as independently or collaboratively as fits best with your needs and can provide documentation and upskilling for internal teams. We also provide training for any systems such as our ticketing system so you are fully equipped.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
This needs to be requested from Just After Midnight (following notification of termination of contract if prior to end of contract) and can be provided in any format as required. If there are server-side applications then the content and data will be transferred in the most appropriate method agreed eg, encrypted disk, via SFTP or other. This happens within 7 days of the request unless the hosting is being transferred and this is not required as they would own it.
End-of-contract process
If the contract is rolling then no action need be taken, although there may be an annual fee increase in line with external costs. This provision will be included in any SOWs. If the contract is for a fixed period, then you will need to confirm whether or not you wish to renew the contract or have services transferred in house or to another third party. We will work with you on whichever activities are appropriate to achieve your goal. De-commissioning or working with another third party may incur additional costs dependent upon tasks and effort required. If the services are no longer required they will be backed up prior to termination and held for a maximum of 5 years. Clients will be given content and data as per the end of contract data extraction response and can be provided in any format as required. If there are server-side applications then the content and data will be transferred in the most appropriate method agreed eg, encrypted disk, via SFTP or other. This happens within 7 days of the request unless the hosting is being transferred and this is not required as they would own it.

Using the service

Web browser interface
Yes
Using the web interface
If a client wants to manage their own support or constantly track support tickets, we can provide access to our ticketing system. Clients would be given log in credentials and can access the interface to edit and manage tickets as necessary. Users can create and modify tickets using simple point and click actions, but cannot delete tickets. If users require tickets to be deleted this will need to be done by an administrator. Server access is granted on user request with strict security precautions, ie IP restrictions and Two-factor authentication.
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
Just After Midnight has not undertaken any specific interface testing with assistive technology users. However, we use Zendesk which has been evaluated to the WCAG 2.0 AA standards as of February 2019. The guidelines can be found here: http://www.w3.org/TR/2008/REC-WCAG20-20081211/
API
Yes
What users can and can't do using the API
The code can be used to integrate it. Limitations are that it is predefined and has parameters and variables which cannot be edited.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
Other API automation tools
  • AWS Cloud Formation
  • ARM Templates
API documentation
Yes
API documentation formats
PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface
By downloading CLI and then using the tools to gain access. Limitations would be the predefined commands and that it is not openly accessible to anyone and is set up on an individual user account basis. The command functions cannot be edited.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
The automated monitoring and ticketing/alerting systems used by Just After Midnight are setup individually for each client and are also scalable. In addition, Just After Midnight is a growing business and taking on new people as and when needed as our client base expands to ensure that all clients are properly serviced including our 24/7 eyes on team monitoring our client sites.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
Automated scripts failure reports
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
AWS, Azure and other Cloud hosting, CDN and SSL providers

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Files
  • Virtual Machines
  • Databases
  • Cold Repositories
  • Scripts
  • Replicating back-up
  • Snapshot image backup
  • All data backed up is encrypted
Backup controls
Backups can be scheduled and set up on a request basis and/or manual backups can be undertaken regularly or ad hoc. Different things can be set up on different schedules. This would be discussed during requirements gathering activities to specify what needs to be backed up. Just After Midnight always has 24/7 "eyes on" teams in addition to monitoring alerts. Planned deployments will have personnel specifically alerted to the backup who will monitor the back up in order to ensure it has been undertaken as required. The retention policy will be defined by the client as to their individual requirements.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We have teams available 24/7 to answer queries and SLAs are negotiable. Just After Midnight commits to SLAs regarding response times and target resolution times. The exact timings vary with requirements for support and priority levels eg P1 response may be 30 minutes and target resolution 2 hours and P2 response time of 1 hour and target resolution 4 hours. Standard SLAs on provision of service work back to back with AWS, which offers 99.99% on the server level. Availability on a server-side level may be negotiated but no higher than those committed to by the provider - eg AWS, Azure; which both offer 99.99%.
Approach to resilience
This information is available on request.
Outage reporting
Monitoring is set up to trigger alerts into Just After Midnight's dashboard software as well as raise a ticket in our ticketing system and raise an alert in our critical alerts comms channel. These take the form of an in-house dashboard, APIs from the monitoring software as well as multiple comms channels. In addition, our 24/7 eyes on team will verify an incident as real (not just a false positive) and manage communications with named contacts through agreed methods - email/ticketing/our status update software which issues emails to specified individuals/groups/bridge calls where appropriate. Incident reports are then created by our team following an outage/major incident. This is sent to the client within 24 hours of the incident and details the outage, the actions taken to resolve it and the root cause and recommendations (if known) by Just After Midnight.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Active Directory is also supported.
Access restrictions in management interfaces and support channels
Each user has a role and these are permissions based controlled, whether this is in email, through the interfaces, support channels, servers and all other access channels regardless of how they are authenticated. All methods of authentication are encrypted as data in transit.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Authentication Process
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
The British Assessment Bureau
ISO/IEC 27001 accreditation date
28/08/2018
What the ISO/IEC 27001 doesn’t cover
Third party tools and services are not covered.

The certification covers Just After Midnight's services: 24-hour web support, monitoring, cloud managed services and consultancy information security management and processes.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • Third party organisations have relevant security certifications.

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
As per ISO 27001 - including:
ISMS
Data Protection Policy
Information Security Policy
Maintaining Security Event and Incident Log
Access Control Policy
Information Transfer Policy

Policies are regularly reviewed and are part of the orientation process for new starters. Employees have clauses in contracts regarding information security and associated responsibilities.

Day to day - risk logs are used to assess new projects and specific as well as general risks against best practice and internally approved policies.

We have a DPO and Technical Director who manage information security and review and highlight to the management team any issues regarding information security or changes/actions required for information / approval as appropriate.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We operate a change management process and can adapt this to align with client processes to ensure any changes to scope or other elements are documented and signed off.
Configuration and Changes are subject to risk assessment including security impact and are scheduling for regular review. Approval from the technical director and senior management team as appropriate. Our processes align with ISO 27001.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Just after Midnight has anti-virus and malware protection, these are updated to the latest definitions along with regular patching of OS levels. Any emergency fixes at application level are applied and this is communicated to Just After Midnight through the web and emails. Also, penetration testing results are reacted to accordingly.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Just After Midnight uses proactive and reactive methods. Our systems are protected by anti-virus and 2fa encryption. Logs are regularly reviewed and monitoring tools are set up to trigger alerts in the case of anything performing outside of expected parameters including potential Ransomware/malware attacks. As our teams work 24/7 then any potential compromise is reacted to within minutes. Dependent upon the incident, it is rectified eg by rolling back to a "safe version" and additional protective measures put in place. If appropriate, relevant clients/third parties contacted. We also subscribe to a number of feeds that inform us of new threats.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident managers provide 24/7 'eyes on' monitoring to all applications and websites. We use decision trees agreed with the client during onboarding to guide our incident managers through the correct 1st and 2nd line support processes and procedures to respond to queries, alerts, and incidents. They are hosted on our internal platform 'Mission Control.' Our 24/7 monitoring ensures that we are usually aware of incidents before you. Should you notice an issue before us, there is a dedicated support email and phone number to contact us 24/7.
Incident reports are issued summarising incident, root cause and recommendations where appropriate.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
We use cloud hosting rather than on-premise datacentres. Studies have shown that Cloud hosting is significantly more energy efficient than traditional datacentres.
We predominantly use Azure and AWS. Azure states that "For localized deployments, Microsoft Cloud is between 79 to 93% more energy efficient than a traditional on-premise datacenter". Also, that accounting for renewable energy, carbon emissions from Azure Compute are 92-98% lower than a traditional on-premise datacenter" and AWS which states that "customers only need 16% of the power as compared to on-premises infrastructure. This represents an 84% reduction in the amount of power required." and "Combining the fraction of energy required with a less carbon-intense power mix, customers can end up with a reduction in carbon emissions of 88% by moving to the cloud and AWS."

Pricing

Price
£2,400 an instance a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@justaftermidnight247.com. Tell them what format you need. It will help if you say what assistive technology you use.