Zodiac Media Ltd

Drupal CMS Hosting

We offer enterprise-level managed cloud hosting for your Drupal website using UK-based data centres with 99.9% uptime guarantees.

As part of our hosting service we include 1 day per month of support time, which includes out of working hours support.

Features

  • Fully managed hosting service
  • Using GDPR compliant UK based data centres
  • Ability to scale up/down the number and size of servers
  • Load balanced high availability setups available
  • Enterprise grade performance and security monitoring systems
  • 1 day of support time per month
  • Support time includes out of working hours support
  • Send only email server capabilities
  • Option for custom server packages such as Apache Solr
  • We are an ISO 27001 information security certified company

Benefits

  • Support time usage is billable to the nearest hour
  • Unused support time is kept on balance for future months
  • Fully managed service including out of working hours support
  • High availability server setups available
  • All servers are backed up daily
  • Servers are actively monitored for both performance and security

Pricing

£780 a unit a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@zodiacmedia.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

356588686552084

Contact

Zodiac Media Ltd
Billy Davies
Telephone: 0203 813 8430
Email: info@zodiacmedia.co.uk

Service scope

Service constraints
There are no specific constraints we are aware of.
System requirements
  • Website must run the latest stable version of Drupal 7/8
  • Website must be compatible with PHP 7.3+
  • Website must be compatible with MySQL 5.7+ or MariaDB 10.2+
  • We will need access to your domain name's DNS settings

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our target response time for critical issues affecting all users and all functionality, e.g. website down, is 2 hours.

For major issues affecting all users and some critical functionality, e.g. website can no longer send/receive emails, it is 4 hours.

For minor issues such as confirmation messages failing to display it is 2 working days.

For trivial issues such as misaligned text it is 4 working days.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We offer one level of support.

Support work can include any tasks you feel Zodiac Media are suited to handling. Zodiac Media offer website maintenance and support contracts based on a flat fee that covers a pre-agreed amount of support time for each month, typically 1 day per month, at a cost of £700 ex VAT. Unused support time can be rolled over to subsequent months, up to a limit of 5 working days, although at the end of the contract any remaining support time will not be reimbursed. If the amount of support work required for a given month exceeds the balance of your support account, then we would charge by the hour for further work. We would always make you aware of this by providing estimates for further work once the support allowance has been exhausted. We will endeavour to accommodate additional support and development work as soon as we are able to based on our existing work schedule. We will advise you as to when additional work can be undertaken on a case by case basis.

Requests go through an Account Manager, who will answer basic requests and pass the rest on to technical personnel as necessary.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
To get started we would need command line access to your existing hosting setup.

We would then re-create your current website locally and run benchmark tests on it to determine the suitable hosting architecture.

We would then agree a migration plan for your website.
Service documentation
No
End-of-contract data extraction
At the end of your contract you will be provided with Zip files of your site's codebase and database. We will co-ordinate with you when the Zip files are extracted so that all content is captured prior to the migration of your site away from our servers.
End-of-contract process
At the end of your contract you will be provided with Zip files of your site's codebase and database, at a mutually agreed date and time. All other work would be billable by the hour if you have no support allowance remaining on your account's balance.

Using the service

Web browser interface
No
API
No
Command line interface
No

Scaling

Scaling available
No
Independence of resources
Client servers are allocated exclusively to them so there is no contesting of server resources.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
Reporting types
Real-time dashboards

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Linode

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Production servers (virtual machines) are backed up daily as standard
  • Optionally files can be backed up at extra cost
  • Optionally the database can be backed up at extra cost
Backup controls
All production virtual machines are backed up daily as standard.

Site files and databases can be backed up using custom scripts which run using server cron jobs. These bespoke scripts would be developed at an additional cost.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Minimum target uptime for servers and network connectivity is 99.9%. In any given month, if your server is down for more than 0.1% of the time, you will be given a pro-rated hosting cost credit for the downtime. If Zodiac Media fail to respond to an issue report within the target response time, then 1 extra day of support time will be credited to the support account’s balance.
Approach to resilience
Data centre resilience information is available upon request.
Outage reporting
All of our production servers are integrated with our enterprise class monitoring system. If you have a fixed IP address we can provide you with a user account to access this and view server performance. Alternatively we can enable a VPN connection for you to gain access. Depending on the severity of the issue detected the monitoring system sends alerts to a Slack group consisting of Zodiac Media staff.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels
The data centre management interface is subject to two factor authentication.

SSH access to the server is via firewall whitelist and public key authentication.

Support system access can be granted via VPN.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
ACM Ltd.
ISO/IEC 27001 accreditation date
18/10/2018
What the ISO/IEC 27001 doesn’t cover
None
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The data centres we use for this service are ISO 27001:2013 certified.

Internally, we follow a set of Information Security Management System (ISMS) policies that comply with ISO 27001 standards.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are assessed for their likely impact on security and performance prior to being implemented. All changes progress through a sequence of review gates using local development, staging and then live infrastructure to mitigate risk. Both the performance and security of the overall Drupal website are reviewed at each stage. All server configuration changes are noted in our issue tracking system. Codebase related changes are recorded in the version control system Git.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We proactively monitor both Drupal core and Drupal community module public releases. If a release contains security updates then we make clients aware of the need to update as soon as possible. Typically security updates are implemented within 2 working days of clients instructing us to proceed. We use the unattended upgrades functionality of Linux to keep server packages up to date. All servers are integrated with our security monitoring system which actively alerts us to possible threats. We conduct quarterly vulnerability scans of all servers.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All servers are integrated with both our enterprise class performance and security monitoring systems. These actively alert us to issues immediately, based on custom configured trigger rules. The time taken to respond to these issues is near immediate, although the resolution time depends on the impact of the issue.

In addition all servers are enrolled in the data centre's performance monitoring system which also actively alerts us of performance issues.
Incident management type
Supplier-defined controls
Incident management approach
As part of our Information Security Management System (ISMS) policies we have a predefined process for security incident management. This is in line with ISO 27001 standards.

Clients can report incidents to our dedicated account manager, and are kept updated with the progress and state of the incident throughout the event. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
KVM hypervisor
How shared infrastructure is kept separate
Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The disk virtualization layer automatically erases every block of storage before making it available for use, which protects one customer’s data from being unintentionally exposed to another. Encryption is supported.

A mandatory firewall is enabled in a default deny-all mode and ports must be explicitly opened to allow inbound traffic. Each client is hosted within an isolated Virtual Private Cloud, preventing network connections from any other systems.

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£780 a unit a month
Discount for educational organisations
No
Free trial available
No
