Netcel

Episerver Digital Experience Cloud™ (Managed Service)

Netcel provide Episerver DXC, a fully managed public or private cloud hosting service. The service is secure, scalable, resilient and highly optimised. With rapid deployment, guaranteed service levels plus full disaster recovery we offer high levels of resilience and up time, allowing you to focus on your business.

Features

  • Choose to host on either public cloud or private cloud
  • Unlimited websites with separate visual appearance, content
  • 365/24/7 monitoring, support and maintenance
  • Migration assistance and detailed solution design
  • Governance with managed deployment
  • Elastic scaling without manual intervention
  • Full-stack redundancy, backup, and disaster recovery
  • Digital Experience Hub Connectors and open API
  • Full customizability using Visual Studio

Benefits

  • Netcel support with transition, deployment and roll-out
  • Extensive experience of hosting Episerver CMS solutions
  • Global computing power with edge content delivery
  • Monthly performance reports and expert advice on fine-tuning your solution
  • Proven security processes with enforcement of duty separation
  • Increased security - Compliance with PCI DSS, HIPAA and SOX
  • Extraordinarily strong DDoS mitigation features
  • Standardised, up-to-date platform that minimizes security weaknesses

Pricing

£686 to £1204 per person per hour

  • Education pricing available

Service documents

G-Cloud 9

384845389894091

Netcel

Tim Parfitt

020 3743 0100

tim.parfitt@netcel.com

Service scope

Service scope
Service constraints The service is offered for the Microsoft .NET technology stack only.

Planned maintenance is scheduled on a monthly basis to allow for patch updates to be applied which may result in minimal downtime. Maintenance outside of the planned window will be communicated in a timely manner with the exception of emergency maintenance which may necessitate immediate action,
System requirements
  • Software licence for Episerver CMS platform
  • SSL certificate

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Our normal support hours are Mon-Fri, 8am to 6pm (GMT). Logging/tracking issues during standard support times is done via our Zendesk online ticketing support system. Registered users can also email a central support address and the system will automatically create and acknowledge the ticket. When we receive notification of a support issue via telephone, email or Zendesk, we immediately assign a minimum of 15 minutes to open, review, investigate and respond to the ticket. Any support required outside the normal hours is available as a 24x7x365 service at an additional fee with the same response times
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels We have 5 different support levels which are carried out on a time and materials basis. Typical response times for all defect levels are as follows: Priority One - Response is up to 1 hour (catastrophic & functional critical); Priority Two - Response is up to 4 hours (functional critical); Priority Three - Response is up to 2 working days (functional non-critical); Priority Four- Response is up to 2 working days (minor); Maintenance - Response is up to 2 working days; Priority One or Two levels are dealt with as a matter of urgency based on the SLA response and fix times. Typically, these are deployed as hot fixes due to the nature of the issues, hence the name priority support. Priority Three and Four support requests can also be deployed as hotfixes. However, where there isn’t an immediate need to resolve the issue, greater efficiencies can be leveraged by combining tickets into regular deployment windows (typically monthly). This is a managed process with the involvement of a BA / PM to identify and review the requirements for the next release. A member of the support triage team is responsible for resolution of each support ticket.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There are no training requirements as the service provided is fully managed with no requirement or need for client access.

Documentation of the service is provided as a baseline for the definition of the service provided.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Any solution data held within the hosting service will be made (securely) available at the end of the contract. If transferring to another similar solution configuration the data can be provided in the standard Episerver format of SQL database backups. If transferring to a different solution and the standard SQL database backups will not suffice, any solution data can be extracted and provided in common formats such as CSV or XML as required.

No data will be reasonably withheld with the exception of any secure data relevant only to the infrastructure associated with the ending contract.
End-of-contract process The Contract will be effective from the date of the agreement and continues to be in force for a period of twelve months after which the Contract may be terminated by either party at any time by providing one month’s prior written notice. The supply of Goods and Services and Price are subject to the terms and conditions set out in the Contract Agreement. A full set of Schedules and Appendices to the Contract Agreement with any documents referred to in them, form an integral part of the Contract and any reference to the Contract means this agreement in writing as may subsequently be agreed between the parties. The Price detailed in the Contract are exclusive of VAT, which shall be charged to and be payable by the Client pursuant to the relevant invoice for the same. Any Goods or Services not expressly provided for in the Contract, yet agreed to by the Parties will be documented and be delivered by Netcel hereunder, will be chargeable on a time and materials basis in accordance with the Billing Rates.

Using the service

Using the service
Web browser interface No
API No
Command line interface No

Scaling

Scaling
Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Through differing levels of performance, load and stress testing we ensure that the service itself is resilient to high loads. Both the applications we architect and deliver and the infrastructure upon which they reside are built appropriately for the anticipated load and, within reason, and more. Our services are designed to scale appropriately.

The net output of the architecture, implementation and infrastructure we deliver is a service where high traffic will not affect other users of the service.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Analytics
Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Website uptime
  • External services metrics
  • Application throughput
  • Page views per minute
  • Web transactions metrics
  • Database metrics
  • Error analytics
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Reseller providing extra features and support
Organisation whose services are being resold Amazon and Microsoft

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Files and folders
  • Databases
  • Content
  • Entire websites
  • All data
  • Infrastructure configuration
Backup controls From a service perspective, it is a fully managed service and therefore backups are automatically taken at regular intervals and stored securely.

End users have no ability to control backups other than if the solution itself contains some form of backup functionality within the solution.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Netcel's standard SLA for the service is 99.95% with a higher SLA available subject to infrastructure. Service credits come in to effect should the monthly uptime percentage fall below 99.95% or the agreed higher SLA. The SLA is for infrastructure and base operating system only.

Service credits are applied as follows in relation to the default SLA:

Less than 99.95% but equal to or greater than 99.0% - 10% service credit.
Less than 99.0% - 20% service credit.

Netcel will apply any service credits only against future monthly charges due. If the failure to meet the SLA is confirmed by Netcel, a service credit will be applied to the next monthly charge following the month in which the customer request is confirmed.

The hosting SLA is defined as follows:

Priority 1 - Server/web site down/unresponsive; Response time - 1 hour; Fix time - 2 hours.
Priority 2 - Issue has been identified but is not business critical; Response time - 4 hour; Fix time - 6 hours.
Priority 3 - Issue has been identified and has a work around, or is a low impact change that needs prior planning; Response time - 12 hour; Fix time - 24 hours.
Approach to resilience All infrastructure provided to our clients has the option for complete resilience either within a single datacentre, across multiple datacentres in a single region (such as the UK) or across multiple datacentres geographically.

This configuration allows for the worst case loss of an entire physical datacentre with services remaining fully operational.

Methods such as load balancing, mirroring and the more traditional failover are utilised to provide such resilience.
Outage reporting Outages can be reported via different channels subject to the specific requirements either in real-time or delayed until the next working business day.

Our services can provide access for service outages to a private, client specific, dashboard. Email alerts can also be provided alongside a more personal phone call should a service outage occur.

We are also able to hook in to different channels such as API alerts should these be required.

Outages for maintenance include: Emergency maintenance - we aim to notify you of this outage as soon as practicably possible. Planned maintenance - we shall use reasonable endeavors to provide you with a minimum of seven days’ notice and shall in any event give you as much notice as practicably possible. Scheduled maintenance - our standard scheduled maintenance window is every day between 12am-3am UK time. In this case, we shall, where practical, provide notice of such. All clients will be notified via email, phone and dashboard as appropriate.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels At a minimum, access to management interfaces are restricted with a username/password and SSL encryption.

Where permitted by the infrastructure configuration, management interfaces are entirely removed from public access and accessible only via a secure channel.

Multi-factor authentication or integration with a client (service) specific authentication source is feasible.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device over multiple services or networks

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach Monitoring is deployed within our network to audit access to data both as the individual and the device. Our network contains both application security and threat analytics via industry standard monitoring solutions helping to enforce our policies.
Information security policies and processes Netcel follow a standard information security policy in context of modern cyber security classified as "a formal set of rules by which those people who are given access to company technology and information assets must abide."

Our policy covers hardware, software, communications and data throughout. Information is classified in to categories based on the confidentiality of the data.

Monitoring is deployed within our network to audit access to data both as the individual and the device. Our network contains both application security and threat analytics via industry standard monitoring solutions helping to enforce our policies.

Violation, either automatically detected or manually detected, must be reported to the IT department immediately from where the issue will be escalated accordingly.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Netcel hold a change log for aspects of the solution that are infrastructure related. Only Microsoft approved patches are deployed. Third party drivers or such are not permitted.

Any security vulnerabilities identified by third parties are addressed in accordance with the industry standard recommendations as a priority.

Where possible, environment configurations are fully automated and controlled with all configuration and change operated through auditable source control.
Vulnerability management type Supplier-defined controls
Vulnerability management approach In accordance with our cyber security policy, access to our networks is monitored through automated solutions to detect, as close to the perimeter as possible, any initial threat.

Infrastructure, both internal and that which we provide as part of a service, is patched at least on a monthly cycle in accordance with Microsoft best practice recommendations.

Information regarding potential threats is obtained from our automated solutions and specialist security partners.
Protective monitoring type Supplier-defined controls
Protective monitoring approach In accordance with our cyber security policy, access to our networks is monitored through automated solutions to detect, as close to the perimeter as possible, any initial threat.

If a potential compromise is detected this is addressed through the security software that we have deployed either blocking the compromise automatically or manually.

Where a potential compromise is being attempted automated escalation of security risks are undertaken and approaches such as multi-factor authentication are instigated to protect the network and data within.

Responses to incidents are on a priority basis and attended to immediately where feasible.
Incident management type Supplier-defined controls
Incident management approach Users are, subject to the specific incident type, generally required to escalate incidents to the IT department upon discovery from where the incident will be triaged and further escalated accordingly.

Netcel have in place standard processes for dealing with any incident occurrences. Initial incident reports are provided within the next working business day and further developed if required.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon, Microsoft
How shared infrastructure is kept separate We follow best practices to mitigate risk and ensure a malicious or compromised user of the service can not affect the service or data of another.

These practices include separation of infrastructure via VLANs and firewalls as well as, depending on circumstance or requirement, the use of virtual private cloud (VPC).

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes

Pricing

Pricing
Price £686 to £1204 per person per hour
Discount for educational organisations Yes
Free trial available No

Documents

Documents
Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑