FOSS (free open source software) as a Service

We provide a fully hosted and supported FOSS (Free and Open Source Software) solutions for our client. These include (not limited too):
* Wordpress
* Postgres
* MongoDB
* Java Tomcat
* Wikis
* Source Control Systems
* Etc..


  • Fully managed, and hosted cloud solution
  • Customisable VM Infrastructure
  • Scalable, Failover and Load balance environment.
  • Fully configuratible and customisable DAM
  • Any FOSS software server can be built/configured
  • Most FOSS solution you require can be provided
  • ISO Compliant security
  • UK, EU & Worldwide Datacentres with 99.995% uptime available
  • Integration to existing directory services
  • DevOps enabled and supported upto 24x7x365


  • Proven cloud based solution. Including Hybrid with AWS/Azure on request.
  • TBSCG private cloud offers most cost effective solution
  • Quick service activiation
  • Free to use software
  • Access and modify assets from anywhere/anytime any device
  • Easy user interface
  • FOSS software is community supported
  • Single point of contact for support and enhancments
  • Fully configurable solution with no VM restrictions.
  • Most FOSS solution you require can be provided


£140 per unit per month

  • Education pricing available

Service documents

G-Cloud 9



Mark Andrews

+44 208 133 1630


Service scope

Service scope
Service constraints The TBSCG Cloud offering provides up to 99.995% up time -one of the best in the industry. It is not dependent on AWS/Azure availability. The TBSCG cloud is located in multiple worldwide datacentres. All downtime/outages will be communicated in advance. The 99.995% uptime is depends on level of hosting (multiple VMs in multiple datacentres), Geo-specific lock can reduce the uptime we can offer. There are no reasonable restrictions on VM configurations.
We will build the specific FOSS solution required for you needs. These can be provisioned for you so long as its on a supported OS
System requirements
  • Latest Windows Versions (VM OS option)
  • Latest Linux versions (VM OS option)
  • EST NOD AntiVirus or equivilant on customer request.
  • Zabbix or Nagios montioring tools (open source)
  • FOSS must run on supported OS

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We provide different levels of support for different levels of tickets, however we can provide support of <1hr response of P1 if applicable, and this can be 24x7 if required
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels We can (and do for clients) provide support in the following levels:
9-5 UK time (5 or 7 days a week)
8-8 UK time (5 or 7 days a week)
We can (and do for some clients) provide a dedicate account manager and support engineers.
We will provide tailored support for clients based on their needs, requirements and budgets.
Standard support SLA's are:
1 A system-wide software failure in production.
Response 1 hour Fixed or Fix Plan 3 hours
2 An issue that degrades system-wide performance of the software in production but is not a Priority 1 Error :
Response 4 hours Fixed or Fix Plan 8 hours
3 An issue that has little to no impact on the production environment. Response 8 hours Fixed or Fix Plan 20 hours
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We will NOT provide the training for the requested FOSS solution - we will host it and manage it, and if we have detailed experience in the use of the software we can provide training (at a cost)

This service is designed to provide our customers with VMs with the required software built, installed, configured and running, rather than us being domain experts in the specific FOSS software
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The customer is completely responsible for the data on the servers

If applicable we will endeavor to assist with the migration, however we may not have the detailed knowledge of the FOSS software being used.

If the migration is the moving of VMs from one provider (us) to another, then we can happily provide this service to the client.
End-of-contract process When the contract ends we will:
* agree the end date with the client
* client and incumbent are responsible for migrating data
* when the client is happy, we will then shut down all the VMs, and keep them (if required) for a period of 30 days before deleting them

We will also happily work with the client to undertake different migrations if required and if we have the required skills to provide the service

Using the service

Using the service
Web browser interface Yes
Using the web interface The web interface would be provided by the chosen FOSS from the client
Web interface accessibility standard WCAG 2.0 AA or EN 301 549
Web interface accessibility testing The web interface would be provided by the chosen FOSS from the client
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • Other
Using the command line interface We can provide upto full access to the client at the command level on the VMs. As such the client (or the representatives) can undertake actions or tasks as they desire.


Scaling available No
Independence of resources The clients VMs are specific to themselves and are always kept "ring fenced" away from other clients. The hardware that they are being run on (so multiple VM managers) are never run to capacity and the datacentres have large bandwidths in/out
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Machine Monitoring
  • Firewall and Loadbalancer monitoring
  • Access Control
  • Database
  • Backups
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach In-house destruction process

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • File System
  • Databases
  • Virtual Machines
  • Content
Backup controls TBSCG manage and maintain the backups of the systems, however the client, if required, can undertake the backups themselves.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The service provided is a standard service with solution availability of 99.5% during service hours only (single node).
TBSCG will provide to the Customer on a monthly basis or on request evidence of the uptime.
(b) TBSCG will promptly inform Customer of the following:
(i) any disruption to the Software Solution;
(ii) any failure of the Software Solution; and
(iii) any other inability or potential inability to use or access the Software Solution.
(c) In the event that the Software Solution is or shall be inaccessible or not available to the Customer or users, due to scheduled downtime or otherwise, the Supplier shall:
(i) use best endeavours to ensure that any such downtime occurs during Maintenance Windows; and
(ii) ensure that users of the Software Solution are promptly given information that works are being carried out on the Software Solution.
Schedule downtime is excluded from any SLA calculation.

If in any one month TBSCG do not meet the obligations highlighted above the Customer will be credited to a maximum value of 20% of the prorated monthly hosting charges. Usually defined with customer.
Approach to resilience For the highest level of availability we use:
* multiple VMs on multiple hardware in multiple datacentres
* Hot-hot system
* active load balancing
* active monitoring
Outage reporting We utilise various reporting tools to monitor the systems at various levels including:
* hardware
* VMs
* datacentres
* websites
These are monitored via alerting thresholds and then emailed/SMS/displayed on the dashboard when issues/potential issues arises

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels This is covered by our ISO27001 policies, and are available on request
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ACS Registrars Limited
ISO/IEC 27001 accreditation date 08/02/2013
What the ISO/IEC 27001 doesn’t cover All parts were covered
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Visa
PCI DSS accreditation date June 2009
What the PCI DSS doesn’t cover Datacentre is compliant to level 1
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are governed by the ISO27001 policies for the information security.
These are very detailed and too detailed for this section, however we are willing to share these with any customer that requests them.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach For urgent security issues we:
* patch our environment (test) to validate
* communicate with the client that the patch is required
* go through their CAB/change management to approve it
* arrange the "down time" window
* patch the system.
For non-urgent issues we undertake a similar process as defined above, however there is less urgency
Vulnerability management type Supplier-defined controls
Vulnerability management approach We use various sources to find potential threats including:
* information from suppliers
* various sites on the web that report and cover vulnerabilities
* internal checking
* existing customer awareness
Once we have identified an issue we will communicate with the client the issue and work to either patch the issue, or de-risk the situation
Protective monitoring type Undisclosed
Protective monitoring approach We actively monitor all parts of the environment for the client and any issues are escalated to the appropriate internal team
The risk is then evaluated and communicated to the client
We respond to risks as fast as possible, and we ideally want to engage the client as soon as we have identified the issue - even if it is a false positive.
Incident management type Supplier-defined controls
Incident management approach We have various "HOW TO..." processes to restore a service as quickly as possible.
Users/Clients can report incidents via email or phone (depending upon the level of severity) and we will action these, however our goal is that our monitoring will identify any incident before the clients does!
After the incident a detailed "P1" report will be produced and if it is a previously unseen incident that can be monitored the additional monitoring will be added

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate All of our clients have their own VMWare (or Hyper-V) instance for themselves, we do NOT share VMwares between clients.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £140 per unit per month
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑