Cloudsmith Ltd

Cloudsmith Package

Cloudsmith Package is a fully featured Enterprise-grade binary package manager that operates in the Cloud, and acts as the central pinwheel for managing your software dependencies and the distribution of your software to your customers and users across the world.


  • Secure Package Management
  • First-class RESTful API
  • Unlimited Repositories / Packages
  • Private Repositories
  • Support for Debian, Maven, Python, Redhat, Ruby, Raw and more
  • Malware / Antivirus Scanning
  • Global Distribution (Content Delivery Network)
  • Repository Entitlements
  • "Track your Package" Access Logs and Statistics
  • Organization Collaboration


  • Universally manage your software dependencies and artefacts
  • Facilitate DevOps/CI/CD automation
  • Blazing-fast CDN provides local-rate latency across the globe
  • Distribute your packages to internal servers, applications or developers/users
  • Monitor your downloads with statistics and geographic metrics


£10 to £1000 per licence per month

Service documents

G-Cloud 9


Cloudsmith Ltd

Alan Carson

0800 0588699

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: Cloudsmith supports an ever-increasing number of package types including but not limited to deb, rpm, ruby gems, maven and nuget. For more information visit:
System requirements: Cloud-based Service - no strict requirements.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Usually within 1 to 2 hours during UK business hours. At weekends it may take 2 to 4 hours, but the majority of the time questions are answered within 60 minutes.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Intercom button on the right-hand bottom corner of the website provides direct access to the Support team.
Web chat accessibility testing: None.
Onsite support: No
Support levels: Support is general access but priority is given to customers on the larger tiers.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: User Documentation. The service is designed to be simple and intuitive.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: Users can download their data at any time and if required they can delete their account completely (after a cool-off period).
End-of-contract process: Storage and Bandwidth are limited depending on pricing tier selected. Overage costs kick in if you exceed these limits. However you can increase (and decrease) your tier at any point.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: No differences. Responsive design throughout.
Accessibility standards: WCAG 2.0 AA or EN 301 549
Accessibility testing: N/A.
What users can and can't do using the API: Users can upload, download and manage their packages and repositories via the API.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Users can select storage and bandwidth tiers; manage their packages and software artefacts; and manage their overage limits.


Independence of resources: Cloud-based infrastructure with AWS Elastic Load Balancer technology in front of all external facing interfaces.


Service usage metrics: Yes
Metrics types: Storage and Bandwidth.
Reporting types:
  • API access
  • Real-time dashboards


Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Cloudsmith Package is a data-handling service. Files can be uploaded, downloaded and removed via the API or Web interface. A user/organization can request their data via the available contact methods (chat/email/phone).
Data export formats: Other
Other data export formats:
  • JSON
  • XML
Data import formats: Other
Other data import formats:
  • JSON
  • XML

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: 99.9% SLA Target. No refunds.
Approach to resilience: System designed with Elastic Load Balancing / horizontal scaling at each level. Further details available on request.
Outage reporting: Public dashboard @

Identity and authentication

User authentication needed: Yes
User authentication:
  • Username or password
  • Other
Other user authentication: 2-Factor Authentication coming soon!
Access restrictions in management interfaces and support channels: The Cloudsmith management interface is protected via username/password and is restricted to employees only and via an IP whitelist.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security accreditations: No

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: No
Security governance approach: Please see our Security Policy here:
Information security policies and processes: Please see our Security Policy here:

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Application code is peer-reviewed and vetted for issues, and several layers of defense exist to combat issues such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, Session Hijacking, and other forms of exploits.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Cloudsmith will engage with security researchers when vulnerabilities are reported. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy.

Security-critical system patches are applied to machines within a daily maintenance window and non-critical patches are applied within a weekly maintenance window.

Cloudsmith utilizes a number of third-party sources to identify security flaws within its systems and dependencies.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Cloudsmith utilizes a number of methods to identify potential compromises including centralized log scanning and notifications. Any compromise is immediately investigated and incidents, depending on severity, are dealt with immediately or within hours.
Incident management type: Supplier-defined controls
Incident management approach: Incident management is handled directly through support channels - see: - giving you access to the Service maintainers. An internal ticket will track progress. Incident reports are available on request.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No


Price: £10 to £1000 per licence per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: There is a 14 day free trial period. All features are included but you are limited in storage and bandwidth.
Link to free trial

