DevOps Hosted Platform

BDQ provide a hosted DevOps platform based on the Atlassian Stack (Jira, Confluence, Bitbucket and JIRA Service Desk), alongside Zephyr, Sonatype and Dynatrace.

We host this solution on virtual infrastructure provided by UKCloud, a provider which focuses purely on the UK public sector, or AWS.


  • Atlassian Stack - Jira, Confluence, etc
  • Zephyr Enterprise real-time test management
  • Sonatype Nexus automates open source governance and DevSecOps
  • Dynatrace provides application performance management
  • Hosted at UKCloud, AWS, customer preferred hosting supplier or on-prem
  • License management
  • Configuration and set up consultancy
  • Optionally, systems administration and ongoing support
  • Customisation based on user requirements e.g. secure JIRA Service Desk
  • License management or hosting for customer required software


  • Turnkey infrastructure to host DevOps
  • Hosted in a secure, public sector focused infrastructure
  • Atlassian Solutions Partner expertise in best-practice configuration
  • Scalable
  • No on-premise installation required.
  • Secure hosting in UK datacentres


£900 per server per month

Service documents

G-Cloud 11



Dominic Bush

+44 (0)844 8265 236

Service scope

Software add-on or extension: No
Cloud deployment model:
  • Public cloud
  • Private cloud
Service constraints: We do not provide SSH access to the underlying VM itself.

Every Friday there will be a reserved window from 9pm to 12 midnight where we may take the service down for maintenance. This window will not be used every week and can be moved to another scheduled time.
System requirements: See supported browsers.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Monday - Friday 9am - 5pm. Our response time is between 4 hours and 2 days depending on the severity of the issue. Out of hours support is available at additional cost.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Standard support - included in standard pricing.

Enhanced support - depends on the level of support required.

Each customer is assigned to a named technical account manager.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We can provide onsite or public training courses for the products and consultancy services to make sure that your projects get off to the best possible start and follow best practice guidance.

Full user documentation is available for all the products.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: The Atlassian and Zephyr products provide tools which allow the contents of the products to be extracted to open formats. BDQ can provide expert advice regarding extracting the data or can carry this work out as part of a consulting engagement.
End-of-contract process: At additional cost we can provide consultancy services to off-board the data. Please see our SFIA rate card for pricing.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: When you view the Atlassian and Zephyr products on a mobile device an optimised version of the page is displayed. It is possible to switch to a desktop view if required.
Service interface: No
What users can and can't do using the API: The Atlassian and Zephyr products have extensive REST-based APIs that allow configuration of the services and editing of the data within the product. For example, here is the documentation for Jira Cloud:
API documentation: Yes
API documentation formats: HTML
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: Customers can change the visual appearance of the applications to match their own branding. Themes can be applied to change the colour scheme and custom logos can be added.

Additionally, add-ons from the Atlassian Marketplace can be used to add to the functionality of the products. We can also provide bespoke add-on development services, should the customer require some functionality or custom integration that is not available in the Marketplace.

Issue types and workflows can also be customised to match the business or development processes that the customer follows.


Independence of resources: Each customer's users are partitioned into separate Virtual Machines hosted at UKCloud. In order to ensure that the demands placed by one set of customers do not affect others, they use resource reservations and bandwidth shaping to prevent contention.

In addition, UKCloud's capacity planning team ensure that resource usage is constantly monitored and that resources are increased depending on user demand patterns.


Service usage metrics: No


Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: UKCloud, Atlassian and Zephyr

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Users can export data from within the application to a number of different formats.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • PDF
  • Word
  • Excel
Data import formats:
  • CSV
  • Other
Other data import formats: Word

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: We can offer various levels of SLA depending on customer requirements. For those customers requiring high availability we can offer the Atlassian and Zephyr Data Center versions, which provide increased reliability. These options are at additional cost and will require more virtual hardware. Please contact us for details.
Approach to resilience: Available on request.
Outage reporting: Public StatusPage dashboard with email and SMS alerts available.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels: Only those users assigned to the administrator groups have access to the management user interface. A buyer-specified set of users are permitted to raise support requests.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: We follow the best practices described in the Cyber Essentials guidance.
Information security policies and processes: Our CTO has direct responsibility for our security policies and all employees are empowered to raise any concerns that they may have regarding information security. Each employee's contract has a specific section in it which describes their responsibility to ensure the confidentiality and security of our customers' data. Our Active Directory group policies enforce password complexity and the frequency with which the system requires a password change.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: We track the configuration of each of the virtual machines that we use for customers' data. This includes details of the OS version and the Atlassian and Zephyr products installed on it.

Changes are tested in a non-production environment prior to being deployed to customer production systems.
Vulnerability management type: Undisclosed
Vulnerability management approach: As an Atlassian Solution Partner and a Zephyr Expert partner we keep up to date with potential problems in the software and deploy fixes as soon as they become available. We are provided with information regarding potential threats by the product vendors. We also ensure that the underlying operating system is regularly updated so that any threats are addressed in a timely fashion.
Protective monitoring type: Undisclosed
Protective monitoring approach: We monitor access logs for unusual activity and will respond by contacting the named customer representative to verify whether the activity is authorised. For more obvious events we would temporarily disable access to the system. If informed of potential problems we will respond within 2 hours.
Incident management type: Undisclosed
Incident management approach: We have a series of predefined incident management workflows based on the Information Technology Infrastructure Library (ITIL) incident management workflow. Users can report incidents via our JIRA Service Desk or by email. Incident reports are sent to end customers via email.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No


Price: £900 per server per month
Discount for educational organisations: No
Free trial available: No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)