Enonic Cloud

Enonic Cloud is a modern web application platform that includes the essential components to deliver external and internal facing web applications, services and websites. The platform includes a flexible and feature rich Web Content Management System (CMS). Clients include government departments, government agencies, banks, insurers, logistics companies and healthcare providers.


  • Built-in search engine
  • NoSQL storage to store any data
  • Serverside Javascript MVC
  • Web Content Management built-in
  • Ready made integrations on market.enonic.com
  • Container based hosting
  • Metrics
  • Continuous deployment
  • Application deployment API
  • Fresh and responsive admin interface


  • Build and manage websites, applications and services
  • Simplified stack that replaces DB, Search, CMS and Appengine
  • Faster development cycles
  • Web editor productivity
  • Highly Scalable - built around a search engine


£500 to £5000 per unit per month

Service documents

G-Cloud 9



Henry Walker

+44 (0) 203 808 6995


Service scope

Service scope
Service constraints No special constraints.
System requirements Web browser for management

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Depends on SLA. From Next day support to two hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 A
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 A
Web chat accessibility testing None, third party system.
Onsite support Yes, at extra cost
Support levels We deliver next business day to 24/7/365 support levels.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide onsite training and support in addition to documentation for developers and users. We can also provide remote training and support.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Export in XML.
End-of-contract process XML export is includes in the price.

Using the service

Using the service
Web browser interface Yes
Using the web interface Manage web content, install applications/plugins, manage users and more.
Web interface accessibility standard WCAG 2.0 A
Web interface accessibility testing Tested on customers.
What users can and can't do using the API User typically create and expose their own public APIs built in Javascript on the server using Rest or GraphQL. Enonic offers comprehensive Java/Javascript APIs. Containers are managed using Docker.
API automation tools Other
Other API automation tools
  • Docker Compose
  • Jenkins
  • Custom tools
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • Other
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface Start and stop server, deploy applications, backup etc.


Scaling available No
Independence of resources Based on modern Open Stack infrastructure with pinned hardware.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • JVM metrics
  • Enonic specific metrics
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Data
  • Configuration
Backup controls They can control data snapshots. Backups run automatically every night.
Datacentre setup Single datacentre
Scheduling backups Supplier controls the whole backup schedule
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network Other
Other protection within supplier network Virtual sub networks for each customer project.

Availability and resilience

Availability and resilience
Guaranteed availability Up to 99.9% refund based on the following model based on reduction in availability :
0 to 6 hours: 25%
6 hours to 12 hours: 50%
12 hours or more 100%
Approach to resilience All infrastructure is virtualized and redundant. There's also offsite backups of data and configuration. We also offer clustered customer instances for resilience and scaling.
Outage reporting E-mail alerts.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Username and password. 2 factor if required by customer. We can also restrict based on IP.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Less than 1 month

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach OWASP and ISO-9001 certified framework.
Information security policies and processes OWASP and ISO-9001 quality system.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All configuration is stored using Git.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The service is built on popular technology like Linux, Java and Docker. We monitor updates and deploy patches when needed.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We inform the affected customers and proceed to find a solution and patch the system.
Incident management type Supplier-defined controls
Incident management approach Incident reporting is defined in our ISO-9001 procedures. Reports are sent by e-mail.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Zetta.io / openstack
How shared infrastructure is kept separate Virtualized network, storage and compute.

Energy efficiency

Energy efficiency
Energy-efficient datacentres No


Price £500 to £5000 per unit per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We offer a 5 days trial of the full platform.
Link to free trial https://enonic.com/try-now


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑