Aptum Technologies (UK) Ltd

Aptum Cloud

Aptum Cloud provides VMware virtualization, hosted on highly available and high-performance infrastructure, enabling the cost-effective deployment of VMs, storage and security within a shared private cloud. The service includes Hybrid Cloud Manager which delivers performance, cost and security recommendations along with single pane-of-glass management across Aptum Cloud, Azure and AWS.


  • Guaranteed 100% availability; network datacentre power and HVAC system
  • Hybrid Cloud Manager gives a single pane-of-glass visibility and control
  • 24/7/365 management; incidents, configuration, maintenance and access policies
  • Back-up to alternative DC, AWS or Azure; full DRaaS option
  • Improved resource utilisation
  • Flexibility of per VM pricing within a Private Cloud
  • HIPAA, PCI and ISO27001 compliant
  • On-demand SAN storage option with performance tiers
  • Full, daily and incremental  backups with custom retention options
  • Options for CDN, Backup, DRaaS, Security and AWS/Azure cloud connect.


  • HCM supports Aptum’s Private Cloud, Cloud, Azure and AWS services
  • Physical and virtual machine monitoring to help prevent application downtime
  • Web based ticketing or call directly for an expert engineer.
  • Fast response; our own engineers, no auto-response systems
  • Option to provision your own resources; network, compute and storage
  • Control over sensitive data, behind dedicated firewalls
  • Full visibility of costs, with recommendations to optimise
  • Improved resource utilisation ensures application performance, whilst reducing costs
  • 100% VMware, leader in server virtualisation optimising performance and reliability


£56.50 a virtual machine a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@aptum.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

6 4 9 4 7 7 6 9 7 3 7 8 6 8 6


Aptum Technologies (UK) Ltd John Cave
Telephone: 0800 840 7490
Email: gcloud@aptum.com

Service scope

Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is 24/7/365. Questions are responded to on a priority basis. Out of hours, we prioritise service impacting questions.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Support levels
Access to Aptum online ticket system, backed by 24/7/365 phone support. Customers make just one call to our support teams and we'll keep you informed as we work on your issue through to resolution. We also provide an aligned Account Manager and a Customer Experience Manager who will manage the ongoing relationship and also are part of our incident management process. Cloud Solution Engineers, Network Architects and Network Engineers are available for complex changes and new projects.
Support available to third parties

Onboarding and offboarding

Getting started
Solution engineers work with customers to design a dedicated Private Cloud environment which is tailored to the customer’s needs. Migration and project managed deployment enables a smooth transition to the new VMWare based solution.

Technical Account Managers are on hand to provide walkthroughs of the management interfaces and web-based Monitoring GUI. They will also advise on the VM configuration based on the Monitoring reporting tools and assist in balancing loads accordingly.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users may choose to migrate their data to an alternative solution. If this solution is provided by Aptum we have migration services available to users. If the replacement solution is not provided by Aptum then data can be copied from VMs using SFTP or equivalent prior to contract end.
End-of-contract process
The end of contract process would be triggered by written notice of termination from the customer. On the service termination date all accounts and resources would be deleted. We can assist with migration of the data as a chargeable professional services engagement. Off boarding of all instances' data and resources would be the responsibility of the customer.

Using the service

Web browser interface
Command line interface


Scaling available
Independence of resources
As a global business we have well staffed, highly trained technical support teams able to handle any peaks in support queries. Azure is a hyper scale platform, the Azure hypervisor ensures full memory and process separation between customers as well as virtual machines.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • Files
  • Folders
  • Volumes
  • VMs
  • MSSQL Database
  • System State
Backup controls
Users select the frequency and retention from a range of options available from our Product Catalogue.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Aptum Cloud solutions are backed by our 100% network uptime SLA and 24/7/365 support.

When thinking about your Cloud solution, it is important to design for availability to ensure every step has been taken to minimize downtime caused by maintenance or faults. To assist you with this, Aptum can offer Disaster Recovery sites between UK sites as well as sites in Canada and America.

Aptum offer service credits for unplanned service downtime.
Approach to resilience
The primary Aptum UK data centre in Portsmouth has N+1 power redundancy with three 2MW generators on site. Carrier neutral data centre with multiple, redundant 10Gbps connections. This enables us to offer a 100% uptime SLA for network, power and HVAC. Our UK Disaster Recovery site and network of 14 additional global data centres add further resilience based on customers' geographical needs.
Outage reporting
Any outage will generate an email alert from our centralised monitoring and ticketing system. This covers all components of the Cloud solution precured.

Identity and authentication

User authentication
Username or password
Access restrictions in management interfaces and support channels
When a ticket is raised via phone, customers will always be asked to authenticate themselves using a series of security questions unique to them.

Usernames and passwords are used to restrict access to customer facing portals for Aptum systems. Role based access control (RBAC) is used to define user access rights within Aptum systems. Aptum adopts a principle of segregation of duties.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Schellman & Company, LLC
ISO/IEC 27001 accreditation date
June 9, 2020
What the ISO/IEC 27001 doesn’t cover
The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting the Data Center Operations services (physical and environmental security of hardware and surrounding physical, environmental, and network security operations and monitoring), including certain other organizations within Aptum that manage, secure, or support Data Center Operations services (Information Security, People and Engagement, Information Technology, Compliance, Product and Transformation, and Global Sourcing and Supply Chain), in accordance with the statement of applicability version 1.1, dated April 7, 2020.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Aptum Cloud is not covered by Aptum PCI accreditation. For those services covered by Aptum PCI certification, Aptum operates a shared responsilibity in relation to PCI DSS, however the following requirements are out of scope its Attestation of Compliance; protect stored cardholder data, encrypt transmission of cardholder data across open, and public networks. The customer is responsible for these requirements.
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Information security policies and processes
Led by the General Counsel and Privacy Officer who reports to the President of the company, Aptum’s Information Security team develop, release and manage security policies based on risk assessment and in line with security good practice. The Information Security team owns the Information Security Management System (ISMS) and are responsible for assessing information risk and applying the appropriate controls. All staff must complete training on key policies such as the Acceptable Use Policy when they join and at regular defined intervals.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our processes for Configuration and Change Management are managed through our service management tool, which follows ITIL methodology and best practice. Upgrades and feature enhancement to Aptum systems are carried out within isolated test environments and then applied to production environments once a programme of Quality Engineer Testing has been completed.

Aptum configuration standards are aligned to the centre for internet security (CIS) benchmarks.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Aptum uses industry leading security technology within it’s Vulnerability Management program. The Information Security team carries out daily, weekly and monthly check on its infrastructure depending on asset criticality. Any identified vulnerabilities are fed into the incident management lifecycle where vulnerabilities are assessed and tickets raised with the IT teams to address any weaknesses. Patching of Aptum systems is carried out on a monthly risk-based cycle. Out of band patching is completed as soon as possible. Information about potential threats is sourced from multiple credible sources including security vendors.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Aptum utilises multiple security monitoring tools across its network. A Security Incident and Event Monitoring tool powered by IBM qRadar receives critical log information from across the infrastructure which alerts the Security team to any potential threats. McAfee’s Network Security Monitor is used to monitor the Intrusion Detection System sensors placed within the workstation environment to detect any suspicious activity from workstations, and alerts raised are triaged and handled as needed. This process is aligned to NCSC C1: Security Monitoring
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Aptum operates a five stage security incident response plan - triage, investigate, contain, report and remediate. Where appropriate incidents are also reviewed by a company wide remediation panel who review all service impacting events.

Incidents are reported by automated monitoring systems, Aptum staff or by our customers and partners through our central service management tool and tracked and escalated as necessary through to resolution.

Reports are provided to impacted customers in the report phase via the central ticketing system.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
VMware provides memory and process separation between virtual machines and users.

Energy efficiency

Energy-efficient datacentres


£56.50 a virtual machine a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@aptum.com. Tell them what format you need. It will help if you say what assistive technology you use.