Code Enigma Limited

Drupal private cloud

We provide ISO 27001 certified specialist hosting services for Drupal. The service features an optimised LAMP-replacement stack ready to host Drupal in a high-performance, scalable environment, with optional version control and automated deployment services. It runs on our VMware private cloud, which is co-located in Pulsant's Tier four datacentre in the UK.


  • Highly secure, ISO 27001 certified
  • Stack software tuned for Drupal and PHP applications
  • Encrypted backups with regular restore tests
  • Highly flexible, your servers tailored to you
  • Free consultancy to find the best solution
  • Complementary applications and services can also be accommodated
  • Dedicated hosting team in three timezones
  • 24/7/365 server support available
  • Integrated devops
  • 100% available SLA backed hardware and network


  • Reduce "lights on" costs
  • Host multiple Drupal instances alongside other applications
  • Provide out of hours support without hiring
  • Open source stack is portable, no lock-in
  • Support from integrated team of system administrators and Drupal experts
  • Host multiple applications on one platform


£100 per server per month

Service documents

G-Cloud 9


Code Enigma Limited

Greg Harvey

020 3588 1550

Service scope

Service constraints The service is limited to hardware management and Linux package management only, and does not include either Drupal or custom application support. This can be provided through our other services.
System requirements
  • Software must run on the Linux OS
  • Drupal applications must run on supported versions of PHP

User support

Email or online ticketing support Email or online ticketing
Support response times Response varies according to SLA. There is additional cost associated with weekend response.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible We use the free, open source Rocket.Chat system which, as far as we're aware, is not tested for accessibility.
Web chat accessibility testing Not tested.
Onsite support Yes, at extra cost
Support levels Standard support includes a 99.9% service uptime promise and ticketing responses 24 hours a day between Monday and Friday (not weekends). We provide an additional tier of support, allowing customers to specify SLA requirements and ensuring 24/7/365 monitoring and response. This service costs an additional £250 + VAT per month, per server procured. You will have a dedicated support team, including an account manager, as standard.
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide access to a detailed FAQ, and various introductory documents are also supplied to help customers orientate themselves. Our ticketing system can also be used to assist people with our service.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction This entirely depends on the application, and could be anything from an entire VM snapshot exported from VMware and delivered to the customer, to database and code dumps provided in an archive format. We would work with the customer to ensure they get the data they need, in the format they need it, within reason.
End-of-contract process At the end of the contract any data the customer requires exporting is exported and delivered, then the server(s) are shut down.

Using the service

Web browser interface Yes
Using the web interface The web interface is strictly for server user management and access to monitoring statistics.
Web interface accessibility standard None or don’t know
How the web interface is accessible Interface is not tested.
Web interface accessibility testing Interface is not tested.
Command line interface Yes
Command line interface compatibility Linux or Unix
Using the command line interface Users have full root access to systems, if required, and access levels per user can be defined by the customer. Essentially you have full control, without limitations, over your server(s) via the command line interface provided.


Scaling available Yes
Scaling type Manual
Independence of resources As part of our ISO 27001 certified service management system, we regularly carry out usage and resource checks. We ensure the system is always working within generous limits, so even a significant customer spike in usage would not affect other customers. We also operate VMware, which uses a system called Distributed Resource Scheduler to automatically smooth out resource usage by seamlessly migrating guest servers between hypervisors as load requires.
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Other
Other metrics
  • VMware performance
  • Mail server
  • Processes
  • Host uptime
  • NTP
  • Load
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
Backup controls Backups are controlled by Linux cron, and configured by our administrators in our central configuration management system. Different schedules are possible and it is entirely customisable.
Datacentre setup Multiple datacentres
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability We guarantee 100% uptime on our private cloud for virtual hardware and network connectivity. Should we fail to deliver, customers may request a service credit from their account manager.
Approach to resilience We have no single point of failure anywhere in our systems, from datacentre fibre connections through to firewalls, cabling and switching. Everything is at least doubled. We use a resilient HP 3PAR SAN to provide the disks for our virtual servers, which is highly available and connected over a resilient fibre-optic network to our hypervisors. Our virtualisation technology is by VMware and supports their Distributed Resource Scheduler system, which automatically moves guests to a new hypervisor seamlessly and without a break in service, should a host machine fail. We also have datacentre-level DoS protection running to mitigate DoS attempts in real time.
Outage reporting We report outages via our Twitter account and via our public status dashboard. We will also correspond by email with customers in the event of a serious incident.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels All accounts are dedicated to individual users, and username and password is a minimum requirement. Sensitive services require a second factor of authentication using a supplied YubiKey 2FA device. Sometimes a third factor, in the form of key pair authentication, is also required.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Standards Institute
ISO/IEC 27001 accreditation date 08/10/2014
What the ISO/IEC 27001 doesn’t cover Our finance and HR functions are only partially covered. All other aspects of the business are in scope.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 27001 certified by the British Standards Institute. We have many checks and balances in place within our normal working processes in order to ensure policies are adhered to. Reporting to management occurs through monthly committee meetings, which are attended by the board of directors.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Configuration is entirely managed via a system called Puppet. Change is kept in the Git version control system (VCS) on a dedicated service owned and managed by us. The entire lifetime of our service, dating back to when we started in 2010, is available in our VCS. Every change is requested in a ticket, goes through peer review, and is checked for error and impact, as well as implications to wider security, before being accepted. Only senior staff may accept changes on a day-to-day basis.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We subscribe to all available security mailing lists for the software we use. We maintain a patching schedule which ensures every server is patched not less than every 3 weeks. In the event of a serious security flaw, a security incident is raised, in line with our ISO 27001 policy, and is then used to track the mitigating steps. This is done as quickly as possible, outside of the standard 3 week patching cycle, and customer security contacts are kept informed of progress by their account manager via email.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use the open source Intrusion Protection System (IPS) OSSEC to do real-time monitoring of services. This identifies and automatically blocks malicious behaviour by manipulating software firewalls on servers. We also operate rootkithunter and ClamAV on all servers, which scan nightly for viruses and potentially malicious configuration changes. Naturally we respond as quickly as possible to incidents; we run a 24-hour team, so in most cases response is within an hour.
Incident management type Supplier-defined controls
Incident management approach We have an ISO 27001 certified incident management process which we follow in the event of an actual or possible threat to our service. Customers may report incidents to us either via their ticketing system, by email to their account manager or, if anonymity is required, via our website contact form. Reports can be provided on request in PDF form by email.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate If required, we can provide different subnets and even different hypervisor clusters for different customers. Total separation is possible if necessary.

Energy efficiency

Energy-efficient datacentres Yes


Price £100 per server per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document