Viewdeck Consulting Limited

Secure LAMP Application Server Service - PaaS GC10-PAS-SLA1

Secure managed Web Software service, delivering a LAMP (Linux, Apache, MySQL, Php) application Service. Supports a wide range of web based applications (php, or perl based) in a patched, secured container service. Provides a range of security features providing a resilient platform, plus managed, monitored and backup services.


  • A complete configured, managed LAMP based application service.
  • Build Server/DevOps configuration, to ensure simple, repeatable, secure deployments.
  • Provides additional Apache2 hardening including modsecurity, modevasive.
  • Range of sizes and configurations to support Development, Test, production.
  • Resilience and Highly Available configurations, to support service levels.
  • Self administer via Web interface, or via a managed service.
  • Debian/Ubuntu based platform for easy management, configuration and flexibility.
  • Service includes regular patches, daily backups, support.
  • Includes optional Mysql or MariaDB databases support.
  • Works with UKCloud, AWS, Azure and private cloud architectures.


  • Ensures repeatability in deployment of your application.
  • Easy to move infrastructure deployment through Development, Test and Production
  • Remove repeated manual steps from Infrastructure build, test and deployments.
  • Enables easy to scale up and out of Cloud services.
  • Secure Server platform, production ready for Public, Tier1 Services.
  • Swift, simple roll-out of changes to multiple servers through DevOps.
  • Available for Web, Tier1 services and Tier2 via private clouds.
  • Suitable for Public, Private and Shared Cloud environments.
  • Hardened Tested stable platform.
  • Supports the full digital delivery process (Discovery, Alpha, Beta, Live).


£425 per user per month

Service documents

G-Cloud 10


Viewdeck Consulting Limited

Glenn Hardy

0203 384 3350

Service scope

Service scope
Service constraints Basic Service includes shared core System management functions like Build, Patch, Event and System monitoring. To provide dedicated Service management functions, additional services may need to be purchased.
System requirements
  • Viewdeck Patch Server for non-shared patch and Virus/Rootkit signatures upgrades
  • Viewdeck Log Server for dedicated event monitoring for the service.
  • Dedicated Viewdeck Monitor Service for availability and host health-check monitoring
  • Backup Solution providing secure non-shared offline remote cloud-based storage.
  • The Viewdeck Backup Service provides a non-shared suitable service.
  • Secure Mail Server with connectivity to dedicated secure administration mailbox
  • Secure Remote Administrator Access via suitable non-shared secure network.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Immediate Automatic response. Email Response 'SLAs' is supported for P3 P4 and P5's during normal working hours. All P1's and P2's should be logged via email, and immediately escalated via the help line. Weekend response to email tickets is available as an additional service.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard WCAG 2.0 A
Web chat accessibility testing Web chat accessibility testing
Our knowledge has come from market research provided by the Slack community.
Onsite support Onsite support
Support levels Viewdeck follows a traditional P1-P5 problem management prioritisation and response model, providing integration and escalation as you would expect to deliver to the agreed service levels. P1 Total loss of service. P2 Some loss of service. P3 Small loss of service or work around. P4 Tasks are made more difficult, but are not impossible to complete. P5 Interferes with non-operational use. All P1 and P2 events are allocated an Incident Manager to see and manage incidents through to successful resolution, providing SPOC, regular reporting, and coordination between various resolver groups. Standard support is Mon-Fri 9-5:30pm. P1’s and P2’s are supported 24 hours a Day, 7 Days a week as standard. Additional extended hours of support are available, either for 8am-8pm Monday-Saturday , or 24 hours x 7 days Week. All services can take advantage of the 24 hour per day web and telephone service, although only P1’s and P2’s will be responded out of supported hours. Additional pricing for these services is based on the product, with further details in our pricing guide. All Viewdeck Services include an Account Manager to manage service issues, and provide a SPOC for clients.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Viewdeck offer assistance to getting stated

Self taught CBT training is available as part of the service

Additional fixed price packages for other training is also available on request at extra cost
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction On end of contract, Viewdeck can supply the users information extracted from the system in native format or configuration files, including XML/JSON format.

This can be transferred to the user electronically via secure electronic transfer by arrangement with the client organisation, or via a shared secure File Transfer area. If the client has specific needs for the physical transfer of the data we would support this by additional services for the media and media transport for Data Extraction.
End-of-contract process 30 days before end of Contract, there will be client engagement to confirm the Requirements, agree a plan, any additional services needed, and the Quality Criteria for the delivery of those services to meet the Requirements.

Using the service

Using the service
Web browser interface Yes
Using the web interface __
Web interface accessibility standard WCAG 2.0 A
Web interface accessibility testing __
What users can and can't do using the API Client (normally Technology Administrators) can access the system through a web based API. This allows the Client to gain 'Controlled' access to the key functionality of the service to support Configuration and Data Management. All Services support REST based API interfaces.
API automation tools
  • Chef
  • Terraform
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface Certain User, Data and configuration options are available to administrators if desired/needed.
Most Services are configurable and available via Web Interfaces.


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources All of our services are based on dedicated devices with managed contention performance to ensure no service degradation due to other user ativity.

In the event of performance degradation occurring our service management tooling would automatically trigger and incident alerting us to the problem so that immediate action can be taken to address it
Usage notifications Yes
Usage reporting Other


Infrastructure or application metrics Yes
Metrics types Network
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Files
  • Databases, where appropriate
  • Logs
  • System Config
  • User Data
  • Status and Configuration
Backup controls Backups are performed by catalogue/ service request. Users can instigate and self-administer database backups through a web interface.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The level of availability is 99.50%
Approach to resilience Our service utilises a service provider that has multiple hosting sites with diverse routing of communications and power. We use a service configuration that makes use of these capabilities to provide a resilient service.
Outage reporting The client would get an alert via an email should there be an outage.
Additional Alerts can be provided by Web RestFUL API, SMS or Slack/messenger.

The client would also be able to view a service dashboard to see the status of their service

Identity and authentication

Identity and authentication
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Access is limited via IP address of connecting devices and use of shared keyword
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QMS International
ISO/IEC 27001 accreditation date 18/05/2018
What the ISO/IEC 27001 doesn’t cover All aspects covered.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes Viewdeck has a ISMS with the basis procedures to manage security such as

Information security policy and objectives
Risk assessment and risk treatment methodology
Statement of Applicability
Risk treatment plan
Risk assessment report
Definition of security roles and responsibilities
Inventory of assets
Acceptable use of assets
Access control policy
Operating procedures for IT management
Supplier security policy

Viewdeck has a nominated security officer who ensure security policies are followed and undertakes scheduled audits. The security officer reports directly to the CEO

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Viewdeck utilizes suppliers that follow certified configuration and change management procedures.

Viewdeck also uses automated configuration control and management via the Chef toolkit.

Viewdeck has its own documented procedures for configuration and change management based on ITIL. All changes are assessed and appropriate assurance steps determined for the change. All changes are tested in a dedicated environment before release to live.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach View deck undertake event logging via our SIEM. This allows security monitoring in real time of our services.

Our services also undergo regular penetration test to ensure that no vulnerabilities have emerged.

Our services are managed using automated Configuration tooling that keeps the infrastructure from being changed and lowering the risk of malicious exploration.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach All services are managed at the boundary by NIDS. Our services also provide application level logging and HIDS protection. All alerts would be forward to the clients. Depending on severity, we would respond within the SLAs of our services.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our incident management process is based on ITIL principles

Users can log and incident via email, phone, web interface and also chat.

Incident reporting is via web interface. Additional reports can be supplied by request at additional cost.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider AWS, Azure, UKCloud
How shared infrastructure is kept separate Compute separation is provided by a hypervisor. Network and storage virtualisation techniques are also employed. Other software controls, such as operating systems, web servers or other applications, provide separation between users of the service. There are seperated virtual hosts and data encryption at rest with strong bounday and host-based control.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £425 per user per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑