Drupal in Cloud

Drupal-powered sites hosted in a cloud, for creating rich websites with an excellent user experience.


  • Content management
  • User rights, groups, and roles management
  • Image and attachment management
  • Content workflows, acceptance, publishing control
  • Full e-commerce platform included
  • Multichannel and omnichannel support
  • Built-in application framework for self-service portals


  • Create beautiful, engaging, and easy to use sites and services
  • Publish and manage content anywhere with any device
  • Optimise content based on analytics and user behaviour
  • Combine content and e-commerce
  • Allow visitors to serve themselves with online apps
  • Drive up conversions with proper analytics and content tools
  • Create subsites for other brands, languages, or regions


£200 per virtual machine per month

Service documents


G-Cloud 11

Service ID

699680305113270



Exove UK



Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No.
System requirements Drupal runs on LAMP stack

User support

Email or online ticketing support Email or online ticketing
Support response times This depends on agreed service level agreement and issue criticality. Critical issues 30min – 4 hours, major issues 2 hours – 1 day, minor issues 6 hours – 2 days.

The service time is either office hours or 24/7, depending on the contract.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Exove offers four packaged cloud support services and a tailored one.

- Workdays 8-16, service monitoring, critical security updates, SLA level 1
- £500/month

- Workdays 8-16, service monitoring, critical security updates, SLA level 2
- £700/month

- Workdays 8-16, service monitoring, all platform updates, monthly reporting, SLA level 3
- £1400/month

Large 24/7
- 24/7, service monitoring, all platform updates, monthly reporting, SLA level 3
- £3200/month

SLA levels are defined in the pricing appendix.

We provide a technical account manager and cloud support engineers; there are no non-technical people providing support.
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide content editor and admin training tailored to the organisation taking the system into use. We also provide help and mentoring for the content editors.

Drupal also has extensive online documentation.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Either using the API, scripts made by us, or getting a full database dump.
End-of-contract process We will either shut down the service, transfer the site to a new provider, or provide data to the client, depending on the case. All of these are done on a time and material basis and invoiced.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The UI is reflowed to fit on a smaller screen, but there is no difference in available functionality.
Service interface Yes
Description of service interface Drupal admin interface and cloud service interface for basic cloud instance management (restart, shutdown, etc.)
Accessibility standards WCAG 2.1 A
Accessibility testing No tests.
What users can and can't do using the API All major functionality of the platform is available through the API.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The system can be fully tailored to fit the customer's needs. Much of the customisation visible to end users can be done using the administration interface, which is fully accessible to the client. We typically do code-level customisations, but we are open to other parties doing the customisations, too. This needs to be agreed separately.


Independence of resources The service infrastructure is designed and built completely by UpCloud's experienced staff. We have designed the infrastructure to be completely redundant, self-healing and automatically balancing resource usage.

We have solved redundancy issues in physical hardware through having duplicate resources available.

Regarding the software layer, intelligent algorithms take care of load and redundancy issues so that end users do not have to worry about them. Our infrastructure constantly monitors the performance of each cloud service deployed and services are transparently moved between physical hardware to less busy nodes.

UpCloud can also agree separately to deliver certain performance at a contractual level.


Service usage metrics Yes
Metrics types We provide basic metrics on service usage. This includes the following:
Traffic statistics (public and private network)
IO load
Reporting types
  • API access
  • Real-time dashboards


Supplier type Reseller providing extra features and support
Organisation whose services are being resold UpCloud

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Using readymade API, scripts made by us, or getting a database dump from us.
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Exove together with UpCloud will guarantee 100% virtual server and network availability to the Customer. The network will be deemed available if UpCloud's routers and switches are available and responding properly. For all unscheduled interruptions in the provision of the Services, which are due to hardware or telecommunications failures that last longer than 5 minutes, UpCloud shall offer compensation to the Customer.

When a failure in the Services has been corrected, UpCloud will offer the Customer compensation which the Customer may reclaim within 15 days. The compensation will be paid to the Customer's service account in the form of credits and may not be exchanged for cash or other forms of payment.

The amount of compensation will be 50 times UpCloud's charges for the Services allocated for the period of the interruption of the Services. The maximum amount of compensation for an individual interruption is 100% of UpCloud's charges for the Services during 30 calendar days preceding the interruption. The total sum of aggregated compensations cannot exceed 250% of UpCloud's charges for the Services during 30 calendar days preceding the latest interruption.
Approach to resilience This information is available on request.
Outage reporting The UpCloud service is self-aware and informs the user, through a specific status of the services, if there is an outage and/or the service(s) in question are not reachable. These details can be retrieved through UpCloud’s public dashboard or API. We also have a public status page at https://status.upcloud.com/, which can inform users by email if any service component has degraded performance, a partial outage or a total outage.

Identity and authentication

User authentication needed No
Access restrictions in management interfaces and support channels The system supports account-, role-, and group-based rights management to control who is able to perform certain functions on the system. The rights system can be configured either by Exove or by the customer to fit the exact needs of the customer.

The system can also be connected to an LDAP or SSO system for controlling access rights and accounts.

Access is granted based on the mechanisms described in the following question about management access; the suitable mechanism is selected together with the customer.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach UpCloud has a three-pronged approach to security governance: Operational, Tactical and Strategic.

Security governance starts with the requirement to protect users' data in a process-driven manner. Security starts from the highest level, with strict directives on how information security is interpreted and implemented.

At the tactical level, the directives and guidance from the strategic level drive the creation of policies and organization-wide guidelines and standards, which are implemented as lower-level policies at the operational level.

The operational level applies the tactical-level policies, guidelines and standards to day-to-day operations.

Executive management directives can be traced from the strategic level, through the tactical level, to the operational level.
Information security policies and processes UpCloud follows the tight security policies set by the Finnish government on the services we provide and all other legal requirements that apply to the services we provide. UpCloud’s core business and processes are governed by an organization-wide, written security policy which is approved by the acting management.

UpCloud’s responsibility regarding data security is primarily towards our users and secondarily towards governmental organizations, according to the local law of each country where data resides.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach UpCloud’s change and configuration management tools and processes are built from the ground up by our in-house team, providing our users with a 100% reliable and scalable platform to grow their business.

Change and configuration management processes define how we handle both our hardware and software, which, combined with heavy automation, makes the end product a scalable and reliable cloud platform.

All changes to hardware and software are automatically tracked, whether the component is in the production environment, pre-production environment, staging environment or internal testing environments.

All software components put into production go through a quality assurance process, including notoriously tight security reviews of all components.
Vulnerability management type Undisclosed
Vulnerability management approach UpCloud closely monitors and proactively assesses different potential threats to our services and users.

In the past five years there have been two major global security incidents that have affected all cloud computing service providers. UpCloud has been one of the first globally to validate, test and deploy security patches throughout our infrastructure without any customer downtime. Please refer to our public, transparent communication regarding the January 2018 CPU vulnerability: https://status.upcloud.com/incidents/9r9t34f98p28

UpCloud works closely with major hardware and software vendors, and gains continuous insight into potential security threats.

We work closely with every major national Computer Emergency Response Team (CERT).
Protective monitoring type Undisclosed
Protective monitoring approach UpCloud monitors various aspects of our services and, using a set of known and learned parameters, raises internal issues to our team. Our focus is to discover underlying problems before they cause any issues to our users. We closely monitor hardware and software for any impending issues.

We address all potential issues that might affect our service in a matter of hours. This is part of the ongoing process to improve our services, so we can provide a 100% SLA to all users.

The average response time to incidents in 2018 has been two minutes.
Incident management type Supplier-defined controls
Incident management approach UpCloud operates global services 24/7/365 with its own personnel and a pre-defined incident management process. In the past year, over 85% of incidents reported/diagnosed have fallen under pre-defined processes, which are regularly updated and on which our employees are trained.

Users have a wide variety of methods to report incidents in the services we provide. Currently users have three different communication methods to report incidents that have occurred: telephone, e-mail or web-based real-time chat. We are constantly looking for ways to be present in the services/tools our users utilize in their daily life.

All incident reports are publicly available through UpCloud’s status page located at https://status.upcloud.com

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £200 per virtual machine per month
Discount for educational organisations No
Free trial available No
