Carelink - Piksel Ltd

Carelink HSCN Cloud - Managed VM Service

A secure, highly available virtual platform with connectivity to HSCN and the Internet.


  • Secure highly accredited UK based company and facilities
  • HSCN and Internet connectivity
  • Flexible and expandable virtual servers
  • High availability as standard
  • Dual data centre DR capability
  • Multiple architectures to provide best value
  • Built on industry leading infrastructure - HP, EMC, VMWare
  • ITIL aligned service management
  • ISO 27001, 20000, 9001, DPA, IGSoC
  • 24x7 Service Desk


  • Increased efficiency of a single provider for connectivity and infrastructure
  • Services available everywhere - web, cloud, HSCN, PSN, JANET
  • Security of information assured
  • Access from anywhere with secure remote connectivity solutions
  • Supporting the latest technologies and methodologies
  • Service management and availability assured through ITIL and ISO 20000
  • Customer centric approach working as trusted partners
  • Strong governance and shared ownership of security and service
  • Total focus on health and social care
  • 20 years' of NHS IT experience


£350 per virtual machine per month

  • Free trial available

Service documents

G-Cloud 10


Carelink - Piksel Ltd

Zak Suleman


Service scope

Service scope
Service constraints Planned maintenance is carried out at pre-scheduled windows but will often not affect the service.

Servers are managed under our ITIL aligned managed service.
System requirements By default servers are installed with a managed AV package

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response times are dependent on the service impact level of the incident. Where the incident impact is critical and the service is not available then target response times are 30 minutes.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide a single level of support where we deliver a fully managed service for the platform up to OS level with 24x7 monitoring. We take responsibility for the availability of the platform and manage the underlying hardware, hypervisor and system.

Incident resolution is office hours but can optionally be extended to 24x7 for high priority incidents.

All customers have a named Service Delivery Manager and a Technical Architect and Technical Lead available for consultation through the SDM. We provide guidance and advice on getting the best value server architecture, performance and optimisation, security and data protection and compliance with NHS requirements. We'll bring in other experts from the wider business: infosec, DbA, firewall/networks, cloud specialists, devops etc etc wherever required.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provision and manage the server platform in line with customer requirements, so that they need only be concerned with the deployment of their applications. We assist in this process by providing the necessary secure access and making any configuration changes requested to support the application.

We provide documentation to assist customers in using our secure access solution.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The method would depend on the nature and volume of the data that needs to be extracted, we can provide a range of tools for this. This could be anything from a simple copy, to a secured online transfer or where large volumes are present, using a physical, portable storage device.
End-of-contract process At the end of the contract, once all necessary data has been transferred, monitoring is removed, servers are decommissioned and resources returned to the pool, SAN data is overwritten, backups are removed, service desk systems and CMDB are updated. All this is included in the price of the contract. Additional charges may be incurred where large volumes - multi TB - of data require transfer and there is a direct cost to us to provide this.

Using the service

Using the service
Web browser interface No
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface Users are provided with RDP or CMD line access to the server platforms for deployment and management of their applications. This access is provided on a least rights basis. Changes to the base server configuration, operating system and components, and reboots would normally be executed by us in order to maintain an audit trail of low level changes that have taken place and enable us to ensure the stability and availability of the platform.

We take a pragmatic approach and try to find the balance between giving customers the rights they need to work efficiently, while also being able to maintain our responsibility for the availability of the service.


Scaling available No
Independence of resources We monitor capacity of the overall platform and manage this in line with our ITIL and ISO 20000 Capacity Management and Planning practices.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Virtual machines using Veeam
  • Files using Asigra Televaulting
Backup controls Backups are performed on a daily basis by default, as part of the managed service. Further backups can be scheduled to backup specific elements at different times. This would be implemented by the managed service team as a change request and additional charges may be incurred.
Datacentre setup Multiple datacentres
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We provide an expected up-time of 99.95% for customers hosted at a single site without DR capability. Dual data centre architectures have higher expected up-times, dependent on the specific design of the platform. Service credits can be provided in cases where the SLA is breached. The level and triggering of these is agreed at service inception and included in the SLA.
Approach to resilience Our entire infrastructure is designed from the ground up with no single points of failure. Networks, firewalls, switches, routers, physical servers and storage are all configured with redundancy and automated fail over capability, to provide a highly available virtual hosting platform.

We can provide detailed information on the technology and configurations that we have in place on request.
Outage reporting We would notify customers by email and telephone and continue those communications throughout the incident to resolution.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Access to management interfaces and support channels is restricted by the use of Two-Factor-Authentication and protected by SSL VPN.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SGS
ISO/IEC 27001 accreditation date 5/12/2014
What the ISO/IEC 27001 doesn’t cover It covers the full scope of our operational activities.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • IGSoC and N3 Aggregator
  • CN-SP for HSCN once launched
  • CAS(T) pending

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a formal documented ISMS that provides the framework for our ISO27001 certification. A key component of this is our suite of 21 security policies covering all aspects of security controls. These policies are regularly and routinely reviewed and updated and are stored on the corporate intranet to ensure they are available to all staff.

All staff receive security awareness training which includes the core requirements of these policies and these policies are also endorsed by the company executive. A statement expressing this endorsement is published on the intranet alongside the policies to ensure its visibility to all staff.

We ensure all our policies are complied with by following a program of internal audits to verify and this is further endorsed by independent external audits conducted in support of ISO27001 certification every 6 months.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our Configuration and Change Management approach is aligned with ITIL and is ISO 20000 certified.

We maintain a CMDB to record and track components (Configuration Items - CI) through their lifetime.

Each change is logged as a Request for Change - RFC - by our Service Desk and enter the Change Management process. Any RFC affecting a CI is reviewed by the Change Advisory Board - CAB. The CAB includes members of our Information Security team who assess the potential security impact of each CI RFC.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Vulnerability Management forms part of our ISO 27001 certification.

We operate a continuous Vulnerability Assessment process with routine scanning of environments to identify and mitigate vulnerabilities.

We monitor a variety of external channels and internal devices for awareness of emerging threats.

We carry out annual Check Approved Penetration Testing of our internal and external networks and infrastructure and complete remedial follow up actions where required.

Where our Information Security team has classified a patch as an emergency we initiate our Emergency Change process and have the ability to deploy the patch immediately, at the discretion of our Information Security Officer.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Protective Monitoring forms part of our ISO 27001 certification and is the responsibility of our Information Security team.

Potential compromises are identified by the active monitoring of a range of logs, audits, reports and alerts provided by network boundary devices and internal network and server activity.

Security Incidents are assigned to our Information Security team by our Service Desk. The Information Security team will assess the impact and work with technical operations to mitigate and take remedial action.

A security compromise would have the highest priority and be responded to in less than 30 minutes.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incident Management forms a key part of our ITIL aligned managed service and ISO 20000 certification.

We have a well defined Incident Management process, for all common events, centred on our 24/7 Service Desk.

Users log incidents to the Service Desk by telephone or email and these are assigned to the customer-specific engineering team. Each customer team has a Service Delivery Manager who is responsible for maintaining the service within the agreed SLA and communicating the details of Incidents to customers in Incident Reports. Where disruption has occurred the SDM will provide a Service Outage Analysis to the customer.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Environments are segregated at both a network level using vLAN and at hypervisor level. Further details are available on request.

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £350 per virtual machine per month
Discount for educational organisations No
Free trial available Yes
Description of free trial We can provide a trial period for organisations who have a requirement to assess the solution. This is at our discretion and is assessed on a case by case basis. It would include the full service for a restricted number of machines for a limited time.


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑