Isotoma Ltd

TrustServe: Wagtail web site for NHS Trusts

Your site. Your way. Your peace of mind. With TrustServe you get a secure, end-to-end website solution that’s tailored to your trust’s needs. TrustServe uses Wagtail; the platform delivering the new We work with you to ensure smooth, customised delivery over six stages: analysis; planning; design; build; launch; support


  • End-to-end solution for procuring and developing a new website
  • Uses Wagtail, the CMS behind the new
  • Customisation for your trust included in the cost
  • Extensive user research and testing already carried out
  • Penetration tested
  • Accessibility audited
  • Load tested
  • GDPR compliant
  • Hosted at AWS. Secure, resilient and auto-scaling by default


  • Clearly defined process makes timelines and costs transparent
  • Meet the content needs of your communications team
  • Already audited to meet NHS Digital and GDS guidelines
  • Public cloud hosting
  • Easy to use admin interface
  • Meets all standards according to current IT best practice
  • Extensible; as your needs change, so can the site
  • Integrates seamlessly with other software
  • Fixed price and fixed timeline
  • Free trial available


£40000 per instance

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 7 6 3 9 6 3 6 4 8 2 4 4 5 5


Isotoma Ltd

Andy Theyers


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints There are no constraints to this service
System requirements No minimum system requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times SLA dependent
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Service monitored 24x7. Telephone and email support available UK office hours only. 99.9885% availability. Critical incidents responded to 24x7. Non-critical incidents responded to within 4 working hours. Technical account manager included as part of the service. Cloud support engineer included at take on and contract end. Cloud support engineer available on request (at standard hourly rate) throughout contract.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We will work with take you through 6 phases: Analysis; Planning; Design; Build; Launch; Support. Each of these phases is well defined and includes on site visits from our staff. We will engage directly with your internal and external stakeholders to ensure a smooth to the service. On site training is included in the service cost.
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction All volatile data is made available in a dedicated S3 bucket that the user has access to at all times. This includes database dumps and all media assets.
End-of-contract process Users are encouraged to renew, however if they wish to migrate to an alternative provider all assets required for the new provider to take on the service are automatically available to the user. 4 hours of consultancy is included - any additional consultancy is charged at our standard hourly rate.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There is no difference in functionality between mobile and desktop. Presentation on mobile devices is optimised for smaller screens and touch.
Service interface No
What users can and can't do using the API API features are available on request. Most facilities the CMS offers can be accessed via the API.
API documentation Yes
API documentation formats
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The user interface for public users can be customised using HTML, CSS and JavaScript. Customisation by our team is included in the service charge.


Independence of resources Each user is partitioned from all other users, and each user is placed in their own AWS AutoScaling Group (ASG)


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All volatile data is made available in an S3 bucket for users to download whenever they require.
Data export formats Other
Other data export formats
  • Django JSON fixtures
  • Direct SQL dump
Data import formats Other
Other data import formats YAML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability We guarantee our infrastructure to be available 99.9885% of the time, calculated annually. This equates to 1 hour of unplanned downtime per year. Service is credited at 2% of the annual fee per complete hour outside this target.
Approach to resilience Our infrastructure is 100% resilient, with every single component in more than one AWS Availability Zone. The exact configuration is available on request.
Outage reporting Users will receive email notifications should their service fail, and then regular emails until the service is restored.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Our service implements role based access control. Users and roles are defined by customers as part of service take on
Access restriction testing frequency At least every 6 months
Management access authentication Identity federation with existing provider (for example Google Apps)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QMS
ISO/IEC 27001 accreditation date 22/03/2019
What the ISO/IEC 27001 doesn’t cover ISO27001 covers our entire business
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a Information Security Policy which is available on request. We have rigorous induction and training methods which ensure policies are followed. Reporting Structure is also available on request.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our configuration and change management processes, including component life cycle tracking and security impact assessments, are aligned with the ITIL v3 Framework Guidelines.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We monitor for potential threats through multiple sources, including external repositories and vendor feeds. Each patch and hotfix is assessed by severity, client requirements and/or vendor recommendations.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We rely on AWS GuardDuty for intrusion detection and regular automated vulnerability scanning for potential threats. Every incident is responded to within 4 hours, regardless of time of day or night.
Incident management type Supplier-defined controls
Incident management approach Users can report incidents via telephone, web and email. We have predefined processes for common events and leverage the guidelines defined by the ITIL v3 Framework. Incident reports are delivered as ODF documents as agreed with the user on a case by case basis, depending on severity and user requirements.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £40000 per instance
Discount for educational organisations No
Free trial available Yes
Description of free trial All potential users may request a free trial of the service. This is initially available for 7 days, but may be extended on request.

Service documents

Return to top ↑